IETF Logo Mail Archive

Re: [v6ops] draft-ietf-v6ops-multihoming-without-nat66 WGLC

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 28 February 2011 21:50 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@core3.amsl.com
Delivered-To: v6ops@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 61E373A6CB2 for <v6ops@core3.amsl.com>; Mon, 28 Feb 2011 13:50:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.459
X-Spam-Level:
X-Spam-Status: No, score=-103.459 tagged_above=-999 required=5 tests=[AWL=0.140, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BWF0ZEhws5DQ for <v6ops@core3.amsl.com>; Mon, 28 Feb 2011 13:50:01 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id A0AC33A6CA2 for <v6ops@ietf.org>; Mon, 28 Feb 2011 13:50:00 -0800 (PST)
Received: by fxm15 with SMTP id 15so4282066fxm.31 for <v6ops@ietf.org>; Mon, 28 Feb 2011 13:51:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:organization:user-agent :mime-version:to:cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=hrxmbqs+ra/dQQDrlkd1GtLs/XaEoH2QLnp7GQbqNz0=; b=SPStb6DPcvpcoAVWkNUxe/WiNZvyNkMDUpkv5M91lZrn7DGdo3Mnc4Atd1hMPRW09W 8YRMMRPwO9OUjTk3H32n1WmFLlkcslkQpWK/essKKrFDhWZuT8qhDPqbZaVVf4cBeVMW xn5s50HJvmPZoz0Ji4d0MWIU6rLhAYYGL3uYE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=k8oKsxkqDfXWJTUHVeth2Eg+c+15KKi7NEsDhNQxdTKjv1AeW39EyFE7lU7vgoDYh2 aZ9Il+otNg+i+Rc2Co8MTbftWHAWK3uFEKkLWLZfuKK8bt+9rGTPT5mkMhDYfD0cXrkS aVnSMbKNCYz+lhaxIVli4UA9SNv8N2mwJG2js=
Received: by 10.223.100.2 with SMTP id w2mr7073517fan.115.1298929861187; Mon, 28 Feb 2011 13:51:01 -0800 (PST)
Received: from [130.216.38.124] (stf-brian.sfac.auckland.ac.nz [130.216.38.124]) by mx.google.com with ESMTPS id y1sm1827996fak.39.2011.02.28.13.50.57 (version=SSLv3 cipher=OTHER); Mon, 28 Feb 2011 13:51:00 -0800 (PST)
Message-ID: <4D6C18BE.2020606@gmail.com>
Date: Tue, 01 Mar 2011 10:50:54 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Fred Baker <fred@cisco.com>
References: <0E87AEAD-8476-499E-8946-C8E31D2E21E9@cisco.com>
In-Reply-To: <0E87AEAD-8476-499E-8946-C8E31D2E21E9@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: v6ops@ietf.org, v6ops-chairs@tools.ietf.org, Ron Bonica <ron@bonica.org>
Subject: Re: [v6ops] draft-ietf-v6ops-multihoming-without-nat66 WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Feb 2011 21:50:05 -0000

Hi,

I think this draft still needs a lot of work.

First, quite a bit of rewriting is needed in the Introduction.

>    Multihoming is a blanket term to describe a host or small network
>    that is connected to more than one upstream network.

I suggest a reference to RFC 3582 here, where the IPv6 requirements
are listed.

>    For example, a remote access user may use a VPN to
>    simultaneously connect to a remote network and retain a default route
>    to the Internet for other purposes.

I don't think this is really a red herring. It's a very common scenario
but it does amount to MIF rather than multihoming, since the
VPN usually appears as a virtual interface. The draft should focus
on MH not on MIF, I think.

>    In IPv4 a common solution to the multihoming problem is to employ
>    NAPT...

Probably this should start by saying that RFC 4116 is the most common
method. It should be made clear that avoiding that method, with its
built-in scaling problem, is of equal importance to avoiding NAPT.

There should also be a discussion of NPTv6, which also avoids NAPT and
RFC 4116. Explain why the proposed approach is a better choice than NPT6.

There needs to be a clear statement that the underlying model is
that having multiple PA prefixes for a site is normal. (And once
you say that, you also need to explain why the proposed solution is
better than shim6, or how it will interact with shim6).

> 2.  Terminology
...
>    NAT66 or IPv6 NAT     The terms "NAT66" and "IPv6 NAT" refer to
>                          [I-D.mrw-nat66].

That is plain wrong. Now I don't understand whether you are trying
to avoid NAPT66 (which is evil) or NPT6 (which is much less evil, and
is the actual topic of draft-mrw-nat66). This needs cleaning up
throughout the draft.

> 3.2.  Multihomed network environment
> 
>    In an IPv6 multihomed network, a host is assigned two or more IPv6
>    addresses and DNS resolvers from independent service provider
>    networks. 

Here I have to agree with Randy - this is not *the* model for IPv6 MH,
it is only one model (which you define earlier as MHMP).

And why mention separate DNS resolvers? Since DNS is a single namespace,
you should get the same (multiple) AAAA records from any resolver.
If not, there's a bug in DNS.

>    ...or use a DNS response from an incorrect
>    service provider that may result in impaired IP connectivity.

No, no, no. Not unless you intend to recommend DNS cheating by
CDNs. Making DNS cheating work should never be an IETF goal.

> 4.3.  DNS server selection

I am very worried by this section. I think this draft should focus
on routing issues; just assume that you get back all the AAAA records
for the target in random order, and go from there.

> 5.  Requirements
> 
>    This section describes requirements that any solution multi-address
>    and multi-uplink architectures need to meet.

I'm puzzled by this section.

1. It seems to cover all kinds of solutions and not just the solution
proposed by this document.

2. It should be much earlier in the document, right after the Introduction.

3. It mixes MH and MIF issues.

4. It needs to explain what is added or changed compared to RFC 3582.

> 6.3.  DNS resolver selection

See above. I think this should be out of scope.

> 7.1.  IPv6 NAT

Drop this except for a reference to NPT6.

> 7.2.  Co-exisitence consideration

I think this is no use as it stands because of the last sentence:

>    The implementation of identifying non-MHMP hosts and NAT policy is
>    outside the scope of this document.

I think all you can say is that hosts that don't support MHMP MAY be
supported by NPT6 or shim6, and if they don't have either of those
they will not get the benefit of multihoming. That is today's
situation anyway, so you have done no harm.

> 8.  Security Considerations
> 
>    This document does not define any new mechanisms.  Each solution
>    mechanisms should consider security risks independently.  Security
>    risks that occur as a result of combining solution mechanisms should
>    be considered in another document.

Er, no. Those risks should be analysed right here in this document.

Also, refer to RFC 4218. Which of those threats apply, and are there
any new ones?

    Brian

v2.23.0 | Report a Bug | By Email