IETF Logo Mail Archive

Re: [v6ops] Thoughts about wider operational input

Nick Buraglio <buraglio@es.net> Tue, 22 March 2022 21:32 UTC

Return-Path: <buraglio@es.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01A723A0BCE for <v6ops@ietfa.amsl.com>; Tue, 22 Mar 2022 14:32:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=es.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJ3Ea9jbENM6 for <v6ops@ietfa.amsl.com>; Tue, 22 Mar 2022 14:32:46 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA57E3A0B88 for <v6ops@ietf.org>; Tue, 22 Mar 2022 14:32:45 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id a26so13983866lfg.10 for <v6ops@ietf.org>; Tue, 22 Mar 2022 14:32:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.net; s=esnet-google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=LsJETkCqG168SkfdAwLxC/Uw14lDNR2RrifzYY+pclI=; b=ZMXq3QTi7ix4srVLt88+2Yk2v+0hb2kJc2EN6yKDCwXoqmmr8JLIRfqxt63jNAR23L XWjMOgTF9U1VJALgE289AGUyzKS8xmDxLzvg81NkUlQu3xZM0nG64uoRAVoogvdzGhs/ wn8rqx8S1SsBO4M/Bujg3klyzhr1S6eRk4LYhflDFhvD5hNNa8/vXE4ply1v3Bxk+w78 Fgg4wuCCdkRnS5BWpW8ivjka2riYUcz1NzmOXCETtpJc6U9kxbon9zRK/UUAt5SP4Hjk LvCVPir0o7J3JT/SJkIv30nbuc2P8g+waQWgxJzNOfrfdIKl0FbE8YCQoVUqh/9HSUtK 8BHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc:content-transfer-encoding; bh=LsJETkCqG168SkfdAwLxC/Uw14lDNR2RrifzYY+pclI=; b=colVDT/Cl1W3AUGGMhIp6urhsYeD3gvje6dBX9yKDw8Q6GBN8iqz9tCuH+V2wQHCNr et/JGkySopmSqfUw9CBQf4WHM94yT9l56oJiPDDmaDWB+g7+iGfJBegVNYdye4cVAQKS eMNeKjSQHxUnlWsFo7GZs+qdgCNT6C8mNEzUIsNr9WNGjNYNdmoEKOlePeKRog7Z6L0h vrAftG2s4jctMoU4EGTbwaR0T+BnRqzt+54R5JlxeCzcXpaIEaGa8HApHVk17sL+VvVe 9wvn0EriyLKkvyl7JNSnXp3Rlao22pt5ayXlRnQm0bSkxmHVPmKxLBNRmE6xrqV+mNoP Z9cA==
X-Gm-Message-State: AOAM531OnJ/39SbB3AON+2pT9aJmikgNXn9/kuDlp3r6mVhbPOQt8fFs lx+aV0J7DTaqwMTC+xgtciN3iCDewI/V4HS2ZB0KjmZv0W/Uimh9RXXfNG9vGnGUQIlULhuZykX QJNRy0WfpPXvh4gwdT2QXVbQJnslFE3ALF9n/Cs0ZkQZVB6UwcSugIkbxa0tH8lleYRh1DGYyAd U=
X-Google-Smtp-Source: ABdhPJw/2a2H0C3PVUbRIbeZOA2Q0Ft7xjE/X9ncOLwdiNujH3IgSP1IhgIvUXfmDK5hysA7WbSqgsxW4SgwHNRwxBU=
X-Received: by 2002:a05:6512:ac2:b0:44a:2d7b:add4 with SMTP id n2-20020a0565120ac200b0044a2d7badd4mr7972548lfu.299.1647984762893; Tue, 22 Mar 2022 14:32:42 -0700 (PDT)
MIME-Version: 1.0
References: <52661a3d-75dc-111a-3f23-09b10d7cb8d4@gmail.com> <A72CDDDB-CDCE-4EAF-B95E-997C764DB2C4@gmail.com> <9175dc32-45c1-e948-c20a-3bcc958b77b9@gmail.com> <YjmJQMNgnJoSInUw@Space.Net> <fd17a91f-68dc-92b5-0544-51aefa1b7f08@gmail.com> <CAM5+tA-Wq5O4pjQ++VZQi-FTKZGMRAW-LFc6O5dPOyox4QZDEw@mail.gmail.com> <CAPt1N1mK=Xgtt+aYa4ga8YqK2XYhCdQUPrwgVU8xstH+F_RAfQ@mail.gmail.com> <CAM5+tA9zhMpJ1s8keoL8eoEMej5tOM=-imXypHEreUa3wOrt5Q@mail.gmail.com> <2959747f-7b2e-ba95-64ae-95794fa8c4eb@gmail.com> <CAM5+tA8FqinJ0KNw7TuMEZ346bw+LStjGAY=gp7WwrRtii04cg@mail.gmail.com> <CAPt1N1ndx6NNqAaBWD7754DpQqyKzYG24Tmv6ZoKO3tcv4+wKA@mail.gmail.com>
In-Reply-To: <CAPt1N1ndx6NNqAaBWD7754DpQqyKzYG24Tmv6ZoKO3tcv4+wKA@mail.gmail.com>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Tue, 22 Mar 2022 16:32:31 -0500
Message-ID: <CAM5+tA_SHnRu=gwcYJ1tSmbd7HgxZRrF626EzHipjnOoaytHdA@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, v6ops@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Oj-Df4ps11i5zZ1NhonjS__d6xk>
Subject: Re: [v6ops] Thoughts about wider operational input
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 21:32:59 -0000

