IETF Logo Mail Archive

Re: [v6ops] ULA precedence [Thoughts about wider operational input]

Nick Buraglio <buraglio@es.net> Sun, 24 April 2022 21:09 UTC

Return-Path: <buraglio@es.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 884C13A175F for <v6ops@ietfa.amsl.com>; Sun, 24 Apr 2022 14:09:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=es.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBWYfCGkZ5Zt for <v6ops@ietfa.amsl.com>; Sun, 24 Apr 2022 14:09:54 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEDAC3A175C for <v6ops@ietf.org>; Sun, 24 Apr 2022 14:09:53 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id c15so15624552ljr.9 for <v6ops@ietf.org>; Sun, 24 Apr 2022 14:09:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.net; s=esnet-google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=LKoVb9A8jaAzRu5zX8JTgf55WMX7NkgdiAktF6nob6g=; b=gjaCRDQ7fiyEZYZQG7lW7B446hJq0cw6cXMt9zy7l4mide9mIoT6n/cmCTquRE36ny 3C4mJHgDgBhNaM4zDUQCYCs56ZWmgwKUSme/kieqkSotJmH7zheydz2vXdOE6jZlB+hz yf7LLZE9vUxCQanMYC0edqByHAOpMk0c6t4+nrHALvnOsn8SJH+j54a9rMYpZARtfqX+ 1Et3oxlP7EnBIFFx0R6llp4iDq4FJupws85dOH/5Ak0NEpscLMLirsUXTHGj3ZPsiAu8 x6knIhPam/9mvBb4WSnAPLRYHFQ0QW8srSjs88dBw/UixJ1jUO38n1WfOhe6YJW3U8/J aZcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=LKoVb9A8jaAzRu5zX8JTgf55WMX7NkgdiAktF6nob6g=; b=hr37N8aVDqZuiHUDF3nKO7jmjk3rwq/Fz/T06ZYtl2kT74zPIUsGiDME3y2GapHLBh p3oaMtZ51H+rzp0CPs2Ntw6XTRwKPpTio3gEjHngMqaMZs/qZJfU/aROTp50CN73bgSF 49oosnl5Ys7Aerv7/zes+LjMCattlCcZz+j+WHhcXpnan3LIwMZNo98W7hMIx+GEjafB vg4q7HJR2HfpRj6Z3mA1vpZwcnw00+VCTPJUvIdzOyOCoHBw7VfnnKmrhl4Ju6wBrA7q 6AfGz2oKd9WfA3P4cM5xLn37w6I1u9o7Z14uJ+QmFiRGdRUIpIFrpQUV2B56ALeTnQFg ExoQ==
X-Gm-Message-State: AOAM532UVWXg/mzzcpQaY06/tz3VPWdD/aGGB/yg2ShKjdZUlXxWxZRF iLVR+oMJRt1vapS8KR8COpQkA8Z2ldbqTP+RSUp/VN7PDJfhuT7+OgWmQpBL8jcIP1c08Gpsd81 iR582vdQyoJELKGmyHeLCoNnpZz622Bx9SF96kJaa/yNyo0BuvFSkbPr9A5cJEVoVJO8CG3fiBs 0=
X-Google-Smtp-Source: ABdhPJydUPCLF+w0vLJ4vdFtwcHvq6ub43N1zL+SRF25Xb+UurDjI4ZoSYQL2jotzK5APTwwmjJCQJ4EbrYIwXLyQZo=
X-Received: by 2002:a2e:bf08:0:b0:247:f79c:5794 with SMTP id c8-20020a2ebf08000000b00247f79c5794mr8968515ljr.398.1650834591401; Sun, 24 Apr 2022 14:09:51 -0700 (PDT)
MIME-Version: 1.0
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de>
In-Reply-To: <20220424172743.GA218999@fg-networking.de>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Sun, 24 Apr 2022 16:09:40 -0500
Message-ID: <CAM5+tA-hPuZY=SN_og=ju+ryqPoOeLzq2STmgbaw-bts__ZKUw@mail.gmail.com>
To: Erik Auerswald <auerswald@fg-networking.de>
Cc: v6ops list <v6ops@ietf.org>, 6man list <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000067c35305dd6ce1fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/TJo1Kp5tOWs60aNFOJiB7y57pik>
Subject: Re: [v6ops] ULA precedence [Thoughts about wider operational input]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Apr 2022 21:10:00 -0000

