IETF Logo Mail Archive

Re: [v6ops] Dual ISP deployment operational issues and uncertainties

Kevin Myers <kevin.myers@iparchitechs.com> Thu, 01 September 2022 13:42 UTC

Return-Path: <kevin.myers@iparchitechs.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E15E2C14CF06 for <v6ops@ietfa.amsl.com>; Thu, 1 Sep 2022 06:42:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.895
X-Spam-Level:
X-Spam-Status: No, score=-0.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, GB_AFFORDABLE=1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iparchitechs.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Mf4pTBytJv8 for <v6ops@ietfa.amsl.com>; Thu, 1 Sep 2022 06:42:34 -0700 (PDT)
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2102.outbound.protection.outlook.com [40.107.244.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 133C4C14F73D for <v6ops@ietf.org>; Thu, 1 Sep 2022 06:42:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Q85CIik+iNO11QHMsckP6BHvnLUbr1qEb2iojojMgjTcrZeiphY26Gx3+z9nrvE60d3vOBEEZf5YkorHnqgSwl1uRityPhrOYOQ0LoPZZ31srquiWzmIjerWWeq6iJBx/GHKS6lHsrW34j52o907UoVcaTthEw969syBLfwAGIseMU4RcM3uXhOKcvW3qQ/h54im11/dwepTyqfrVJ8VtgqSkPmcwyMhPe2S2u9BgXhQAsbvC6pUXTJf5F+YiHxhmj94cL3gDDrfnJIvbER6a4w3uxQ/ztkb2b1LmLsYGZ1SiHQmmr5od534e2TSzMol9/y9bILKzLD/sHroAaf5pw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0p9bRIb+jUf9PfMKqo/a8tBekI6/XwT4/lJe0nfOCO0=; b=MfwUWwNfFBl/npJGoaFKGNwSR42kf1mOx5yK4TmoJC0s90FjNfrR7VEewZ72g88EMRje/ociVrYgx8Ut6TFsDCVY922+N6PcPCk93WkPgLU7Xvo/izPpldCXZ5EFPP1AbhGv8pncHCgpeDlWdTwos1Lpf/YiDJRWuWpST8Xjs2DtYaguxQnZfcn35NlQrNNSYhY7uCkU5NKbKf/zbjNcl7jq+Xzzsl3ZCI6IEBvxhI8iyoNvoCU1L5dmQbrlE53bsaNKud/aP4VrykGNMxvKDw8m8MhFa/evaLDqd87q0EQs8sV6WoikMK8dWFBWrs3N2AO6d8qthE3bbWIgoaSFFg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iparchitechs.com; dmarc=pass action=none header.from=iparchitechs.com; dkim=pass header.d=iparchitechs.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iparchitechs.onmicrosoft.com; s=selector2-iparchitechs-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0p9bRIb+jUf9PfMKqo/a8tBekI6/XwT4/lJe0nfOCO0=; b=Yolo43b6KuEFj/yt39RLOOtA30F8ytgnfl7nE1nK7MDeqPWICfe4nCT0ydnqCW7JNGZUne9dICfU1hJW8WNRN+ULCfim5YxFUspaPcrw2BPiMCoX672p+NBp1BXRbavVJhVn9owWfMKHNZsmKsB5SSWRDmy/XQpwpJIX863grm4=
Received: from BN8PR07MB7076.namprd07.prod.outlook.com (2603:10b6:408:79::19) by SN6PR07MB4160.namprd07.prod.outlook.com (2603:10b6:805:5e::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5588.10; Thu, 1 Sep 2022 13:42:30 +0000
Received: from BN8PR07MB7076.namprd07.prod.outlook.com ([fe80::a88a:2b9c:ffb5:8414]) by BN8PR07MB7076.namprd07.prod.outlook.com ([fe80::a88a:2b9c:ffb5:8414%5]) with mapi id 15.20.5588.011; Thu, 1 Sep 2022 13:42:30 +0000
