Re: [v6ops] I-D Action: draft-gont-v6ops-ipv6-addressing-considerations-00.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 31 December 2020 01:00 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B336A3A0CF5; Wed, 30 Dec 2020 17:00:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E63SAegW1j6S; Wed, 30 Dec 2020 17:00:37 -0800 (PST)
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5C743A0CEB; Wed, 30 Dec 2020 17:00:37 -0800 (PST)
Received: by mail-pj1-x102f.google.com with SMTP id b5so4589464pjl.0; Wed, 30 Dec 2020 17:00:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=qeO8bzy3gZTamCq48Ofo2oUFZtBCj/JR3UmVlFSdJU0=; b=sjyx9IHYrFBckSZRg9qXeK6oos+dv+BFwBBLHXNeEIdGLAYWe2CAQhgJfD087TlB2r SZe6bxH340UmTfQ4xvHtkc4DoXlOqfRGa0yH7dHyTm1PNG9KddVn8sd0BZ4JtcQW1xlv eeKWT/kDdAa1V0/ZgvtXYzOMShbJTfZd4RNfn5lxBBpXKCC3RZhiv4+5aAPwb4Br90jL CZrsFvgBFLFmT29rgjbNyj/N20dkYWDYENEq9wOXGWuP/lUPkqjxrSI/phNp5mfxMN8Z Xcc5refiODCDUCgHeKVMcJIVPZmTcCRJ1oCfq+uJF032X/51rB/pu9XJvFzt8X3z7Yrz r60A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=qeO8bzy3gZTamCq48Ofo2oUFZtBCj/JR3UmVlFSdJU0=; b=ozXlaEvIy4RPl6IClqmjUa2COujiA2CfKixAh193GNFuD9Q0oHjHMHCOl3x0A31obQ z1SpxC4Fj3fjRrD4/Gra8QgoYGKsJ6EHOeFkNXXNPiPhgmnwIkhtSn42pQeae8ZnoD6v uGEZMcsDQdVZRkRGT1Sur/Qh52fNt+84mf7Bsl2m9jwWzhlkBQhewJwqR/8HrtSzngR7 f93Awie9AlomuNVt1iGhNMs6K5gbpqTVyT8hKKV7lHpUI4yTDAFy/FkL2i8jJJoguPy8 Hlysa0KLNEfAQOJS8Dh0wAuIpAbAKVd6raO+zeT5Mjx1NosutMknayaHncZD05T7cL8S tvrw==
X-Gm-Message-State: AOAM533h3AYUaOVtnqvjxETJQn4XNqYtJIFMbRdARRhMu8z/JWR2hbm+ Uq+KOCgmZAdKPp9Ber5W5M2qZ/YoQ76Ksg==
X-Google-Smtp-Source: ABdhPJysA+wi7rvUwq+Z33bF9n2TpcB+dRNBWhJn29MvakAWHKlhKtNcoxSj47GJMtrRvnm0NdxbWw==
X-Received: by 2002:a17:90a:fd08:: with SMTP id cv8mr10768998pjb.29.1609376436721; Wed, 30 Dec 2020 17:00:36 -0800 (PST)
Received: from [192.168.178.20] ([151.210.131.28]) by smtp.gmail.com with ESMTPSA id h10sm40122928pfn.213.2020.12.30.17.00.34 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 30 Dec 2020 17:00:35 -0800 (PST)
To: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, draft-gont-v6ops-ipv6-addressing-considerations@ietf.org
References: <160770241261.18071.12524922630334294118@ietfa.amsl.com> <fb832698-039e-baa5-ed6f-4d5a97e7b354@gmail.com> <299f492f-4cb7-fa9d-967f-b2a5df49034e@si6networks.com> <759efdb1-a59c-788c-0c7a-5a8ca2ced904@gmail.com> <b20425a3-8069-3823-4610-79c93714ad2f@si6networks.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <fa8c56d3-5d64-ae55-5be1-a3ec7d8f130d@gmail.com>
Date: Thu, 31 Dec 2020 14:00:33 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <b20425a3-8069-3823-4610-79c93714ad2f@si6networks.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Nh3gDebmCvnR3Adl1j5HFi8bEy8>
Subject: Re: [v6ops] I-D Action: draft-gont-v6ops-ipv6-addressing-considerations-00.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2020 01:00:40 -0000

Hi,

Fernando and I have been chatting off-list, so rather than responding in
detail below, here are just a few general observations:

1. We have a problem with the formal definition of "global". All it really
means in the IPv6 addressing architecture is "not link-local", which is
not "global" in the normal English sense. It really seems too late to
change that, but it's unfortunate.

