IETF Logo Mail Archive

Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt

Martin Huněk <martin.hunek@tul.cz> Mon, 19 December 2022 10:30 UTC

Return-Path: <martin.hunek@tul.cz>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C3DBC14CEEA for <v6ops@ietfa.amsl.com>; Mon, 19 Dec 2022 02:30:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tul.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSKXWBMXfRY8 for <v6ops@ietfa.amsl.com>; Mon, 19 Dec 2022 02:30:31 -0800 (PST)
Received: from bubo.tul.cz (bubo.tul.cz [147.230.16.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 982ECC14F6EB for <v6ops@ietf.org>; Mon, 19 Dec 2022 02:30:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at tul.cz
Received: from asclepius.adm.tul.cz (unknown [147.230.233.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bubo.tul.cz (Postfix) with ESMTPSA id 96A2F18030D86; Mon, 19 Dec 2022 11:30:26 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 bubo.tul.cz 96A2F18030D86
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tul.cz; s=tul2021; t=1671445827; bh=sIXMpwJnjYXCCa0drLGn25S4AmIu4YKTDgIDnG+g//U=; h=From:To:Subject:Date:In-Reply-To:References:From; b=E0p4ixRj/9go2YwZPNj9yLADjyN4MjbZwBM7VCSTdV1AHyAQOpgljZTfE5U39eUTR 6SJE8hoq53w+2gTrSidBwRgHe7aUYdhVWiU2zl4A0Q2eAeGSClCa56OOCfUKMiQd0S UZflLfywJRHiOLJ/vXUpmCedAkeGCHNCh8ckKiQA3XXexVYUpUyGGhr15wDdePpyj9 je+aywVLrKH+L12zOlC+dY+z+0gG+mRrl6IxpMgGBomHfWySKF05WPA/bpfsGJ3Wnt Z1tc9T8b2+ty9VYm+dcBuTeZ9zJD2bZSB9z2n5/D+n0oIaCYyhJAGBhLpn5e9CpbU0 PqduvQuDVv7ZQ==
From: Martin Huněk <martin.hunek@tul.cz>
To: Jen Linkova <furry13@gmail.com>, v6ops@ietf.org, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>
Date: Mon, 19 Dec 2022 11:30:15 +0100
Message-ID: <2859685.e9J7NaK4W3@asclepius.adm.tul.cz>
Organization: Technická univerzita v Liberci
In-Reply-To: <c66ea3d4279c4af0808f36daec30bf46@huawei.com>
References: <167107554671.48477.568330207202509840@ietfa.amsl.com> <CAFU7BASgMkhP0r4YYhOK8_4aSGJ-AnjN8y14mZEuBaWP46=7Yw@mail.gmail.com> <c66ea3d4279c4af0808f36daec30bf46@huawei.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3204516.aeNJFYEL58"; micalg="sha384"; protocol="application/pkcs7-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/URLNib35J-5VNT9IURkTcD34hWU>
Subject: Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2022 10:30:37 -0000

Eduard, thanks for writing it to the mailing list.

I think that the document should describe on which IID a node would be reachable. I'm not necessarily saying that a node should use one fixed IID for outgoing connections or that it has to listen on fixed IID when it is not providing services, but it has to be reachable on some IPv6 address when it does so. Furthermore, this address has to be predictable for an ISP/netadmin, so it is possible to make an AAAA record for it. Without such property, it would be impossible to manage DNS for it, and it would result in IPv4-only service - the same way as in the case of SLAAC without EUI-64 and the client not supporting DHCPv6.

IMHO the IID should be something simple like all 0 (:: prefix base address), and a node MUST listen on it when it is running services that should be reachable from outside. Also, a node should probably stop asking for new prefixes if it provides services (try to keep the current prefix).