NAT64? Nothing. It's specifically problematic for dual stacked
networks. NAT64 implies that hosts are IPv6-only, which has its own
unique details.

nb


On Tue, Mar 22, 2022 at 4:09 PM Ted Lemon <mellon@fugue.com> wrote:
>
> Okay, but what does that have to do with ULAs and NAT64?
>
> On Tue, Mar 22, 2022 at 10:05 PM Nick Buraglio <buraglio@es.net> wrote:
>>
>> In RFC6724 section 2.1 states:
>>
>> If an implementation is not configurable or has not been configured,
>> then it SHOULD operate according to the algorithms specified here in
>> conjunction with the following default policy table:
>>
>>       Prefix        Precedence Label
>>       ::1/128               50     0
>>       ::/0                  40     1
>>       ::ffff:0:0/96         35     4
>>       2002::/16             30     2
>>       2001::/32              5     5
>>       fc00::/7               3    13
>>       ::/96                  1     3
>>       fec0::/10              1    11
>>       3ffe::/16              1    12
>>
>> https://datatracker.ietf.org/doc/html/rfc6724#section-2.1
>>
>> Linux is /theoretically/ configurable but implementations are
>> inconsistent. Even so, changing this at scale is operationally
>> impossible and would present as a huge impediment for any deployment
>> of size. My experience has been that most implementations have taken
>> the "...implementation is not configurable" approach, and that has
>> become the de facto standard. Again, if we are talking about
>> impediments to enterprise deployment, this is on the list. It is
>> unrealistic to expect or require a sweeping change to a protocol
>> default by a random enterprise deployment team. We went quite deep in
>> this thread back in August of 2021 on this list. I am also happy to be
>> wrong here.
>>
>> nb
>>
>> ---
>> Nick Buraglio
>> Planning and Architecture
>> Energy Sciences Network
>> +1 (510) 995-6068
>>
>>
>> On Tue, Mar 22, 2022 at 3:48 PM Brian E Carpenter
>> <brian.e.carpenter@gmail.com> wrote:
>> >
>> > Nick,
>> >
>> > Where is the "prefer IPv4 over ULA" preference coded (whereas, presumably, "prefer IPv4 over GUA" is not coded)?
>> >
>> > Regards
>> >     Brian Carpenter
>> >
>> > On 23-Mar-22 09:35, Nick Buraglio wrote:
>> > > Yes, I know I have harped on this many times and have posted some simple examples of the behavior to the list. My experience has been, and continues to be, that if I have dual stacked hosts with A and AAAA records, and the IPv6 clients are using ULA that IPv6 is never used. In an IPv6-only environment ULA has no higher priority protocol to supersede the ULA. In the context of transitioning to an IPv6 world, it is fairly unrealistic to assume any kind of greenfield, and dual-stack
>> > is by and large the standard "permanently temporary" solution for the vast majority of implementations. So in this context, which has been 99% of what I have seen until I began working on the IPv6-only implementation mandated by the USG OMB-M-21-07 document, that was the de facto standard (and will continue to be for enterprise deployments, in my opinion).
>> > > I would be happy to be incorrect about this, honestly it would make my work-life easier if I was. So, yes, I fully acknowledge that your use case is absolutely the right one for ULA. For doing a transition in an existing network (which circles back the the original topic of this thread: getting enterprises to use IPv6 in a meaningful way), this is a really
>> > well put together descriptions of the every-day implications of trying to use ULA:
>> > > https://blogs.infoblox.com/ipv6-coe/ula-is-broken-in-dual-stack-networks/ <https://blogs.infoblox.com/ipv6-coe/ula-is-broken-in-dual-stack-networks/>
>> > >
>> > > nb
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > On Tue, Mar 22, 2022 at 3:20 PM Ted Lemon <mellon@fugue.com <mailto:mellon@fugue.com>> wrote:
>> > >
>> > >     I'm sure you believe this assertion, Nick, but you haven't given us
>> > any way of understanding why you believe this. In fact we're using ULAs in the Thread Border Router to enable IPv6 communication between different