2. The "globally reachable" term added by RFC 8190 isn't perfect either.
All it really means is "potentially globally reachable" because prefixes
don't *have* to be advertised in BGP4.

3. If we're picky, "local" in ULA isn't perfect either, since there's
nothing in the laws of physics to prevent a ULA prefix being advertised
in BGP4.

4. The following table attempts to show some of the distinctions
involved (simplified). View in a fixed-width font. You may not
agree with it...

Unicast       Prefix      IID        Routeable   Announced
address       assigned    assigned
types         by          by
-----------------------------------------------------------
Link-local    fixed       host       no          no
              by RFC
  
ULA           user/RA     host or    yes         IGP only
              (random)    DHCPv6

GUA           IANA/RIR/   host or    yes         IGP,
              ISP/user/RA DHCPv6                 BGP4 by policy

Regards
   Brian

On 30-Dec-20 04:00, Fernando Gont wrote:
> Hi, Brian,
> 
> Thanks for following up! In-line.....
> 
> On 24/12/20 19:15, Brian E Carpenter wrote:
> [....]
>>>
>>> Now, my question is: why do this in the first place? What I would expect
>>> is that you simply use the address. Then, if the same node attaches to
>>> two networks that employ the same prefix, that's a configuration
>>> problem. Period. *If* in such scenario, *and for debugging purposes* you
>>> want to be able to specify which interface to use to send packets to a
>>> site-local address (that looks like "on-link" on two different
>>> interfaces), then you use the zone index -- but that's for *debugging*
>>> purposes, since having two subnets employ the same site-local prefix
>>> would be an error.
>>
>> If you read RFC4007 
> 
> I had read RFC4007 in the past -- *years* ago. So I've just given it a 
> fresh read.
> 
> Some initial questions:
> 
> * Any reason why this document is a separate/stand-alone document rather 
> than part of RFC4291 (or RFC3513)?  Or, at the very least, any reasons 
> why it does not even *update* one of those? (RFC3513, since RFC4007 
> obviously predates RFC4291)  (particularly since it's Std Track)
> 
> * Section 5 states:
>     Each interface belongs to exactly one zone of each possible scope.
>     Note that this means that an interface belongs to a scope zone
>     regardless of what kind of unicast address the interface has or of
>     which multicast groups the node joins on the interface.
> 
> This would seem to imply that an interface cannot employ two different 
> ULA prefixes? -- Why?  (unless their scope is considered global, and all 
> ULAs plus GUAs are all considered to be part of the same global scope zone)
> 
> 
> 
>> you will *not* find that a zone index is formally
>> equated to an interface index. The "zone" terminology is confusing since
>> it did originally assume a nested scope model, link-local inside site-local
>> inside global. 
> 
> (me thinking out loud) It seems that it *cannot* be equated, since an 
> interface may (and usually will) belong to multiple zones.
> 
> So the zone index somehow ends up being the combination of "address" + 
> "interface index", where the implementation infers the scope from the 
> "address"?    (this isn't really a "zone index", though).
> 
> 
> 
>> By some magic the host was supposed to understand enough
>> of the network topology to use a single value "zone index" to capture
>> the topology and tell the drivers which interface to use. See diagrams
>> at https://sites.google.com/site/bcabrc/miscellany .
>> Slides 3 and 4 show scenarios that simply can't be captured
>> by a one-dimensional zone index. In practice, of course, the zone index
>> is only meaningful within the host. 
> 
> Isn't this the case *by definition*?
> 
> 
> 
>> So the whole concept of a zone
>> index for nested scopes was a mistake. With hindsight, we should
>> have cleaned that up more definitively in RFC4007.
> 
