IETF Logo Mail Archive

Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 02 January 2023 03:15 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 364CAC14CF02; Sun, 1 Jan 2023 19:15:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Z9oX7HrN7en; Sun, 1 Jan 2023 19:15:00 -0800 (PST)
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5637DC14F74B; Sun, 1 Jan 2023 19:15:00 -0800 (PST)
Received: by mail-pj1-x102f.google.com with SMTP id j8-20020a17090a3e0800b00225fdd5007fso17536203pjc.2; Sun, 01 Jan 2023 19:15:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=dkIWUWybu3bEMs1kjMC7h+stGlYgl/bLAUCdFLoM7K0=; b=FsijWfPNWFf59ODk6NIO0A+/tGE0AJKtJ5WQ1CuvHyuMH+0u1NgAaZf645LfaSnwJh xv2WZnt71g/QBue9wJb3IwQKAos5KJEoJB0CCkYY2xBBkdL4uwMMqJe6DFop4GEnh8On cxasLH0dYQPXN+W4i3E+VbNl1bV3fxU1VokuzwhG5WHmKj4g/1q6UaPcNsIChaq/qGDe K0X9xA6GHqbSgEvJgHRq9bivTIk5/E08itMkF4dGstfhbkkHEVadQj+CI0N9xH0z3V0S Sv1Ns3tI5UrxDZlMoek3lArXF13fN2MyRXsFb/+gRyLrwc+o0LRvqzWfu7WCmkamyYQW jcjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=dkIWUWybu3bEMs1kjMC7h+stGlYgl/bLAUCdFLoM7K0=; b=pYNj00UWOSCPjC3W6ga/IEjrN3f/5YZxoIPFB93+hwy82iQsKi7uZQGoxxhP1AGnUf NpYkjGgZ5egiACL+s53N5fouHT35ze0peNuzIDkVuwDNTC0SFr3c/6KDipu/mmJEXucL rJymZo76ObjD1NGO6zgLbBRXHuUAmdkWEN37lA9nGmvzbvPmAiRCUKEX2tEpdWER+ivr Fme+lvZLeaSUSXlPERoXfgP1j8FgHYe4Qw6Za9fwC4Qplbn1OYz2M2YOOcz9lnur70Yj eUUr22QNpuygn6FU/XOoeeYi1WGNxVS5HhDBtIFLBf7YBBaWcPh9/t+6uQhgvadac5OJ GD4A==
X-Gm-Message-State: AFqh2kqsbsfI5ufyCVZHtFzXu3KH4uZ2vP+B8/rt9y5OHYzc9ZhPhxzV c5QyOiuJ8V7ld13PN7XyNfI=
X-Google-Smtp-Source: AMrXdXuBD5c1i1al3jWwTxMwbMHrsFDDEp4W/NX7kjxHNchX2gSD9YNbU1tlvCa2u9n5ZTKKNtSEBA==
X-Received: by 2002:a17:90a:2c48:b0:225:efd9:36 with SMTP id p8-20020a17090a2c4800b00225efd90036mr26695048pjm.34.1672629299427; Sun, 01 Jan 2023 19:14:59 -0800 (PST)
Received: from ?IPV6:2406:e003:10c2:2501:6969:5efe:7979:3937? ([2406:e003:10c2:2501:6969:5efe:7979:3937]) by smtp.gmail.com with ESMTPSA id u7-20020a17090a1d4700b00225bc0e5f19sm15933738pju.1.2023.01.01.19.14.55 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 01 Jan 2023 19:14:59 -0800 (PST)
Message-ID: <31ca0465-19c4-724c-4e31-8b6389f2e477@gmail.com>
Date: Mon, 02 Jan 2023 16:14:53 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Kevin Myers <kevin.myers@iparchitechs.com>, "buraglio@es.net" <buraglio@es.net>, Ted Lemon <mellon@fugue.com>
Cc: 6man list <ipv6@ietf.org>, David Farmer <farmer=40umn.edu@dmarc.ietf.org>, Erik Auerswald <auerswald@fg-networking.de>, Ted Lemon <elemon@apple.com>, v6ops list <v6ops@ietf.org>
