[v6ops] draft IETF91-v6ops minutes
Lee Howard <Lee@asgard.org> Thu, 13 November 2014 21:23 UTC
Return-Path: <Lee@asgard.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D60341AD5D0 for <v6ops@ietfa.amsl.com>; Thu, 13 Nov 2014 13:23:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xeoCLCsqNYhe for <v6ops@ietfa.amsl.com>; Thu, 13 Nov 2014 13:23:40 -0800 (PST)
Received: from atl4mhob17.myregisteredsite.com (atl4mhob17.myregisteredsite.com [209.17.115.110]) by ietfa.amsl.com (Postfix) with ESMTP id 5824A1AD5AB for <v6ops@ietf.org>; Thu, 13 Nov 2014 13:23:39 -0800 (PST)
Received: from mailpod.hostingplatform.com ([10.30.71.206]) by atl4mhob17.myregisteredsite.com (8.14.4/8.14.4) with ESMTP id sADLNRVr020678 for <v6ops@ietf.org>; Thu, 13 Nov 2014 16:23:27 -0500
Received: (qmail 5935 invoked by uid 0); 13 Nov 2014 21:23:27 -0000
X-TCPREMOTEIP: 31.133.167.98
X-Authenticated-UID: lee@asgard.org
Received: from unknown (HELO ?31.133.167.98?) (lee@asgard.org@31.133.167.98) by 0 with ESMTPA; 13 Nov 2014 21:23:26 -0000
User-Agent: Microsoft-MacOutlook/14.4.5.141003
Date: Thu, 13 Nov 2014 11:23:25 -1000
From: Lee Howard <Lee@asgard.org>
To: 'IPv6 Operations' <v6ops@ietf.org>
Message-ID: <D08A452D.760FE%Lee@asgard.org>
Thread-Topic: draft IETF91-v6ops minutes
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3498722607_12781117"
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/W1fkUK4O3m9rYSwteILRvUnu-A8
Subject: [v6ops] draft IETF91-v6ops minutes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Nov 2014 21:23:52 -0000
Below, my notes from this week's meetings. I'd like some review before I post them as meeting minutes. Lee IPv6 Operations IETF91 Monday, 10 November 2014 Deprecating Connection of IPv6 Domains via IPv4 Clouds (6to4) <https://tools.ietf.org/html/draft-ietf-v6ops-6to4-to-historic> Brian Carpenter Proposed as BCP, 6to4 NOT RECOMMENDED in product support, MUST disable by default, SHOULD consider dropping 6to4 relay servers, p2p 6to4 (not depending on anycast) might still be okay Dave Thaler: If we deprecate 6to4, Teredo is next in line in preference table. Opposite of what we want. Thus, do not deprecate rfc3056 (p2p mode) without also deprecating Teredo. But Xbox uses Teredo for p2p, so can¹t deprecate it yet. Lorenzo Collitti: We must show harm to deprecate p2p mode (3056). We can¹t show harm, so we shouldn¹t deprecate. Cameron: I null route 6to4 prefixes, especially 192.88.99.0/24 so it doesn¹t create half-open CGN state. Maybe need a sunset4 draft saying weird IPv4 brokenness like this will pop up. Michael Richardson: deprecate rfc3068 only, too much risk in deprecating p2p James Woodyatt: agree. Also agree that content providers should (instead of may) keep return relays running. Maybe also NAT64 ops should do. Yourtchenko: Yes, filter 192.88.99.0/24 Abramsson: Don¹t spend brain cycles on new relays Hums: Should we deprecate 3068? YES: Strong hum. Should we deprecate 3056? YES: Hum, NO: slightly stronger hum Should we recommend filtering 192.88.99.0/24? YES: Weak hum. NO: Very weak hum Should we recommend filtering 2002::/16? YES: One hum Outcome: Revise draft accordingly, then WGLC SIIT-DC Tore Anderson, remote Needs a better name than ³SIIT-DC² Needs co-authors Yourtchenko: Could also do CLAT function as bump in the API Cameron would use this, may review but couldn¹t co-author Thaler: This isn¹t a new protocol, just good use cases. Prefer the name ³Stateless NAT64². Clarify rationale for static mapping. Still need a better name. Adopt both SIIT drafts as WG? YES: Strong hum Call it stateless NAT64? Weak hum SIIT-DC? Quiet Other? Quiet Outcome: repost as draft-ietf-v6ops-siit-dc and draft-ietf-v6ops-siit-dc-2xlat. Cameron Byrne to review DHCPV6/SLAAC Interaction Bing Liu Bernie Volz: DHC WG is working on 3315-bis. (Revising dhcpv6) Lorenzo Collitti: There is no