> You mean that it's problematic for the node to *automatically* determine 
> which zone an address belongs to?
> 
> If so, yes -- that seems unfeasible. The best you can hope is the 
> "default zone index" (which can indeed fail), or manual specification of 
> the "zone index".
> 
> 
> 
> 
>>> Regarding #2:
>>> Modulo the above, for the most part non-global addresses *are*
>>> ambiguous. So this is kind of a feature.
>>
>> Yes, but not a *good* feature since it leads to the problems
>> in my slides 3 and 4.
> 
> But... are site-locals special in this respect?  -- As with link-locals 
> on multi-interface nodes, you either manually pick the outgoing 
> interface (and hence the zone), or your rely on the default zone index 
> (and cross your fingers :-) ).
> 
> 
> 
> [....]
>>>>> 3.2.  Unique Local IPv6 Unicast Addresses (ULAs)
>>>> ...
>>>>> However, the only reasons for which these addresses are considered
>>>>> to have "global scope" are:
>>>>>
>>>>> o  given two different networks that employ ULAs, it's unlikely
>>>>> that they will employ the same ULA prefix
>>>>
>>>> Not at all. The reason they formally have global scope is because
>>>> when site-local was scrapped (as being meaningless and unenforcable,
>>>> see RFC3879), only two scopes were left: link-local and global.
>>>> There was no other choice.
>>>
>>> Why not, say, "IPv6 Private Address Space"? -- Yes, in the light of
>>> "ipv6 is all about the global addresses", mimicking IPv4's private
>>> addresses probably wasn't "sexy", but IMO the concept is useful, and
>>> well understood.
>>
>> I think that adds confusion. They are only private because of the
>> requirement to block them in border routers; it's not a property
>> of the address itself. 
> 
> In a way, isn't that the case for all non-global addresses?  e.g. for 
> link-locals as Destination Addresses it's kind of hardcoded. But for 
> link-locals employed as Src Address, you also need the requirement for 
> routers to drop the packets to prevent these addresses from leaking out 
> of their zone. (But yes, for link-locals this check can also be hardocded).
> 
> 
> 
>> (Thumbs down to the Python ipaddress module
>> by the way, which has invented an "is_private" property and gets
>> "is_global" wrong for ULAs.)
> 
> Assuming ULAs are flagged as "global", I guess that's a consequence of 
> RFC4291 (or it's antecessor) not being updated by the ULA spec?
> 
> 
> 
> 
> 
>>>> What that means is that protocols treat
>>>> them *exactly the same* as RIR-assigned prefixes. That applies to
>>>> all protocols: ND, RA, DHCPv6, and every routing protocol. They are
>>>> only treated differently by policy, such as address selection policy
>>>> or boundary router policy.
>>>
>>> Wouldn't this also be the case if they were redefined as "IPv6 private
>>> address space"?  i.e., from the point of routing, modulo the link-local
>>> prefixes, you simply have prefixes that you distribute information
>>> about.  i.e. "Private address space" (i.e., non-global) shouldn't be
>>> treated differently by routing protocols.
>>
>> It's true, but that's what the "global" property means, and it's different
>> from "globally reachable". 
> 
> You mean "global" as in "global scope"?
> 
> Section 4 of RFC4007 says:
>     Every IPv6 address other than the unspecified address has a specific
>     scope; that is, a topological span within which the address may be
>     used as a unique identifier for an interface or set of interfaces.
> 
> As you noted in a previous email, this is probably unlikely for 40-bit 
> global IDs (but should compute the birthday problem for this case) -- 
> this might improve with RFC7217 (assuming randomized secret_keys for the 
> algorithm)... but you could still have manually configured IIDs. So in 
> that sense, I wouldn't consider ULAs as "global scope", either.
> 
> (must admit had to go through RFC8190 and friends a few times...)
> 
> Thanks, and Happy Holidays!
> 
> Regards,
>