On Sun, Apr 24, 2022 at 12:28 PM Erik Auerswald <auerswald@fg-networking.de>
wrote:

> Hi Nick,
>
> I saw your Internet-Draft draft-buraglio-v6ops-ula on "The Daily
> Dose of IETF" <https://tools.ietf.org/dailydose/>, issue 4085 from
> 2022-04-22.  I found the title of interest to me, because some
> years ago I tried to deploy ULA and came to the conclusion that
> this resulted in more problems than solutions.  But my experience
> differs markedly from what I read in the draft.
>
> What I have experienced is implementing ULA addressing inside
> an organization some years ago.  But back then IPv6 ULA was
> preferred over IPv4, and NAT for IPv6 was not widely available.
> We did have NAT for IPv4, but not for IPv6.  But with ULA treated
> the same as GUA, connections to external hosts with both IPv4
> and GUA IPv6 addresses were attempted with ULA source addresses.
> This obviously did not work.  Additionally, we encountered address
> selection problems where some host would prefer a ULA source address
> to reach external GUA destinations, even though it could have used
> a GUA source address.  We then reverted to only using GUA for IPv6.
>

Yes, this was basically what process I went through as ULA has become
increasingly mentioned as part of large IPv6 migrations I am involved with
right now.


>
> The policy table from RFC 6724 Section 2.1 addresses all of the
> above problems.  RFC 6724 also describes extensions for specific
> use cases, including that of preferring ULA for use inside an
> organization (or lab).
>
> Section 2.1 of RFC 6724 contains:
>
>  "An implementation MAY automatically add additional site-specific
>   rows to the default table based on its configured addresses,
>   such as for Unique Local Addresses (ULAs) [RFC4193] [...] (see
>   Sections 10.6 [...])."
>
> Section 3.1 of RFC 6724 contains:
>
>  "Also, note that ULAs are considered as global, not site-local,
>   scope but are handled via the prefix policy table as discussed
>   in Section 10.6."
>
> Section 10.6 of RFC 6724 contains:
>
>  "By default, global IPv6 destinations are preferred over
>   ULA destinations, since an arbitrary ULA is not necessarily
>   reachable[.]"
>
>  "However, a site-specific policy entry can be used to cause ULAs
>   within a site to be preferred over global addresses as follows."
>
> Then the site specific ULA /48 prefix is inserted into the policy
> table, with precedence higher than that of GUA, and with a different
> label.  Because of the higher precedence, ULA is preferred over GUA.
> Because of the different labels of ULA and GUA, connections to GUA
> destinations prefer GUA source addresses over ULA.
>
> This can be done automatically, as described in the same section:
>
>  "Since ULAs are defined to have a /48 site prefix, an implementation
>   might choose to add such a row automatically on a machine with
>   a ULA."
>
> The result is that only the local ULA prefix, i.e., exactly the
> local IPv6 addresses, are preferred over IPv4 (and IPv6 GUA).
> This should be exactly what is needed to use ULA addresses inside
> an organization, or for a lab.
>
> It seems to me as if RFC 6724 already includes the general solution
> for the problem described in your draft, i.e., adding the locally
> used ULA /48 prefix with appropriate precedence and label to the
> address selection policy table.
>
> Sure, I've done this just to see that it worked, but as stated in the
draft it is not a scalable or supportable solution since a great number of
implementations do not make this available. Embedded systems and other
speciality devices are particularly difficult here making it operationally
unviable.



> Implementing the non-normative suggestion from Section 10.6 of RFC
> 6724 would in all likelihood result in making ULA usable for local
> tests and even first steps in deploying IPv6.  ULA addresses would
> only be used locally.  Existing IPv4 based Internet access would not
> be impaired by adding IPv6 ULA.
>

The issue lies with the inconsistency. As the preference table is
inaccessible on many platforms, it becomes operationally untenable, and
since ULA operates differently than GUA by design, it imposes yet another
fairly large impediment to enterprise adoption, which will almost certainly
remain dual-stacked for the foreseeable future, looking to closely mirror
their IPv4 architectures.