problem, just different implementations. The problem statement draft can just document what implementations do. Document undocumented-unspecified behaviors. Don¹t call it a problem statement; add more testing and give it to operators documenting these corner cases. Don¹t think we should adopt Guidance, until/unless we see real operational problems. Fred: So should the Guidance draft go to DHC to inform their update? Brian Carpenter: Disagree with everything Lorenzo said. 6renum noted that changing mechanisms really breaks stuff. Stall on Guidance doc. DHC should look at it, to make sure they don¹t make anything worse, need 6man to fix what exists now. Yourtchenko: For some of the inconsistent behaviors, we don¹t know what the ³right² behavior is. Lorenzo Collitti: If we do what Brian says, 6man will say, ³We deprecated M and O.² Ole Troan: If someone proposed a solution, we would listen to it. Barbara Stark: The ambiguity exists; document the ambiguous behavior. If you want to make it less ambiguous, go to 6man. Suresh Ramasubramanian: See rfc4861 and rfc4862 Summary: DHCPv6/SLAAC problem statement: Focus on behaviors in real implementations (and maybe rename it). Outcome: Adopt Guidance as WG doc? YES: Silence, NO: weak hum Considerations For Using Unique Local Addresses <https://tools.ietf.org/html/draft-ietf-v6ops-ula-usage-recommendations> Bing Liu Brian Carpenter: Is this consistent with what Homenet is saying? Bing: Yes, currently compatible Considerations for Running Multiple IPv6 Prefixes <https://tools.ietf.org/html/draft-liu-v6ops-running-multiple-prefixes> Sheng Jiang Erik Kline: Strike all text about IPv6 NAT Mikael Abrahamsson: work in progress at MIF, but not sure we need to say it Lorenzo Collitti: Security isn¹t unique to multiple prefixes. Specifically, let¹s not put a lot of text saying ³multiple prefixes will exhaust ND cache,² when hosts give multiple addresses anyway. Take the text out, and put it in a new document. Maybe not call attention to LLA as multiple prefixes. But if you take that out, you¹re only left with stuff MIF is still doing, and ULA. Brian: Targeted at enterprises, so it¹s different and useful. Summary: wait Introducing IPv6 vulnerability test program in Japan <https://tools.ietf.org/html/draft-jpcert-ipv6vullnerability-check> Ruri Hiromi Vyncke: all in Japanese? Yes. DOS to router or host? Outcome: not a WG document Discovery of the IPv6 Prefix in 464XLAT <https://tools.ietf.org/html/draft-wang-v6ops-xlat-prefix-discovery> No presentation IPv6 Extension Headers in the Real World <https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-in-real-world> Fernando Gont Packets with EH are often dropped. 20% drop rate for fragments 10% drops for Destination Options 40% drops for Hop-by-Hop options 25% for fragmented traffic 20-60% of drops occur at an AS other than Destination AS Thus, if you design stuff relying on EH that uses the Internet, you need a fallback mechanism Several comments about how terrible it is that people are dropping packets with EH. In a network that filters EH, there¹s a vulnerability: an attacker could send Packet Too Big, resulting in atomic fragments, which require EHs, so traffic gets dropped. Dave Thaler: dropping IPv6 EHs ³for security reasons² (to avoid DOS attacks) simply creates an alternate vulnerability (for DOS attacks) Tony Hain offers to host measurement tools, too Draft authors Jen Linkova used Atlas probes, Fernando used his own tools Eric Vyncke: can we identify the problem ASNs? Would also test on his p2p network Mike Ackerman: what can we do about it? Nalini Elkins: Is it that 90% on one network and 1% on another network are getting dropped which totals out to the percentages above? Joel Jaeggli: I have to find the L4 header, so I make edge decisions about what to drop, but they only affect me Merike Kaeo: need data on mobility and IPSec Would you like to see a data development study as a WG item? YES: hum, NO: slightly weaker hum Do we want a draft that would work through recommendation on how to configure? YES: Very weak hum, NO: even weaker Outcome: Split the document into problem measurements and recommendations Design Choices for IPv6 Networks <https://tools.ietf.org/html/draft-ietf-v6ops-design-choices> Victor Kuarsingh presenting à This needs usefulness review on NOG Dave Thaler: Right now, content doesn¹t match scope of title and abstract. It¹s okay to identify ³future work² or other documents. ULA, DHCPv6 vs SLAAC; at least say, ³Here are some design choices discussed in other documents.² Security Considerations section is TBD, do not go to WGLC SeND, SAVI, etc. etc. Jen Linkova: Say ISIS multi-topology. Saying LLA doesn¹t go beyond link turns out to be untrue. Eric Vyncke: Go to WGLC quick, before scope increases. Tighten title and abstract and go. Don¹t forget to mention EH. To do: Change title and abstract Add ULA, DHCPv6 vs SLAAC references Add Security considerations Outcome: Make those revisions, then solicit review (maybe via WGLC) A Special Purpose TLD to resolve IPv4 Address Literal on DNS64/NAT64 environments <https://tools.ietf.org/html/draft-osamu-v6ops-ipv4-literal-in-url> Hiroaki Hazeyama Dan Wing: Yes, there are still problems with IPv4 literals Andrew Sullivan: I think NAT64/DNS64 is a kludge, and we¹ve always known this was going to break. Strongly opposed to creating a special purpose TLD. If you must, use v4only.arpa Joel Jaeggli: I know of a company that embeds v4 literals in HTTP. Surprisingly often a problem in apps other than web browsers. Also may break SSL. Dave Thaler: yes, doesn¹t cover cookies. Doesn¹t mention that DNSSEC doesn¹t work. Doesn¹t mention 464xlat as an alternative. Erik Nygren: cookie problem should also be in security consideration section. If we need to do this for IPv4, consider whether we should do it for IPv6 literals. If that¹s bad, it may also be bad in IPv4. Cameron Byrne: have you tested this? I did something similar, and Apache virtual host expects name in header to be the same as the name. Maybe we should say ³IPv4 literals should go away.² As in rfc1958. Joel Jaeggli: Referring URL case where it breaks is when you expect to see the IPv4 literal. Outcome: update, and take to DNSOP Considerations on IPv6-only DNS Development <https://tools.ietf.org/html/draft-song-sunset4-ipv6only-dns> Lianjing Song Mark Andrews: Android isn¹t an IPv6-compliant node because it doesn¹t support EDNS0. 512bytes isn¹t an effective limit anyway. Erik Kline: How do you know EDNS0 works everywhere? Mark Andrews: Yes, I have been measuring EDNS0. I¹ve found exactly one server (.is) that blocks on 512bytes. Cameron Byrne: Not so much the auth servers, but it¹s the endpoint support for EDNS0. We just heard from an Android developer asking if it works. Dear DNSOP: please develop EDNS0 Happy Eyeballs. Mark Andrews: Can¹t we just get IPv6 hosts to do the right thing? Andrew Sullivan: I know there are endpoints (and proxies) that can¹t do EDNS0. Frankly, message sizes are getting bigger and people are counting on that. We can¹t come up with another kludge. If Android is broken, it¹s broken. If middleboxes are broken, they¹re also broken. Erik Kline: I would love to see EDNS0 support in Android. How many home CPEs will do bad things with this kludge, and the implied performance problem. Outcome: Take to DNSOP and SUNSET4. IPv6 Considerations for NFV Hui Deng ³Floating IP² means NAT John Brzozowski: OpenStack networking isn¹t networking, it¹s bridging large domains. Fred: See other drafts with ³openstack² in the title Outcome: Discuss on mailing list
- [v6ops] draft IETF91-v6ops minutes Lee Howard
- Re: [v6ops] draft IETF91-v6ops minutes Brian E Carpenter