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com> <BN8PR07MB70760D9693580F5BDCB61DD995F89@BN8PR07MB7076.namprd07.prod.outlook.com> <CAKD1Yr3Z9wGQ+uiA2WcW00MrOiLyHs+bSoFjHVtrixCi2qp4DA@mail.gmail.com> <BN8PR07MB7076A6456CAB48EF428D6E8695F89@BN8PR07MB7076.namprd07.prod.outlook.com> <65d0d9ac-77fc-c200-09e3-0c3949ca1541@gmail.com> <CAN-Dau2FS99ewfgH8xk-jSJFCnO92CJV9ZC98DUE2UDR7V1Eww@mail.gmail.com> <CANMZLAYbpZBDA8uFnJqfWfWTQ4S9RN4a-DqWe36qzfAfDtXiQA@mail.gmail.com> <CAN-Dau0BjRR2_7xz38DpJsz0Y=Z_8bV5n-=Eh1QUVEDzqVxmaA@mail.gmail.com> <CAPt1N1=H=eAyRu0JcHnLpZEUizDZ4Kj0VwPu=0nM=Wn+y3Ho1w@mail.gmail.com> <CAM5+tA_4rtSkgEuRUFZ2LYr6i8a7vWeKODYieVARF3RbRvgRww@mail.gmail.com> <BN8PR07MB7076DE3E745CB916FB81879595FA9@BN8PR07MB7076.namprd07.prod.outlook.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <BN8PR07MB7076DE3E745CB916FB81879595FA9@BN8PR07MB7076.namprd07.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/TdlHHUdclF4X37TS2dDEJmlG3Hk>
Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2023 03:15:04 -0000

Kevin,

While drafting some text for book6 (https://github.com/becarpenter/book6/blob/main/4.%20Security/Topology%20hiding.md) I downloaded the latest version of PCI-DSS, and noticed that it doesn't mention address obfuscation. I guess you were citing the previous version? There is no point 1.3.7 in the March 2022 version.

What it does say is this (in point 1.4.5):

"Examples
Methods to obscure IP addressing may include, but are not limited to:
• IPv4 Network Address Translation (NAT).
• Placing system components behind proxy servers/NSCs.
• Removal or filtering of route advertisements for internal networks that use registered addressing.
• Internal use of RFC 1918 (IPv4) or use IPv6 privacy extension (RFC 4941) when initiating outgoing sessions to the internet."

A shame that they cite an obsolete RFC, but it's clear that they have moved on from the previous situation.

(As a side comment, I'm very surprised that the document says essentially nothing about load balancers. As I understand things, in an installation of any size, there will always be load balancing in the path.)

Regards
    Brian Carpenter

On 28-Apr-22 06:02, Kevin Myers wrote:
> Here is some context on the question “what requirements force the use of NAT?” in PCI-DSS 4.0.
> 
> As others have noted, it’s up to the auditor to interpret this (because they bear the financial and legal liability as well as the org) to determine which aspects of PCI drive protocols like NAT – it’s not just one thing. 1.3.7 is a clear call out for the use of NAT and is the **only** reference to IPv6 in over 300 pages of the PCI-DSS standard which was just updated in March 2022 and probably won’t be again for another 2 to 4 years. The single mention of IPv6 is also not cleanly reconciled against the other requirements nor is it on the radar of most any of the auditors and existing processes.
> 
> To give a more recent example from a large financial enterprise we currently do the global DC design for - here are some of the PCI sections we had to reference that required this org to use NAT and RFC1918 to pass their audit.
> 
> PCI 1.4.1 is one of the more common call outs for NAT + RFC1918 as the auditors interpret them.