From: Kevin Myers <kevin.myers@iparchitechs.com>
To: "buraglio@es.net" <buraglio@es.net>, Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: Ole Troan <otroan@employees.org>, Klaus Frank <klaus.frank@posteo.de>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: [v6ops] Dual ISP deployment operational issues and uncertainties
Thread-Index: AQHYvBFFv8C+nJrobUmz7EW5+o1vba3G/0EAgAAFG4CAABUtAIAAFimAgAANMQCAABShAIAA0hGAgAAXQ4CAAFvaAIAA6VyAgAAKBACAAQUWEA==
Date: Thu, 01 Sep 2022 13:42:30 +0000
Message-ID: <BN8PR07MB70760CA85E687387AA0EAB5A957B9@BN8PR07MB7076.namprd07.prod.outlook.com>
References: <28642990-c869-47fd-41d4-f43249b5f6dd@posteo.de> <0C5EAAF1-9657-4FB8-9323-1F6C350E8D45@employees.org> <1060ecee-a6b0-bddb-35b2-33f53a0126f8@gmail.com> <CAM5+tA-BUfz2ujx-SyPAmMFYKiSi8bcY98mvEm1YWwnQxSa95A@mail.gmail.com>
In-Reply-To: <CAM5+tA-BUfz2ujx-SyPAmMFYKiSi8bcY98mvEm1YWwnQxSa95A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=iparchitechs.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1e0b8193-cd14-4608-8341-08da8c1fd0da
x-ms-traffictypediagnostic: SN6PR07MB4160:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 06IgYp9LYKMi4imsFyykfP3mkzuRG6qjZGDLdargUV3LU9+Nupj0bTgttOrv2qPKfcnZX0jeaCxc71FiyWbg6/1z7jNf9MGqLfIiIq7V6ilPdOUrQryMxtdbPQJCjSz+7g+NfxqR0U/B+BfNIYzjjxPu05mKM9RTQT7rylex8Lcm8J9JlgidEM72WU9XhnNPN92IghAMM0bI8t+id1k8V072+EXaWg8bKXll4VWnGN3vXwPPxefi19qsFzvvP+QH5zWSWcle0FNABO0AP9yMveG4sucFtdWpNkIBS8alLSKvVhBxQA0wdtEnGxKg6A8vvM1HUTZCE5o1S9zf0cNneOehMS64d6FwlZL8PI9GoBYlio8CrViWNj6YxpZnuGO6mhYKno0M9ju//wQNTywD6Tu6GAJUsl+qZlegHFwFyPqjfHwgpByGlpcFNz4htkJ+fEmTkdoEqxr/a785tJ0LggoW3smmgS5eI6t7J01k+8dw8g2YUzNSKSbCryljwg+lS0GNze6td5VC2yfM4U6SZvawcj4AavO59k29+0l+cY5uXXdzj1NPrw8SGNly4ZP7yq33G8vFRNIlH22D483RTrzAMUZm49hv7JtRcFViX9xwBmnZwscrObyS7PRmEmxMMf9eP/VawO1LnlKTid284h1PG7ZiAbRJPA9B+Ny2XlmQnc7XjFSTjl6CiQj2MT8DSY25UZZ495t4GOX1OZ3ZMHkPe8zZtabJnB4xto48JDEErCm3ybTG1Fr/YcCUf8QERCOAzCT5NekjLHmTxNo8Piet7JHscUesXFfRWcMYiib2t/36VMwM0BayM4dcaSeXR4tq502saduVzBbCxXCBUQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN8PR07MB7076.namprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(396003)(346002)(136003)(366004)(376002)(39830400003)(38070700005)(122000001)(166002)(9686003)(83380400001)(7696005)(53546011)(66574015)(6506007)(186003)(478600001)(41300700001)(71200400001)(64756008)(110136005)(316002)(54906003)(2906002)(966005)(8676002)(66476007)(66946007)(4326008)(66556008)(76116006)(66446008)(38100700002)(8936002)(76236004)(33656002)(5660300002)(55016003)(86362001)(52536014)(44832011)(99710200001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: TE8Acy3y5mZmx0drEmVFE8bELCblV76tKH66PcGw++4hIbW4eIEEe1wH698AbZi36IxV0cLYokiFOC2qKqX7fYLyFrCFL1aUcDEwj7eHYBSvz9I1p1hFYF3M3wSQLd06ZIzorQtC7w+by72TdJybBdN61x+lOOirdvJ1XThXOO8Twwsyth8IEw40CFYuINH9BIj2aYLvkwdNkTHWHywBIni6vshnlh9auKwsCZEYYWQfLnWDJWq63+pUND0ZPpqwYblh/w1ojLEMmU198jqOJ+stcGKiRtLISUiIRtLj29uFyM7nGDwjlzhrvCU2Hd/RS5e2zRIT/n8LutY5j71bpGWpEhQp/6ZdYx5hBaPUqDVeq1ViVSbWTeDpR2+IABjlNxIZs78fywKg48keHZRlP8gQPDq7Ux0dzD48GqF5UDEWtWTsCZvglvlfwMHe6z0E57dRj8QqHyaAwAkF0rY4M/BGenaSIOqNMWxJCwNOUVB7t9tb9rOZ6dtqZptdeAKsTIJ2FENfyM8Ty01CL8OQA0Rc533lVg7ndWOnqogLezvDLzsJSopQAfwCCQpPUU2MTsoZ1iLpFMoWx0nQGKnvyu0h6BIrFJV8gsPzv0i4WJPE6Y9V+ZCHBIXxoGXLB8zbmxgBtFckwdOMzRcRs4b3s7PNVHjCVEjAEXqK83hJoWDGQ+OUDbAkJ20WL3I4d7ZTvT0T374zN03pRSW0ViMfQYd8/3eEtZm/H7UjpUCc16qmJrPNkRSghDcReNrO7WzHfIBkyXtkJcWQOnHYtXPQmjxLx+WxmxmmUAaIJlIGkZ7cGqc6pymiT0pfBsxU6CgxH3LGwtEIIgJUi1UgUfcaNJd0GtaFYpn0Twp6g4K9hX1z7lPICK6BGbJUnAMj9isKSWhEwsQ6hoP2bAoW6PE+oGaFqNXctuyUY+TO79AS1qSK1vMe8RxyMNMNl3iQwkk+lUEg4zbw8EC9PNfOUPhJ41znX4XSwaT84C47dByCrzTpPFrlgWC6wJ7gai1K6ZkF03r3G7XTAVbjOUKTGrWygMsmGDUtV5nXvH3BiWAIlUrWWCyMfgZIDN7GQCqvzbf3Vnp85n7JskqdDgoDv/vHrAiVF8PZoYQTGZwTI4+pJ4u4KptL+zLdEVZMh7SoPP8cop+tlfM77vz/sxfV8eET46BrqV52/j4cujOT5xG0Bc0VjBzRan+PeqVjKC97F+zsNRZpSFuWbdO2B5Z5Z1chNMGOWdgoQGzFBuK5r9jwzFvC+VUObPHulQXYI8/46bf6O59joEHGHpWGW568jVGiRZxNzxD494i9tvg/wCpuLPTqNHBmTZb6+SPNm3yBdu17gwmmi8tBDvS5YM8XWlvjqexvIzvn4/YAm63JsFJcsL+ITUmkQBBG/a6zlp8Ujf7p0k8qywoW26zNKfQ7cKFlXic/yMDtSAXfL2AIBpLkmxA3N8Zo258GYpG61dU+uDenWxES+QVNd1DPXe39lrWsO/QJk/EPwhMDO/LDGM+hBtdLUpGeS7278AupKtqbfy8wLHEGmJVqMgwelHFl9islxwbcZr8YOnztwS0Ak5eTUly4c2CsCSQYZotQ/x/yP2W3SYpnNnhAPG7GufUXGrgkbQLji1vkZl1BjENZUdohxoXqSaOnxRD7WX6pK6vXxAuqKkQs2ATqL0xbE2Ij0tH7+A==
Content-Type: multipart/alternative; boundary="_000_BN8PR07MB70760CA85E687387AA0EAB5A957B9BN8PR07MB7076namp_"
MIME-Version: 1.0
X-OriginatorOrg: iparchitechs.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN8PR07MB7076.namprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1e0b8193-cd14-4608-8341-08da8c1fd0da
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Sep 2022 13:42:30.1577 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 394cfad8-1b06-48c6-b381-e12377a8fdde
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mVRSKXybjHYhm6ocEN1pWs/MOMQQ+MDRwi3mha3OPD6sKRIhYLypP3hmbbWTAtztgWy1OV4wG3uf8Liwah00zzHcNxYjgWg+I+3wEq4+kR4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR07MB4160
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/NODlTw2W8pw5NLCDI4gQuD3c_Vk>
Subject: Re: [v6ops] Dual ISP deployment operational issues and uncertainties
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2022 13:42:38 -0000

