Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-recommendations-02.txt
Ray Hunter <v6ops@globis.net> Thu, 20 February 2014 07:40 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88EBB1A036E for <v6ops@ietfa.amsl.com>; Wed, 19 Feb 2014 23:40:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CTsNGO82uIqS for <v6ops@ietfa.amsl.com>; Wed, 19 Feb 2014 23:40:16 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 994BD1A0355 for <v6ops@ietf.org>; Wed, 19 Feb 2014 23:40:15 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 71BED87007A; Thu, 20 Feb 2014 08:40:11 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sucapNgJI8gB; Thu, 20 Feb 2014 08:40:11 +0100 (CET)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id 3CE8D87006D; Thu, 20 Feb 2014 08:40:11 +0100 (CET)
Message-ID: <5305B159.2050402@globis.net>
Date: Thu, 20 Feb 2014 08:40:09 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.9 (Macintosh/20140129)
MIME-Version: 1.0
To: Lorenzo Colitti <lorenzo@google.com>
References: <20140214091302.13219.20624.idtracker@ietfa.amsl.com> <m21tz6javn.wl%randy@psg.com> <1442fd6c81e.5859224653900445752.5189762259388794287@internetdraft.org> <52FEBE28.1010006@gmail.com> <8E2A8B56-6F05-4F09-BE7E-651B9CA42458@delong.com> <5300CE32.1050808@gmail.com> <BD473E46-E382-44E6-B474-A56D074318FA@delong.com> <530104B3.3070205@gmail.com> <53010E70.5000401@gmail.com> <20140217110013.GA31822@mushkin> <62FF9B8A-2F21-4FDD-B1D2-82B8C02A21B3@delong.com> <37638184-17C6-4C8B-86B1-C596A5A5504A@nominum.com> <530242C3.4070108@bogus.com> <E91E49CA-7BA6-4DA3-B4F3-46BB0F25F8F1@delong.com> <5303CD3E.1010907@gmail.com> <m2a9dnr4vk.wl%randy@psg.com> <5304BAAF.60608@gmail.com> <53052B43.2070904@gmail.com> <CAKD1Yr2fyZ9FezX5dh=P-PiruiOqKBKO9f5hroD-CHDJS+ZMQQ@mail.gmail.com> <53055FF3.2040605@gmail.com> <CAKD1Yr0SgVtTCTppiJkfgao91xR5jZ-1N+b+dE5m9_6ovky4gQ@mail.gmail.com>
In-Reply-To: <CAKD1Yr0SgVtTCTppiJkfgao91xR5jZ-1N+b+dE5m9_6ovky4gQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/Py-VL_1jgJWgWGg0UtmQoOETv5c
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-recommendations-02.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2014 07:40:17 -0000
Lorenzo Colitti wrote: > On Thu, Feb 20, 2014 at 10:52 AM, Brian E Carpenter > <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote: > > > 2. A piece of remarkably bad luck, rather less likely than > >> winning any lottery I'm aware of. > > > Can you elaborate on exactly how bad this luck is as a function of how > many ULA prefixes you use your organization? > > For example - if two large organizations that each use 200 ULA /48s > (one per site) merge, what is the chance that one of them will collide? > > I don't feel it's satisfactory to say "the probability of a collision > is low" without saying how low it actually is. In fact, I think the > draft should not be published without giving a few examples of these > numbers. If *nobody* among the authors or on this list knows what the > numbers actually are, then we should not advocate using ULAs. It is > not good engineering practice to recommend something that you do not > understand. > > > You assume that people will actually follow the rules instead of > saying > > "let's just do this like IPv4, and use NAT at the border". > > If CERs do the right thing the ULA prefix will be generated > correctly. But you're right, there will be a generation of > old-time IPv4 operators who will do exactly that whatever we > put in RFCs. > > > I'm not talking about home networks here, I'm talking about corporate > IT environments. Having being involved in a number of mergers, de-mergers, and acquisitions, I suspect that a ULA clash will be the least of your worries. [Although I have to admit I've never actually merged or de-merged multiple IPv6 ULA's] IMHO I think the real worry would be any remaining hard coded addresses and ranges [in firewalls, load balancers, name servers, hot standby systems, WAN optimizers, Active Directory servers (which LANs does each DC serve), licence servers .... ] Is there any serious effort underway to solve how exactly you specify network security zones and firewall rules for ULA based systems, and for systems running multiple IPv6 prefixes? Does a ULA prefix need to map 1:1 to a network security zone? Do you also have to map the ULA space onto your GUA space(s) to ensure the classification and filtering rules for different prefixes remain in synch? When de-merging a single ULA into 2 enterprises, how do you draw a line in the sand to separate A from B? Does the "corporate firewall" function have to become distributed so that the filtering really does sit at the network security zone borders (rather than relying on anti-spoof filters, and a single centralised pair of firewalls) At this point, I'd much rather merge or de-merge two sets of GUA space, and have predictable behaviour during any transition. -- Regards, RayH
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Randy Bush
- [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-re… internet-drafts
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… ek
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Sander Steffann
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Alexandru Petrescu
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Alexandru Petrescu
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Alexandru Petrescu
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark ZZZ Smith
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Jan-Frode Myklebust
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… joel jaeggli
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… joel jaeggli
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark ZZZ Smith
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Randy Bush
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Alexandru Petrescu
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ray Hunter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Nick Hilliard
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… David Farmer
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… David Farmer
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Eric Vyncke (evyncke)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Gert Doering
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ray Hunter
- [v6ops] multiple prefixes [no longer draft-ietf-v… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Tore Anderson
- Re: [v6ops] multiple prefixes [no longer draft-ie… Ray Hunter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Ted Lemon
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] multiple prefixes [no longer draft-ie… Brian E Carpenter
- Re: [v6ops] multiple prefixes [no longer draft-ie… Ray Hunter
- Re: [v6ops] multiple prefixes [no longer draft-ie… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Liubing (Leo)
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark ZZZ Smith
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Victor Kuarsingh
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Lorenzo Colitti
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mark Andrews
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Mikael Abrahamsson
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… William Cerveny
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usag… Owen DeLong