IETF Logo Mail Archive

Re: [v6ops] ULA precedence [Thoughts about wider operational input]

Mark Smith <markzzzsmith@gmail.com> Mon, 25 April 2022 08:05 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD4C3A0C50; Mon, 25 Apr 2022 01:05:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.608
X-Spam-Level:
X-Spam-Status: No, score=-4.608 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.998, HK_RANDOM_FROM=0.998, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xVrtAcLUR_Kr; Mon, 25 Apr 2022 01:05:45 -0700 (PDT)
Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FCA53A0C85; Mon, 25 Apr 2022 01:05:45 -0700 (PDT)
Received: by mail-pl1-x636.google.com with SMTP id k4so13683608plk.7; Mon, 25 Apr 2022 01:05:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XVpwMKJFKOB0rv38aZ09oLCXwuNTboD56OvamIwCslE=; b=qx+55sIhTXKOjpA6roUfouc2iNUequEz5L78vHc0mJ51MaS0VS+JCovprreNXIFOhX 0B+aWPtzRWIIo4oXRWVroIMi8oKQJzx5epeRdxAP6Z+BxgHozPF8pkV1FqzJjd/Guu26 Lz6DRi/R9/EXjciTXgw8CNZWKWfrBkToOwFAKqcS7H68a6X/sDc+cRyVIgR16ks0+Xoo HVz6F2aQ46S80oid7jakFwM+632VcquOqpDLNlmFK7fEdwBGBCG+tbQBjaiOLoqiT/XA bu3dZ08OD3XJLc3URFa6OihNHx635IZbG7C9Zt56U84e8VQ4MVvUWTvLq2+ATPQCGuua BNRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XVpwMKJFKOB0rv38aZ09oLCXwuNTboD56OvamIwCslE=; b=EEZ7seaf8JQQFuqrCb/M1JZlWH6X5JuFnGbyJ2iFYxJ5kzwkMAHa9koru1/lTnfGCl kVUET7/ObsKC1xoKSYamB+MpXEeZmHh72cRUq1bVSonKKt+xnneTyXGGHqc3+Jjhm1Ko aCp0tkqXyMPoYml59u575yIhh3mu7hyXvKtpcxthxIXqMO3CaAlT+SvHd7HdJi2g3uda gkh2rGhvMgx4pot6XAiOiLflUeK/uKa/Dp6DmCLmL0omeyZYCOHfUrg9Chti1TKmnaku 4yARPW8j9oxKBX3Wlm8GnDOsjnDh+b1UYOPLu1ETp53ixYQ7kKm9HPf/4Ydb8Mn3fRks JboQ==
X-Gm-Message-State: AOAM532JVZXUGGUdy23AwXdt386owsENltD3dvse5wfZeg4okLElGXjj hH1kjpmvX8XcCmC5JHUYJqk0ZCY51yIfSPPNOXo=
X-Google-Smtp-Source: ABdhPJzxyOkQqmpP6sIOnPh3E+TUl/BTyZJgPH5TekCDnCwRwjGFd+xqePVdsYqyohTgULCVEAUBIMKRIjfbXqdBNQQ=
X-Received: by 2002:a17:903:1251:b0:156:9d8e:1077 with SMTP id u17-20020a170903125100b001569d8e1077mr16572401plh.116.1650873944019; Mon, 25 Apr 2022 01:05:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com> <BN8PR07MB70760D9693580F5BDCB61DD995F89@BN8PR07MB7076.namprd07.prod.outlook.com> <CAKD1Yr3Z9wGQ+uiA2WcW00MrOiLyHs+bSoFjHVtrixCi2qp4DA@mail.gmail.com> <BN8PR07MB7076A6456CAB48EF428D6E8695F89@BN8PR07MB7076.namprd07.prod.outlook.com>
In-Reply-To: <BN8PR07MB7076A6456CAB48EF428D6E8695F89@BN8PR07MB7076.namprd07.prod.outlook.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Mon, 25 Apr 2022 18:05:31 +1000
Message-ID: <CAO42Z2wTujti8nghRqqf4UpPwH+8qJgoqBZX_RPnY1k3w4-LYA@mail.gmail.com>
To: Kevin Myers <kevin.myers@iparchitechs.com>
Cc: Lorenzo Colitti <lorenzo@google.com>, v6ops list <v6ops@ietf.org>, Ted Lemon <elemon@apple.com>, 6man list <ipv6@ietf.org>, Erik Auerswald <auerswald@fg-networking.de>
Content-Type: multipart/alternative; boundary="0000000000000095e905dd760b7c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/NZaoWpQaGctlzyaNMBVQJWLGrOU>
Subject: Re: [v6ops] ULA precedence [Thoughts about wider operational input]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 08:05:51 -0000

Can you cite this regulation that requires NAT?