Nick,

I agree with this completely and it matches the experience I’ve had when connecting the branch offices and remote workers of my company to our DCs and the Internet in general. Relying on hosts to manage PA failover has been slow, messy, inconsistent and far less smooth than the equivalent IPv4 + NAT44 connected site. Maybe that will get better with time, but if I need to deploy IPv6 PA across two providers today at a site, it’s a bit of a crapshoot.

Nobody wants to talk about it, but we’re going to need some level of NAT66 to facilitate the transition for large enterprise, SME and SMB. Rather than fight against it, it would be ideal to determine which use cases are good for dual addressed PA space, NPTv6 and NAT66 so that IPv6 can be more easily deployed and we (hopefully) limit where NAT66 is needed with clear guidance on pros/cons of the options you listed.

That also paves the way to addressing the problem of host failover long term so that the experience can get better without delaying IPv6 deployment. Much like the ULA problem in the draft you wrote, improving the host OS is a multi-year journey.

From: Nick Buraglio <buraglio@es.net>
Sent: Wednesday, August 31, 2022 4:32 PM
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Ole Troan <otroan@employees.org>; Klaus Frank <klaus.frank@posteo.de>; v6ops@ietf.org; Kevin Myers <kevin.myers@iparchitechs.com>
Subject: Re: [v6ops] Dual ISP deployment operational issues and uncertainties

I have been working on exactly this problem recently. Given the *current* landscape of affordable, widely available options, there aren't many. If one were to need to get this working today, what I have found is this:

Multi-netting:
* Prefix preference is hairy, not well understood, and poorly supported in a way that makes it easily deployed.
* Multi-netting is wrought with lack of awareness and that will make most security teams balk at it.
* It's fairly onerous for an operations team to support at the first level due to it being so foreign of a concept when a NOC is used to legacy IPv4.
* It suffers from the same issues that exist with DNS application support, RR failover is not always great making timeouts a thing, leading to perceptions of performance degradation or poor user experience.
* Many devices are unable to support it in a way that a given engineer can deal with, or have unexposed knobs, making it largely unsupportable.

NPTv6
My preferred option, but not well supported in most smaller devices with a few exceptions.
* I've never seen it in a provider issued CPE, ONT+Router, even in most of the MetroE gear that I have seen*
* Where it is available there are odd bit-shifting issues when both allocations are not the same, i.e. not a /48. This seems to kinda-sorta work but I'd never, ever try to support it at scale as it is available today given that most providers in this level of space, at least in North America, tend to delegate at most a /56 to a level of service that would be in use for something like a SD-WAN solution.
* Lacks a way to make it work with address space that is not myred in other operational problems (i.e. ULA doesn't work for this in dual stacked networks that have diverse devices or embedded/OT systems with no mechanism for adjusting address selection)

NAT66
My own deployments are using this for the backup link. It's my last choice, but it works without breaking outbound traffic, which let's be honest, that's that we're mostly talking about for these use cases - eyeball networks or soho/small biz deployments where they need to connect to a DC or cloud system "somewhere on the internet". Rarely have I seen the requirement for inbound connectivity. This has the advantage of being incredibly easy to set up, works as designed, and for ensuring backup connectivity in a primary link outage, it is largely seamless.

I will say that I begrudgingly came to what I can only assume will be an unpopular solution here, but it's what is easily available now, and can be supported with almost no overhead. This also works for IPv6-only client + NAT64 networks, which is how some of the testing was done.

Assumptions made:
All IPv6 is PA space
Backup link is not ECMP or load sharing - it is simply for backup
At least one service has native IPv6 (I have also done this via a tunnel on the backup over an IPv4-only network)
CPE must be available, commercially supportable, and well known (i.e. not a linux system or a random DDWRT box)



----
nb

ᐧ

On Wed, Aug 31, 2022 at 3:56 PM Brian E Carpenter <brian.e.carpenter@gmail.com<mailto:brian.e.carpenter@gmail.com>> wrote:
On 31-Aug-22 19:00, Ole Troan wrote:
>
>> Limitations with UPNPv6 and other limitations with the discovery. Or just because the NAT discovery is bypassed as E2E is assumed for IPv6 (otherwise you could just stick with IPv4 and wouldn't have to migrate from a use-case perspective; Also one of the main selling-points of IPv6 is the reduced complexity by not needing to implement complex NAT detection and traversal techniques)
>
> Given the apparent success of NAT64, it’s not at all obvious that IPv6 applications will not need the same level of NAT/firewall traversal logic that IPv4 applications require.

Absolutely, but are code paths in the end-node applications affected? I thought NATs were supposed to act as if they were transparent :-).

I must confess that I have never understood STUN properly, but RFC8489 appears to cover IPv6 already.

> I would also expect that other “middle boxes” in an IPv6 network that require traversal is at a level with IPv4.

Yes, the code paths in any NAT-aware middleboxes would be affected. But since NAT66 is already a thing in the real world, if not in the IETF, I would expect this to be taken care of.

    Brian
_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email