Martin

Dne pondělí 19. prosince 2022 9:21:48 CET, Vasilenko Eduard napsal(a):
> Martin made a good point that a DNS extension would be needed to register prefixes in the DNS.
> Because this solution makes it extremely difficult to update DNS for IIDs that are fully "local matter".
> Is it a new "AAAP" record? But stub resolvers are asking only "AAAA".
> On the other side, such a record would greatly decrease the load on the whole DNS infrastructure.
> Ed/
> -----Original Message-----
> From: Jen Linkova [mailto:furry13@gmail.com] 
> Sent: Friday, December 16, 2022 4:03 AM
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> Cc: V6 Ops List <v6ops@ietf.org>; draft-collink-v6ops-ent64pd@ietf.org; xiaom@google.com
> Subject: Re: [v6ops] Fwd: New Version Notification for draft-collink-v6ops-ent64pd-01.txt
> 
> On Fri, Dec 16, 2022 at 1:23 AM Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
> > I like this proposal for the SLAAC deprecation in the limited (Enterprise) domain. It would greatly help for IPv6 Enterprise adoption. DHCP's absence is the biggest issue for this market segment.
> > The solution needs a name for a short reference. Something like "DHCP prefix per host".
> >
> > 1.      What is the point to keep SLAAC if DHCP infrastructure is mandatory? I do not understand what SLAAC is left in this solution. DAD, PIO - all looks gone. In fact, this proposal is the SLAAC deprecation (despite many claims that it is not). It is visible in section 8 when discussing "SLAAC" against "prefix per host" methods.
> 
> Eventually, if the administrator of the particular network can be 100% sure that all devices support PD, the SLAAC prefix can be indeed removed from the router configuration.
> However I'd expect it would be a while till we get to that point.
> In other networks using PD might not be desirable at all (the draft has a section on applicability). I do not want it in my home network - OK, I have 10 devices, it's OK to have 100 ND entries, not a big deal.
> It's completely different in my VXLAN network, when I suddenly get 10 times more Type 2 routes.
> 
> So we are not going to deprecate SLAAC as a protocol. Some networks would be still using it. Even more, the hist itself would be using SLAAC to assign addresses from the delegated prefix.
> 
> > 2.      Choosing the IID is a fully "local matter" for this solution. The host could easily choose from /96. It is discussable how many bits are needed for good IID randomization (is 32 bits enough?).
> > It is a good opportunity to move the prefix to something much longer. It is not a problem for DHCP.
> 
> I have a number of concerns:
> - there are still devices out there which are not particularly happy with processing routes with prefix length between 65 and 126 in hardware.
> - how long would it take before /96 would become /128? ;)
> - that would require changing the address assignment logic for the device - now it's just doing SLAAC using the delegated prefix (incl.
> privacy address generation), which would complicate things and slow the adoption, probably.
> 
> 
> > 3.      The proposal would not resolve MHMP (on PA addresses): the host is still not capable of properly choosing which prefix to use. The root cause is that the next hop is chosen before the source address (by getaddrinfo()). It could be discussed separately.
> 
> The draft is solving the different problem: how to let the host to have as many addresses as the host needs/wants w/o creating scalability issues for the network.
> Multihoming issue is still here.
> 
> > 4.      It was possible to improve a little routing (aggregation) by asking the DHCP server to delegate prefixes closest (by mask) to the router interface on the link. In the case of longer prefixes (/96) - it is possible to delegate from the single /64.
> 
> Yes, the server might need to map the relay link-address field in the relay-forward message and the pool.
> 
> > it is probably needed to have two /64 for the router on the link to 
> > support the transition period of the new solution and the SLAAC at the 
> > same time.ot
> 
> I do not think it's needed.
> I configure 2001:db8::/64 on the router interface and use it for SLAAC.
> The DHCP server is instructed to allocate /64 subnets from
> 2001:db8::/46  (assigned, for example, for the guest wifi on that
> site) with the first /64 being reserved.
> 
> > 5.      The current privacy RFC is broken by this solution but it is not a problem - it may be updated later.
> 
> I do not think it's "broken". The host still uses RFC8981 for assigning addresses from /64.
> If you mean that an eavesdropper may assume that the same /64 is always the same host, Section 11 talks about that.
> 
> > Indeed, it could be v6ops RFC because it is "local matters" for hosts and routers.
> 
> A separate 6MAN document would be required indeed, but it would be the next step.
> 
> > It does not break SLAAC. It just deprecates it.
> 
> It provides an alternative for the networks which need it.
> 
> > Some sort of SLAAC replacement by DHCP.
> 
> A hybrid, taking the best of both ;)
> 
> > Exactly what many Enterprise people were demanding for a long time.
> 
> Glad to hear that you find it useful, thanks!
> 
> --
> SY, Jen Linkova aka Furry
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email