> 
> 
> 
> It advocates for the use of a DMZ that will control access between untrusted networks (generally interpreted as the Internet as well as Non-PCI internal networks) and is often combined with 1.3.7’s requirement for address obfuscation. From a network engineering standpoint as the auditors see it, the enterprise DC must have:
> 
> 1. An NSC – Network Security Device to form the DMZ and provide NAT (ref 1.4)
> 2. NAT as part of the 1.4.1 control for trusted to untrusted (and to satisfy address obfuscation - ref 1.3.7)
> 3. Rulesets that prohibit untrusted to trusted communication except for authorized systems. (1.3.1 and 1.3.2)
> 
> Again to align this to real world ops – this is exactly what we had to implement for the fintech org I’m using as an a example and satisfy the auditor’s requirements.
> 
> Clearly, we can technically achieve all of these in an IPv6 network without the use of RFC1918 or NAT – that’s not the challenge. The problem is that the auditors (again – these are accountants and biz people) have a framework that’s been developed around RFC1918 and NAT to sign off on a PCI compliant network for these sections.
> 
> But it gets a bit harder, here's where things get murky for IPv6 without NAT in 1.4.4
> 
> 
> 1.4.4 states “System components that store cardholder data are NOT directly accessible from untrusted networks.” Most auditors also interpret 1.4.4 as a requirement for NAT in the DMZ and puts IPv6 “end to end” connectivity in direct conflict with audit compliance. Not only does it imply NAT, it also is interpreted by the auditors to mean non-publicly routable space in the trusted zone. The technical definition of “direct accessibility” as we would view it in network engineering is irrelevant to the average auditor because they have a list of acceptable ways to solve this and IPv6 end to end isn’t on that list – however RFC1918 and NAT very much are.
> 
> To sum up, that’s three different sections that would require an exception and compensating control from the auditor to implement IPv6. Not only do exceptions risk audit non-compliance, exceptions also cost exorbitant amounts of money for the org to justify with the auditor. As David Farmer correctly pointed out, exceptions are the kiss of death in audit land – no enterprise will push for multiple exceptions when a viable alternative (from the PoV of the enterprise and auditor) is available – in this case it’s RFC1918 and NAT. As for the question around RFC4864 and updating it, I need to dig into that beyond the abstract and give it some thought as it would apply to the Enterprise I’m referencing in this example.
> 
> This is a bit of a glimpse into why companies that are bound by PCI compliance aren’t rushing to go put IPv6 into their networks without transition technologies like NAT.
> 
> *From:* v6ops <v6ops-bounces@ietf.org> *On Behalf Of * Nick Buraglio
> *Sent:* Monday, April 25, 2022 7:50 PM
> *To:* Ted Lemon <mellon@fugue.com>
> *Cc:* 6man list <ipv6@ietf.org>; David Farmer <farmer=40umn.edu@dmarc.ietf.org>; Erik Auerswald <auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>; v6ops list <v6ops@ietf.org>
> *Subject:* Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
> 
> With PCI it seems to be all about the auditor. Kevin definitely knows this experience inside out, he personally and his company have been neck deep in this stuff for a long time.
> 
> nb
> 
> On Mon, Apr 25, 2022 at 19:47 Ted Lemon <mellon@fugue.com <mailto:mellon@fugue.com>> wrote:
> 
>     That requirement requires that servers' (doesn't say what sort of servers, I assume that's specified elsewhere) IP addresses can't be visible to whatever is using the server. NAT is about the least safe way to accomplish this goal. They explicitly mention several other ways, and do not mention NAT at all. Sounds fishy.
> 
>     Note that these same people as far as I know /still/ allow TLS 1.1. Which suggests to me that exceptions are easy if they are exceptions the examiner is accustomed to, irrespective of whether those exceptions are more or less risky than other exceptions the examiner is not accustomed to.
> 
>     On Mon, Apr 25, 2022 at 8:38 PM David Farmer <farmer=40umn.edu@dmarc.ietf.org <mailto:40umn.edu@dmarc.ietf.org>> wrote:
> 
>         I’ve asked that too and have never received an answer, I always get pointed requirement 1.3.7, that is it.