On Mon, 25 Apr 2022, 15:35 Kevin Myers, <kevin.myers@iparchitechs.com>
wrote:

> This misses the problem entirely though.
>
> It's not a choice to reconsider, these are regulatory requirements. The
> fact that a handful of enterprises have deployed IPv6 doesn't move the
> needle on compliance for the vast majority of them.
>
> No retail enterprise is going to choose IPv6 without NAT internally if it
> means not being permitted to use credit cards because of a failed PCI-DSS
> audit.
>
> Auditing frameworks and auditors are just not ready for IPv6 and without
> migration strategies like NAT, they'll have no reason to be because IPv4
> will continue to dominate.
>
> ------------------------------
> *From:* Lorenzo Colitti <lorenzo@google.com>
> *Sent:* Sunday, April 24, 2022, 11:27 PM
> *To:* Kevin Myers <kevin.myers@iparchitechs.com>
> *Cc:* Brian E Carpenter <brian.e.carpenter@gmail.com>; Erik Auerswald <
> auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>; v6ops list <
> v6ops@ietf.org>; 6man list <ipv6@ietf.org>
> *Subject:* Re: [v6ops] ULA precedence [Thoughts about wider operational
> input]
>
> There are several fortune 500 companies that have publicly stated that
> they have deployed IPv6 with global addressing, so that's definitely
> possible.
>
> As for "is it better to deploy IPv6 with NAT66 or not to deploy at all", I
> would guess it depends who you ask. My personal answer would be no. It's
> possible that when faced with app and OS incompatibilities, those
> enterprises might reconsider. Or they might pick the same technical
> solutions as the enterprises that have already deployed with global
> addresses.
>
> On Mon, Apr 25, 2022 at 12:42 PM Kevin Myers <kevin.myers@iparchitechs.com>
> wrote:
>
>> IPv6 NAT is already being deployed in large enterprises for the few that
>> want to tackle IPv6. Vendor implementations exist, so that ship has sailed
>> regardless of where the IETF lands.
>>
>> Most of the Fortune 500 fall under regulatory compliance of one body or
>> another (PCI-DSS, FIPS, HIPAA, etc) and none of them are setup well for an
>> IPv6 no-NAT world. Most of the discussion I see around enterprise adoption
>> on the IETF lists misses this point. It matters very little whether NAT is
>> a "good" or "bad" practice when it comes to selecting an operational model.
>> Enterprises choose operational models that will pass audits and the
>> overwhelming majority rely heavily on NAT.  We can make the argument that
>> compliance bodies and auditors should update their guidance and standards
>> and they absolutely should, but it will probably take close to a decade to
>> change the regulatory compliance auditing landscape to the point that IPv6
>> without NAT is commonplace.
>>
>> If auditors won't sign off on end to end GUA addressing, then NAT is
>> going to remain.
>>
>> Enterprises are more than willing to punt IPv6 for another decade and
>> will likely have no issues in doing so given how little IPv4 space most of
>> them need compared to service providers. Even when IPv6 becomes the
>> predominant transport type for an Internet handoff everywhere, it will
>> still just live in the underlay while IPv4 remains the predominant choice
>> in the overlay, in apps,  and internally in the DC for enterprises.
>>
>> At what point does it become more important to have IPv6 implemented,
>> than to have it "perfectly" implemented?
>>
>> Kevin Myers
>> Sr. Network Architect
>> IP ArchiTechs
>>
>> -----Original Message-----
>> From: v6ops <v6ops-bounces@ietf.org> On Behalf Of Brian E Carpenter
>> Sent: Sunday, April 24, 2022 9:48 PM
>> To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>; Erik
>> Auerswald <auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>
>> Cc: v6ops list <v6ops@ietf.org>; 6man list <ipv6@ietf.org>
>> Subject: Re: [v6ops] ULA precedence [Thoughts about wider operational
>> input]
>>
>> On 25-Apr-22 12:16, Lorenzo Colitti wrote:
>> > On Mon, Apr 25, 2022 at 2:28 AM Erik Auerswald <
>> auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>> wrote:
>> >
>> >       "Since ULAs are defined to have a /48 site prefix, an
>> implementation
>> >        might choose to add such a row automatically on a machine with
>> >        a ULA."
>> >
>> >     The result is that only the local ULA prefix, i.e., exactly the
>> >     local IPv6 addresses, are preferred over IPv4 (and IPv6 GUA).
>> >     This should be exactly what is needed to use ULA addresses inside
>> >     an organization, or for a lab.
>> >     [...]
>> >     Implementing the non-normative suggestion from Section 10.6 of RFC
>> >     6724 would in all likelihood result in making ULA usable for local
>> >     tests and even first steps in deploying IPv6.  ULA addresses would
>> >     only be used locally.  Existing IPv4 based Internet access would not
>> >     be impaired by adding IPv6 ULA.
>> >
>> >
>> > That does seem like it might make ULA more useful, yes.
>> >
>> > Additionally, maybe we could clarify that the longest-prefix match rule
>> does not apply to ULAs outside the same /48? I think that would fix the
>> issue observed by +Ted Lemon <mailto:elemon@apple.com> in home networks:
>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
>> <
>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>
>> .
>>
>> When two networks each with its own ULA prefix are intentionally merged,
>> longest match would be the right thing, wouldn't it? (Assuming that the
>> split DNSs are also merged, and of course internal routing.) In that case
>> there is no "foreign" ULA prefix.
>>
>> >     In order to keep IPv6 deployment similar to IPv4, IPv6 NAT could be
>> >     considered.  To make this work as intended, the address selection
>> >     policy table could be adjusted to contain the local ULA prefix
>> >     with precedence greater or equal to GUA and the same label as GUA.
>> >
>> >
>> > This seems like it would encourage the use of IPv6 NAT. I think there
>> is reasonably strong consensus within the IETF that that is not the right
>> way to go, because it pushes problems on to application developers. This
>> adds costs for NAT traversal software development and maintenance, and
>> requires devices to implement NAT keepalives, increasing battery usage.
>>
>> That may be the IETF's consensus, but there is a very large fraction of
>> the enterprise network operations community that strongly disagrees, and in
>> fact regards this as a red line issue. It isn't even clear that they'd
>> accept NPTv6 as an alternative to NAPT66. If this is indeed the only way to
>> get IPv6 inside enterprises, what is the right thing for the IETF to do?
>>
>>        Brian
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email