>> > subnets, which literally could not be done with IPv4. So at least for this use case, ULAs work well. Would it work better to have a GUA? Comme ci comme ça. On the one hand, prefix delegation and real routing would make the solution more general. On the other, GUAs are great for reaching
>> > out to the internet, which we may or may not want light bulbs to be able to do.
>> > >
>> > >     On Tue, Mar 22, 2022 at 9:13 PM Nick Buraglio <buraglio@es.net <mailto:buraglio@es.net>> wrote:
>> > >
>> > >         ULA is an operational non-starter in the presence of any dual stacked hosts.  Per its design, it just won't ever use IPv6 in any meaningful way and that time and effort are better served on adding GUA addressing of one kind or another.
>> > >
>> > >         nb
>> > >
>> > >
>> > >
>> > >         On Tue, Mar 22, 2022 at 2:55 PM Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>> > >
>> > >             Hi Gert,
>> > >
>> > >             I see that the discussion has been going on while I was sleeping, but I want to clarify below...
>> > >             On 22-Mar-22 21:30, Gert Doering wrote:
>> > >              > Hi,
>> > >              >
>> > >              > On Tue, Mar 22, 2022 at 11:42:12AM +1300, Brian E Carpenter wrote:
>> > >              >> I agree with Jordi that multihoming is a genuine impediment. What isn't generally realised is that it's a problem of scale when considering at least 10,000,000 enterprises, much more than it's a problem of IPv6 itself.
>> > >              >
>> > >              > What is "an enterprise"?
>> > >              >
>> > >              > My stance on this is that for "largely unmanaged SoHo networks" - which
>> > >              > could be called "small enterprise" - dual-enduser-ISP with dual-/48 or
>> > >              > NPT66 gets the job done in an easy and scalable way (HNCP would have
>> > >              > been great, but IETF politics killed it).
>> > >              >
>> > >              > "Enterprise that truly need their own independent fully managed network
>> > >              > with multiple ISP uplinks and fully routed independent address space"
>> > >              > are probably way less than 10 million...
>> > >
>> > >             I came up with 10 million quite some years ago as a reasonable estimate
>> > >             of the number of medium to large businesses in the world, all of which
>> > >             might depend on *reliable* Internet access to survive (and WfH during
>> > >             COVID has made this even more important recently). So all of them
>> > >             should have two independent paths to the Internet to assure
>> > reliability.
>> > >             That means two different ISPs (or less good, two completely
>> > independent
>> > >             paths to the same ISP).
>> > >
>> > >             So, if PI addressing is the answer, that really does take us to
>> > >             10M /48s to be routed.
>> > >
>> > >             If PA is the answer, that's why I worked on SHIM6 (may it rest in
>> > >             peace). Which is why I worked on RFC 8028. If that's not the
>> > >             answer, we're back to NPTv6. Possibly even to ULA+NPTv6.
>> > >
>> > >              > Half of them do not want Internet access anyway, just access to their
>> > >              > ALGs that will do the filtering and TLS inspection and everything, and
>> > >              > then out to the Internet as a new TCP session (= could
>> > be done with
>> > >              > DMZ islands of upstream-provider-allocated space just fine).
>> > >              >
>> > >              >
>> > >              > We need to work on our marketing regarding multihoming.  "What is it that
>> > >              > you get, what is the cost, which of the variants do you want, and why...?"
>> > >
>> > >             Yes.
>> > >                  Brian
>> > >
>> > >             _______________________________________________
>> > >             v6ops mailing list
>> > >             v6ops@ietf.org <mailto:v6ops@ietf.org>
>> > >             https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
>> > >
>> > >         _______________________________________________
>> > >         v6ops mailing list
>> > >         v6ops@ietf.org <mailto:v6ops@ietf.org>
>> > >         https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
>> > >
>> >

v2.23.0 | Report a Bug | By Email