> 
>         Sorry, I can’t be more helpful.
> 
>         On Mon, Apr 25, 2022 at 18:58 Brian Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
> 
>             No, I explicitly don't want to look at audit rules. I want someone who understands them to explain what the functional requirements are. NAT is not a functional requirement.
> 
>             Regards,
>                  Brian Carpenter
>                  (via tiny screen & keyboard)
> 
>             On Tue, 26 Apr 2022, 11:06 David Farmer, <farmer@umn.edu <mailto:farmer@umn.edu>> wrote:
> 
>                 You want to look at PCI DSS 3.2 requirement 1.3.7.
> 
>                 Compensating controls is an option, but auditors have to sign off on them, and the whole process is about minimizing exceptions and getting a clean audit. IT isn't in charge of this, finance people are, it's not technical, it's all about the money, and numbers with 7 or 8 significant digits or more.
> 
>                 I've been on that the merry-go-round several times, I believe in IPv6 E2E, but if anyone asks me just do NPTv6 or NAT66, whatever the auditor wants you to do.
> 
>                 Have fun on the merry-go-round, I'll pass.
> 
>                 Thanks
> 
>                 On Mon, Apr 25, 2022 at 5:32 PM Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
> 
>                     Kevin,
> 
>                      > Auditing frameworks and auditors are just not ready for IPv6 and without migration strategies like NAT, they'll have no reason to be because IPv4 will continue to dominate.
> 
>                     You're describing a vicious circle, and the question is how can we break it?
> 
>                     Advocating NPTv6 might achieve that, but many of us dislike that strategy.
> 
>                     Can you explain what are the technical requirements in PCI-DSS land that have been interpreted as requiring NAT44? Is it time for RFC4864bis, because this is exactly what we were aiming at with that RFC?
> 
>                     Regards
>                          Brian Carpenter
> 
>                     On 25-Apr-22 17:34, Kevin Myers wrote:
>                      > This misses the problem entirely though.
>                      >
>                      > It's not a choice to reconsider, these are regulatory requirements. The
>                     fact that a handful of enterprises have deployed IPv6 doesn't move the needle on compliance for the vast majority of them.
>                      >
>                      > No retail enterprise is going to choose IPv6 without NAT internally if it means not being permitted to use credit cards because of a failed PCI-DSS audit.
>                      >
>                      > Auditing frameworks and auditors are just not ready for IPv6 and without migration strategies like NAT, they'll have no reason to be because IPv4 will continue to dominate.
>                      >
>                      >
>                     ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>                      > *From:* Lorenzo Colitti <lorenzo@google.com <mailto:lorenzo@google.com>>
>                      > *Sent:* Sunday, April 24, 2022, 11:27 PM
>                      > *To:* Kevin Myers <kevin.myers@iparchitechs.com <mailto:kevin.myers@iparchitechs.com>>
>                      > *Cc:* Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>>; Erik Auerswald <auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>>; Ted Lemon <elemon@apple.com <mailto:elemon@apple.com>>; v6ops list <v6ops@ietf.org <mailto:v6ops@ietf.org>>; 6man list <ipv6@ietf.org <mailto:ipv6@ietf.org>>
>                      > *Subject:* Re: [v6ops] ULA precedence [Thoughts about wider operational
>                     input]
>                      >
>                      > There are several fortune 500 companies that have publicly stated that they have deployed IPv6 with global addressing, so that's definitely possible.
>                      >
>                      > As for "is it better to deploy IPv6 with NAT66 or not to deploy at all", I would guess it depends who you ask. My personal answer would be no. It's possible that when faced with app and OS incompatibilities, those enterprises might reconsider. Or they might pick the same technical solutions as the enterprises that have already deployed with global addresses.