>
> Application layer gateways could be deployed with ULA on the inside
> and GUA on the outside.
>

My testing shows that IPv6 NAT options and this type of architecture works
in an IPv6 only environment, but without being able to address the IoT and
OT systems preference tables, it's stuck with IPv6-only. This works for
what I need right now, but that is an edge case for the vast majority of
other deployments that still require IPv4.

>
> Local servers with external IPv6 services only available via GUA,
> but without IPv4, would be reachable using ULA source addresses.
> This would allow to, e.g., host an IPv6 web page using a DNS entry
> without A record as part of those first steps towards implementing
> IPv6, and transparently combine it with ULA on local clients,
> without negatively affecting said clients' Internet access which
> is still based on IPv4 (often private addresses with NAT).
>

With my operational hat on, that feels fairly over-complicated as it
requires double the overhead in most cases, therefore will almost always
solicit a "nope, not worth the effort" from the enterprise world.


>
> In order to keep IPv6 deployment similar to IPv4, IPv6 NAT could be
> considered.  To make this work as intended, the address selection
> policy table could be adjusted to contain the local ULA prefix
> with precedence greater or equal to GUA and the same label as GUA.
> The automatic ULA row addition from RFC 6724 should then be disabled
> using the "Automatic Row Additions flag" from RFC 6724 Section 2,
> if it were implemented and enabled otherwise.
>

While not my first choice, I recognize the high likelihood of environments
requiring address translation and have tested various forms of IPv6 NAT,
which do work, but it falls right back into the issue of the option to
update said table being unavailable, because it's not required anywhere so
dual stacking with ULA is a non-starter for any useful IPv6 dual stack
deployment that involves anything remotely out of the ordinary.


> After gaining some experience with IPv6, one has a better basis
> to decide how to proceed, i.e., if GUA addresses shall be used for
> Internet access, or ULA + NAT instead.  This experience gathering
> process might include deploying IPv6 NAT, GUA on client subnets,
> IPv6 ALGs, or a combination of those.
>
> If after the first steps in IPv6 use one should decide that ULA +
> NAT shall be used instead of GUA without NAT, local policy could
> be implemented by adjusting the address selection policy table as
> described above.  Such adjustments are within the possibilities
> provided by RFC 6724.
>
> It might be helpful to ask operating system vendors for full support
> of RFC 6724, including section 10.6, i.e., automatically adding a
> local ULA /48 prefix with appropriate precedence and label to the
> address selection policy table.
>
> It might also be helpful to ask operating system vendors for
> improved administrative tools to ease adjustment of the address
> selection policy.  To support testing different variants, such
> adjustments should be possible dymanically, without needing to
> restart processes or reboot systems.  As such the GNU C Library
> (glibc) implementation that is not thread safe and thus discourages
> use of its "reload" functionality seems to show potential for
> improvement (https://man7.org/linux/man-pages/man5/gai.conf.5.html).
>
> It might even be helpful to ask operating system vendors to implement
> a simple toggle to enable or disable an address selection policy
> that caters towards ULA with IPv6 NAT (e.g., removing the policy
> table entry for fc00::/7, or changing both preference and label to
> be identical to the GUA entry ::/0).
>

Sure, but as noted in the draft (and the one of the main points we're
trying to make), is that there is a huge runway to get any usable options
in operational gear, and an impossibly long ramp up for anything ! =
mainstream Linux. Noting these shortcomings at least highlights the
significant operational gaps involved with ULA.


>
> With kind regards,
> Erik
> --
> Dipl.-Inform. Erik Auerswald
> Gesellschaft für Fundamental Generic Networking mbH
> Geschäftsführung: Volker Bauer, Jörg Mayer
> Gerichtsstand: Amtsgericht Kaiserslautern - HRB: 3630
>
ᐧ

v2.23.0 | Report a Bug | By Email