Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]

Ted Lemon <mellon@fugue.com> Tue, 26 April 2022 00:47 UTC

References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com> <BN8PR07MB70760D9693580F5BDCB61DD995F89@BN8PR07MB7076.namprd07.prod.outlook.com> <CAKD1Yr3Z9wGQ+uiA2WcW00MrOiLyHs+bSoFjHVtrixCi2qp4DA@mail.gmail.com> <BN8PR07MB7076A6456CAB48EF428D6E8695F89@BN8PR07MB7076.namprd07.prod.outlook.com> <65d0d9ac-77fc-c200-09e3-0c3949ca1541@gmail.com> <CAN-Dau2FS99ewfgH8xk-jSJFCnO92CJV9ZC98DUE2UDR7V1Eww@mail.gmail.com> <CANMZLAYbpZBDA8uFnJqfWfWTQ4S9RN4a-DqWe36qzfAfDtXiQA@mail.gmail.com> <CAN-Dau0BjRR2_7xz38DpJsz0Y=Z_8bV5n-=Eh1QUVEDzqVxmaA@mail.gmail.com>
In-Reply-To: <CAN-Dau0BjRR2_7xz38DpJsz0Y=Z_8bV5n-=Eh1QUVEDzqVxmaA@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 25 Apr 2022 20:46:23 -0400
Message-ID: <CAPt1N1=H=eAyRu0JcHnLpZEUizDZ4Kj0VwPu=0nM=Wn+y3Ho1w@mail.gmail.com>
To: David Farmer <farmer=40umn.edu@dmarc.ietf.org>
Cc: Brian Carpenter <brian.e.carpenter@gmail.com>, v6ops list <v6ops@ietf.org>, 6man list <ipv6@ietf.org>, Ted Lemon <elemon@apple.com>, Erik Auerswald <auerswald@fg-networking.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/UgE5UqMEmoCxFQbSDyyJq6Q9-hE>
Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]

That requirement requires that servers' (doesn't say what sort of servers,
I assume that's specified elsewhere) IP addresses can't be visible to
whatever is using the server. NAT is about the least safe way to accomplish
this goal. They explicitly mention several other ways, and do not mention
NAT at all. Sounds fishy.

Note that these same people as far as I know /still/ allow TLS 1.1. Which
suggests to me that exceptions are easy if they are exceptions the examiner
is accustomed to, irrespective of whether those exceptions are more or less
risky than other exceptions the examiner is not accustomed to.

On Mon, Apr 25, 2022 at 8:38 PM David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:

> I’ve asked that too and have never received an answer, I always get
> pointed to requirement 1.3.7, that is it.
>
> Sorry, I can’t be more helpful.
>
> On Mon, Apr 25, 2022 at 18:58 Brian Carpenter <brian.e.carpenter@gmail.com>
> wrote:
>
>> No, I explicitly don't want to look at audit rules. I want someone who
>> understands them to explain what the functional requirements are. NAT is
>> not a functional requirement.
>>
>> Regards,
>>     Brian Carpenter
>>     (via tiny screen & keyboard)
>>
>> On Tue, 26 Apr 2022, 11:06 David Farmer, <farmer@umn.edu> wrote:
>>
>>> You want to look at PCI DSS 3.2 requirement 1.3.7.
>>> [image: image.png]
>>>
>>> Compensating controls is an option, but auditors have to sign off on
>>> them, and the whole process is about minimizing exceptions and getting a
>>> clean audit. IT isn't in charge of this, finance people are, it's not
>>> technical, it's all about the money, and numbers with 7 or 8 significant
>>> digits or more.
>>>
>>> I've been on that merry-go-round several times, I believe in IPv6
>>> E2E, but if anyone asks me, just do NPTv6 or NAT66, whatever the
>>> auditor wants you to do.
>>>
>>> Have fun on the merry-go-round, I'll pass.
>>>
>>> Thanks
>>>
>>>> On Mon, Apr 25, 2022 at 5:32 PM Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>>>
>>>> Kevin,
>>>>
>>>> > Auditing frameworks and auditors are just not ready for IPv6 and
>>>> without migration strategies like NAT, they'll have no reason to be because
>>>> IPv4 will continue to dominate.
>>>>
>>>> You're describing a vicious circle, and the question is how can we
>>>> break it?
>>>>
>>>> Advocating NPTv6 might achieve that, but many of us dislike that
>>>> strategy.
>>>>
>>>> Can you explain what are the technical requirements in PCI-DSS land
>>>> that have been interpreted as requiring NAT44? Is it time for RFC4864bis,
>>>> because this is exactly what we were aiming at with that RFC?
>>>>
>>>> Regards
>>>>     Brian Carpenter
>>>>
>>>> On 25-Apr-22 17:34, Kevin Myers wrote:
>>>> > This misses the problem entirely though.
>>>> >
>>>> > It's not a choice to reconsider, these are regulatory requirements.
>>>> > The fact that a handful of enterprises have deployed IPv6 doesn't move
>>>> > the needle on compliance for the vast majority of them.
>>>> >
>>>> > No retail enterprise is going to choose IPv6 without NAT internally
>>>> if it means not being permitted to use credit cards because of a failed
>>>> PCI-DSS audit.
>>>> >
>>>> > Auditing frameworks and auditors are just not ready for IPv6 and
>>>> without migration strategies like NAT, they'll have no reason to be because
>>>> IPv4 will continue to dominate.
>>>> >
>>>> >
>>>> ------------------------------------------------------------------------
>>>> > *From:* Lorenzo Colitti <lorenzo@google.com>
>>>> > *Sent:* Sunday, April 24, 2022, 11:27 PM
>>>> > *To:* Kevin Myers <kevin.myers@iparchitechs.com>
>>>> > *Cc:* Brian E Carpenter <brian.e.carpenter@gmail.com>; Erik
>>>> Auerswald <auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>;
>>>> v6ops list <v6ops@ietf.org>; 6man list <ipv6@ietf.org>
>>>> > *Subject:* Re: [v6ops] ULA precedence [Thoughts about wider
>>>> > operational input]
>>>> >
>>>> > There are several fortune 500 companies that have publicly stated
>>>> that they have deployed IPv6 with global addressing, so that's definitely
>>>> possible.
>>>> >
>>>> > As for "is it better to deploy IPv6 with NAT66 or not to deploy at
>>>> all", I would guess it depends who you ask. My personal answer would be no.
>>>> It's possible that when faced with app and OS incompatibilities, those
>>>> enterprises might reconsider. Or they might pick the same technical
>>>> solutions as the enterprises that have already deployed with global
>>>> addresses.
>>>> >
>>>> > On Mon, Apr 25, 2022 at 12:42 PM Kevin Myers <kevin.myers@iparchitechs.com> wrote:
>>>> >
>>>> >     IPv6 NAT is already being deployed in large enterprises for the
>>>> >     few that want to tackle IPv6. Vendor implementations exist, so that
>>>> >     ship has sailed regardless of where the IETF lands.
>>>> >
>>>> >     Most of the Fortune 500 fall under regulatory compliance of one
>>>> >     body or another (PCI-DSS, FIPS, HIPAA, etc) and none of them are
>>>> >     set up well for an IPv6 no-NAT world. Most of the discussion I see
>>>> >     around enterprise adoption on the IETF lists misses this point. It
>>>> >     matters very little whether NAT is a "good" or "bad" practice when
>>>> >     it comes to selecting an operational model. Enterprises choose
>>>> >     operational models that will pass audits and the overwhelming
>>>> >     majority rely heavily on NAT.  We can make the argument that
>>>> >     compliance bodies and auditors should update their guidance and
>>>> >     standards and they absolutely should, but it will probably take
>>>> >     close to a decade to change the regulatory compliance auditing
>>>> >     landscape to the point that IPv6 without NAT is commonplace.
>>>> >
>>>> >     If auditors won't sign off on end to end GUA addressing, then NAT
>>>> is going to remain.
>>>> >
>>>> >     Enterprises are more than willing to punt IPv6 for another decade
>>>> and will likely have no issues in doing so given how little IPv4 space most
>>>> of them need compared to service providers. Even when IPv6 becomes the
>>>> predominant transport type for an Internet handoff everywhere, it will
>>>> still just live in the underlay while IPv4 remains the predominant choice
>>>> in the overlay, in apps,  and internally in the DC for enterprises.
>>>> >
>>>> >     At what point does it become more important to have IPv6
>>>> implemented, than to have it "perfectly" implemented?
>>>> >
>>>> >     Kevin Myers
>>>> >     Sr. Network Architect
>>>> >     IP ArchiTechs
>>>> >
>>>> >     -----Original Message-----
>>>> >     From: v6ops <v6ops-bounces@ietf.org> On Behalf Of Brian E Carpenter
>>>> >     Sent: Sunday, April 24, 2022 9:48 PM
>>>> >     To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>; Erik
>>>> >     Auerswald <auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>
>>>> >     Cc: v6ops list <v6ops@ietf.org>; 6man list <ipv6@ietf.org>
>>>> >     Subject: Re: [v6ops] ULA precedence [Thoughts about wider
>>>> >     operational input]
>>>> >
>>>> >     On 25-Apr-22 12:16, Lorenzo Colitti wrote:
>>>> >      > On Mon, Apr 25, 2022 at 2:28 AM Erik Auerswald <auerswald@fg-networking.de> wrote:
>>>> >      >
>>>> >      >       "Since ULAs are defined to have a /48 site prefix, an
>>>> >      >        implementation might choose to add such a row automatically
>>>> >      >        on a machine with a ULA."
>>>> >      >
>>>> >      >     The result is that only the local ULA prefix, i.e., exactly the
>>>> >      >     local IPv6 addresses, are preferred over IPv4 (and IPv6 GUA).
>>>> >      >     This should be exactly what is needed to use ULA addresses
>>>> >      >     inside an organization, or for a lab.
>>>> >      >     [...]
>>>> >      >     Implementing the non-normative suggestion from Section 10.6 of
>>>> >      >     RFC 6724 would in all likelihood result in making ULA usable
>>>> >      >     for local tests and even first steps in deploying IPv6.  ULA
>>>> >      >     addresses would only be used locally.  Existing IPv4 based
>>>> >      >     Internet access would not be impaired by adding IPv6 ULA.
>>>> >      >
>>>> >      >
>>>> >      > That does seem like it might make ULA more useful, yes.
>>>> >      >
>>>> >      > Additionally, maybe we could clarify that the longest-prefix
>>>> >      > match rule does not apply to ULAs outside the same /48? I think
>>>> >      > that would fix the issue observed by +Ted Lemon <elemon@apple.com>
>>>> >      > in home networks:
>>>> >      > https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
>>>> >
>>>> >     When two networks each with its own ULA prefix are intentionally
>>>> merged, longest match would be the right thing, wouldn't it? (Assuming that
>>>> the split DNSs are also merged, and of course internal routing.) In
>>>> that case there is no "foreign" ULA prefix.
>>>> >
>>>> >      >     In order to keep IPv6 deployment similar to IPv4, IPv6 NAT
>>>> >      >     could be considered.  To make this work as intended, the
>>>> >      >     address selection policy table could be adjusted to contain
>>>> >      >     the local ULA prefix with precedence greater or equal to GUA
>>>> >      >     and the same label as GUA.
>>>> >      >
>>>> >      >
>>>> >      > This seems like it would encourage the use of IPv6 NAT. I
>>>> >      > think there is reasonably strong consensus within the IETF that
>>>> >      > that is not the right way to go, because it pushes problems on to
>>>> >      > application developers. This adds costs for NAT traversal software
>>>> >      > development and maintenance, and requires devices to implement
>>>> >      > NAT keepalives, increasing battery usage.
>>>> >
>>>> >     That may be the IETF's consensus, but there is a very large
>>>> >     fraction of the enterprise network operations community that
>>>> >     strongly disagrees, and in fact regards this as a red line issue. It
>>>> >     isn't even clear that they'd accept NPTv6 as an alternative to
>>>> >     NAPT66. If this is indeed the only way to get IPv6 inside
>>>> >     enterprises, what is the right thing for the IETF to do?
>>>> >
>>>> >             Brian
>>>> >
>>>> >     _______________________________________________
>>>> >     v6ops mailing list
>>>> >     v6ops@ietf.org
>>>> >     https://www.ietf.org/mailman/listinfo/v6ops
>>>> >
>>>> >
>>>>
>>>> _______________________________________________
>>>> v6ops mailing list
>>>> v6ops@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>
>>>
>>>
>>> --
>>> ===============================================
>>> David Farmer               Email:farmer@umn.edu
>>> Networking & Telecommunication Services
>>> Office of Information Technology
>>> University of Minnesota
>>> 2218 University Ave SE        Phone: 612-626-0815
>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>> ===============================================
>>>
>> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
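The RFC 6724 policy-table mechanics that the quoted exchange turns on (Erik Auerswald's reading of the Section 10.6 suggestion to add a row for the host's own ULA /48, and Lorenzo Colitti's question about longest-prefix matching against foreign ULAs) are easier to reason about with the rules written out. The block below is an added example, not code from the thread or from any of its participants: it implements the default policy table from RFC 6724 Section 2.1 together with source selection reduced to Rule 6 (matching label) and Rule 8 (longest matching prefix), and destination ordering reduced to Rule 5 (matching label), Rule 6 (precedence) and Rule 9 (longest match). The host's address set, the destination addresses, and the precedence/label values 45/14 chosen for the local-ULA row are constructed for illustration; the RFC does not mandate those two numbers, and the other selection rules (scope, deprecation, outgoing interface) are deliberately left out.

```python
"""RFC 6724 address selection, reduced to the rules the ULA discussion turns on.

Constructed example: the host below holds a GUA, its own ULA (site prefix
fd00:1111:2222::/48) and an IPv4 address. Every address here is documentation
space or a constructed ULA; none comes from the mailing-list thread.
"""
import ipaddress

# RFC 6724 Section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128",       50,  0),
    ("::/0",          40,  1),
    ("::ffff:0:0/96", 35,  4),
    ("2002::/16",     30,  2),
    ("2001::/32",      5,  5),
    ("fc00::/7",       3, 13),
    ("::/96",          1,  3),
    ("fec0::/10",      1, 11),
    ("3ffe::/16",      1, 12),
]

# Constructed host: GUA, own ULA, IPv4.
HOST_ADDRS = ["2001:db8:1::1", "fd00:1111:2222::1", "192.0.2.10"]


def as_v6(addr):
    """Normalise to IPv6; IPv4 becomes IPv4-mapped (::ffff:a.b.c.d), as RFC 6724 does."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:%s" % a) if a.version == 4 else a


def lookup(policy, addr):
    """Longest-prefix match in the policy table; returns (precedence, label)."""
    a = as_v6(addr)
    rows = [(ipaddress.IPv6Network(p).prefixlen, prec, label)
            for p, prec, label in policy if a in ipaddress.IPv6Network(p)]
    _, prec, label = max(rows, key=lambda r: r[0])   # ::/0 always matches
    return prec, label


def common_prefix_len(a, b):
    """Leading bits two addresses share (0..128). RFC 6724 caps this at the
    source's subnet prefix length; that cap is not modelled here (assumption:
    the cases below differ within the first 48 bits or are identical)."""
    x = int(as_v6(a)) ^ int(as_v6(b))
    return 128 - x.bit_length()


def select_source(policy, sources, dest):
    """RFC 6724 Section 5 reduced to Rule 6 (prefer matching label) and Rule 8
    (longest matching prefix). Only same-family candidates are considered;
    scope, deprecation and interface rules are out of scope for this example."""
    d = as_v6(dest)
    cands = [s for s in sources
             if (as_v6(s).ipv4_mapped is None) == (d.ipv4_mapped is None)]
    _, dlabel = lookup(policy, dest)
    return max(cands, key=lambda s: (lookup(policy, s)[1] == dlabel,
                                     common_prefix_len(s, dest)))


def order_destinations(policy, sources, dests):
    """RFC 6724 Section 6 reduced to Rule 5 (matching label), Rule 6 (higher
    precedence) and Rule 9 (longest match with the chosen source); ties keep
    the input order (Rule 10). Returns destinations, most preferred first."""
    def key(d):
        s = select_source(policy, sources, d)
        prec, dlabel = lookup(policy, d)
        return (lookup(policy, s)[1] == dlabel, prec, common_prefix_len(s, d))
    return sorted(dests, key=key, reverse=True)


def with_local_ula_row(policy, ula_prefix, precedence=45, label=14):
    """Prepend the row RFC 6724 Section 10.6 suggests for the host's own ULA /48.
    Precedence 45 (above IPv4's 35) and label 14 are this example's choices,
    not values the RFC prescribes."""
    net = ipaddress.IPv6Network(ula_prefix)
    if net.prefixlen != 48:
        raise ValueError("ULA site prefixes are /48 (RFC 4193)")
    return [(str(net), precedence, label)] + list(policy)


if __name__ == "__main__":
    local = with_local_ula_row(DEFAULT_POLICY, "fd00:1111:2222::/48")
    local_srv = ["fd00:1111:2222:5::9", "198.51.100.7"]   # own-site server, dual-stack
    foreign_srv = ["fd00:9999:8888::1", "198.51.100.7"]   # someone else's ULA + IPv4
    for name, pol in (("default table", DEFAULT_POLICY), ("with 10.6 row", local)):
        print(name)
        print("  local server ->", order_destinations(pol, HOST_ADDRS, local_srv))
        print("  foreign ULA  ->", order_destinations(pol, HOST_ADDRS, foreign_srv))
        print("  source for foreign ULA:", select_source(pol, HOST_ADDRS, foreign_srv[0]))
```

With the default table the local ULA destination loses to IPv4 on Rule 6 (precedence 3 against 35); with the /48 row it wins (45 against 35) while a foreign ULA still sorts below IPv4, which is the "IPv4 access not impaired" property described in the quoted text. The same run also shows the limit of that row: when the destination is a foreign ULA, source selection still picks the host's own ULA, because no source matches the destination's label and Rule 8 then prefers the 16 shared leading bits of fd00:... over the GUA's zero. That is the situation the "does not apply to ULAs outside the same /48" question in the thread is about; the 10.6 row alone does not change it.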