>                      >
>                      > On Mon, Apr 25, 2022 at 12:42 PM Kevin Myers <kevin.myers@iparchitechs.com <mailto:kevin.myers@iparchitechs.com> <mailto:kevin.myers@iparchitechs.com <mailto:kevin.myers@iparchitechs.com>>> wrote:
>                      >
>                      >     IPv6 NAT is already being deployed in large enterprises for the few
>                     that want to tackle IPv6. Vendor implementations exist, so that ship has sailed regardless of where the IETF lands.
>                      >
>                      >     Most of the Fortune 500 fall under regulatory compliance of one body or another (PCI-DSS, FIPS, HIPAA, etc) and none of them are setup well for an IPv6 no-NAT world. Most of the discussion I see around enterprise adoption on the IETF lists misses this point. It matters very little whether NAT is a "good" or "bad" practice when it comes to selecting an operational model. Enterprises choose operational models that will pass audits
>                     and the overwhelming majority rely heavily on NAT.  We can make the argument that compliance bodies and auditors should update their guidance
>                     and standards and they absolutely should, but it will probably take close
>                     to a decade to change the regulatory compliance auditing landscape to the
>                     point that IPv6 without NAT is commonplace.
>                      >
>                      >     If auditors won't sign off on end to end GUA addressing, then NAT is going to remain.
>                      >
>                      >     Enterprises are more than willing to punt IPv6 for another decade and will likely have no issues in doing so given how little IPv4 space most of them need compared to service providers. Even when IPv6 becomes the predominant transport type for an Internet handoff everywhere, it will still just live in the underlay while IPv4 remains the predominant choice in the overlay, in apps,  and internally in the DC for enterprises.
>                      >
>                      >     At what point does it become more important to have IPv6 implemented, than to have it "perfectly" implemented?
>                      >
>                      >     Kevin Myers
>                      >     Sr. Network Architect
>                      >     IP ArchiTechs
>                      >
>                      >     -----Original Message-----
>                      >     From: v6ops <v6ops-bounces@ietf.org <mailto:v6ops-bounces@ietf.org> <mailto:v6ops-bounces@ietf.org <mailto:v6ops-bounces@ietf.org>>> On Behalf Of Brian E Carpenter
>                      >     Sent: Sunday, April 24, 2022 9:48 PM
>                      >     To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org> <mailto:40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>>>; Erik Auerswald <auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>
>                     <mailto:auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>>>; Ted Lemon <elemon@apple.com <mailto:elemon@apple.com> <mailto:elemon@apple.com <mailto:elemon@apple.com>>>
>                      >     Cc: v6ops list <v6ops@ietf.org <mailto:v6ops@ietf.org> <mailto:v6ops@ietf.org <mailto:v6ops@ietf.org>>>; 6man list <ipv6@ietf.org <mailto:ipv6@ietf.org> <mailto:ipv6@ietf.org <mailto:ipv6@ietf.org>>>
>                      >     Subject: Re: [v6ops] ULA precedence [Thoughts about wider operational input]
>                      >
>                      >     On 25-Apr-22 12:16, Lorenzo Colitti wrote:
>                      >      > On Mon, Apr 25, 2022 at 2:28 AM Erik Auerswald <auerswald@fg-networking.de <mailto:auerswald@fg-networking.de> <mailto:auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>> <mailto:auerswald@fg-networking.de <mailto:auerswald@fg-networking.de> <mailto:auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>>>> wrote:
>                      >      >
>                      >      >       "Since ULAs are defined to have a /48 site prefix, an implementation
>                      >      >        might choose to add such a row automatically on a machine with
>                      >      >        a ULA."
>                      >      >
>                      >      >     The result is that only the local ULA prefix,
>                     i.e., exactly the
>                      >      >     local IPv6 addresses, are preferred over IPv4
>                     (and IPv6 GUA).
>                      >      >     This should be exactly what is needed to use ULA addresses inside
>                      >      >     an organization, or for a lab.
>                      >      >     [...]
>                      >      >     Implementing the non-normative suggestion from Section 10.6 of RFC
>                      >      >     6724 would in all likelihood result in making
>                     ULA usable for local
>                      >      >     tests and even first steps in deploying IPv6.  ULA addresses would
>                      >      >     only be used locally.  Existing IPv4 based Internet access would not
>                      >      >     be impaired by adding IPv6 ULA.
>                      >      >
>                      >      >
>                      >      > That does seem like it might make ULA more useful, yes.
>                      >      >
>                      >      > Additionally, maybe we could clarify that the longest-prefix match rule
>                      >     does not apply to ULAs outside the same /48? I think that would fix
>                     the issue observed by +Ted Lemon <mailto:elemon@apple.com <mailto:elemon@apple.com> <mailto:elemon@apple.com <mailto:elemon@apple.com>>> in home networks: https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00 <https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>
>                     <https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00 <https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>> <https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00 <https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00> <https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00 <https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>>> .
>                      >
>                      >     When two networks each with its own ULA prefix are intentionally merged, longest match would be the right thing, wouldn't it? (Assuming that
>                     the split DNSs are also merged, and of course internal routing.) In that case there is no "foreign" ULA prefix.
>                      >
>                      >      >     In order to keep IPv6 deployment similar to IPv4, IPv6 NAT could be
>                      >      >     considered.  To make this work as intended, the address selection
>                      >      >     policy table could be adjusted to contain the
>                     local ULA prefix
>                      >      >     with precedence greater or equal to GUA and the same label as GUA.
>                      >      >
>                      >      >
>                      >      > This seems like it would encourage the use of IPv6 NAT. I think there is reasonably strong consensus within the IETF that that is not the
>                     right way to go, because it pushes problems on to application developers.
>                     This adds costs for NAT traversal software development and maintenance, and requires devices to implement NAT keepalives, increasing battery usage.
>                      >
>                      >     That may be the IETF's consensus, but there is a very large fraction of the enterprise network operations community that strongly disagrees,
>                     and in fact regards this as a red line issue. It isn't even clear that they'd accept NPTv6 as an alternative to NAPT66. If this is indeed the only
>                     way to get IPv6 inside enterprises, what is the right thing for the IETF to do?
>                      >
>                      >             Brian
>                      >
>                      >     _______________________________________________
>                      >     v6ops mailing list
>                      > v6ops@ietf.org <mailto:v6ops@ietf.org> <mailto:v6ops@ietf.org <mailto:v6ops@ietf.org>>
>                      > https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops> <https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>>
>                      >
>                      >
> 
>                     _______________________________________________
>                     v6ops mailing list
>                     v6ops@ietf.org <mailto:v6ops@ietf.org>
>                     https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
> 
> 
>                 -- 
> 
>                 ===============================================
>                 David Farmer Email:farmer@umn.edu <mailto:Email%3Afarmer@umn.edu>
>                 Networking & Telecommunication Services
>                 Office of Information Technology
>                 University of Minnesota
>                 2218 University Ave SE <https://www.google.com/maps/search/2218+University+Ave+SE?entry=gmail&source=g>        Phone: 612-626-0815
>                 Minneapolis, MN 55414-3029   Cell: 612-812-9952
>                 ===============================================
> 
>         -- 
> 
>         ===============================================
>         David Farmer Email:farmer@umn.edu <mailto:Email%3Afarmer@umn.edu>
>         Networking & Telecommunication Services
>         Office of Information Technology
>         University of Minnesota
>         2218 University Ave SE <https://www.google.com/maps/search/2218+University+Ave+SE?entry=gmail&source=g>        Phone: 612-626-0815
>         Minneapolis, MN 55414-3029   Cell: 612-812-9952
>         ===============================================
> 
>         _______________________________________________
>         v6ops mailing list
>         v6ops@ietf.org <mailto:v6ops@ietf.org>
>         https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
> 
>     _______________________________________________
>     v6ops mailing list
>     v6ops@ietf.org <mailto:v6ops@ietf.org>
>     https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
> 
> -- 
> 
> ---
> Nick Buraglio
> 
> Planning and Architecture
> Energy Sciences Network
> +1 (510) 995-6068
> 
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email