IETF Logo Mail Archive

Re: [v6ops] Thoughts about wider operational input

"Ackermann, Michael" <MAckermann@bcbsm.com> Fri, 01 April 2022 21:01 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12B0D3A08BE for <v6ops@ietfa.amsl.com>; Fri, 1 Apr 2022 14:01:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=MAckermann@bcbsm.com header.d=bcbsm.com; dkim=pass (1024-bit key) header.d=bcbsm.com header.b=DJSKGLFQ; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=bcbsm.onmicrosoft.com header.b=jMLY/PcD
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mp_hEZnoacbp for <v6ops@ietfa.amsl.com>; Fri, 1 Apr 2022 14:00:55 -0700 (PDT)
Received: from mx.z120.zixworks.com (bcbsm.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D7833A07CD for <v6ops@ietf.org>; Fri, 1 Apr 2022 14:00:30 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id 3F9ABC0DBA8F for <v6ops@ietf.org>; Fri, 1 Apr 2022 16:00:30 -0500 (CDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ZIXVPM1670e2ded26; d=bcbsm.com; h=From:To:Subject:Date; b=CEyT0A8a/FbuIkCwYmpE4bcnBwIqRRVB9FaG3RpTsK7E7GWmJzChlUJTpetbVKf+ V1V8GYlmk+SAOrUluczQP5dzs8jZg7bK4YmCdDb7TvH5dXZgeKLLhWMy3QV3Vm 4X3G6CEwQYxHTptwasq95x3RUA8BiPY37UGbAkqKpGTbQ=;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.com; s=ZIXVPM1670e2ded26; t=1648846830; bh=bWE+QUxt/sR4UwWrAjmHbfM2zwE6+kMbJATDrNSEZMc=; h=From:To:Subject:Date; b=DJSKGLFQRbY1cHsZ3ZT3TGoOExPMFClxmciur8gFW9J/oSdOqcOW7KdyhlTNIApmX op3AEBGwNPeOeBofiR7ni2IpDHZzasqB2Rf00kyJnU3cq0/bFaTpZPO7Vg6QBctcLU Kn+RAnsozD11mZssrk69qNpZORvsZ5MgYYZoNkhI=
Received: from imsva1.bcbsm.com (inetmta03.bcbsm.com [12.107.172.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.z120.zixworks.com (Proprietary) with ESMTPS id D9C3B4181D34; Fri, 1 Apr 2022 16:00:28 -0500 (CDT)
Received: from imsva1.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7352492071; Fri, 1 Apr 2022 17:00:28 -0400 (EDT)
X-IMSS-DKIM-Authentication-Result: imsva1.bcbsm.com; sigcount=1; dkim=pass(1024-bit key) header.i=@bcbsm.onmicrosoft.com state=0
Received: from imsva1.bcbsm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 332159206C; Fri, 1 Apr 2022 17:00:28 -0400 (EDT)
Received: from NAM02-DM3-obe.outbound.protection.outlook.com (unknown [104.47.56.44]) by imsva1.bcbsm.com (Postfix) with ESMTPS; Fri, 1 Apr 2022 17:00:28 -0400 (EDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=betx5lBJCz8bYnKenCwTbIujgGmXG4N1jbQuxNAY8v1qyUGkJk7ZXkkFXskq9024X1CJ5pEWfU+WyqGZ/BA4acSipPAYgZK411duuty45taf19zs2VImKGJxyNrLo9EwkL1nt5LMaDHcPqimILoU+D4gsaxClE+31K6vVAbBkX2iiMvjS7+A0WFBHOsFRRMuxGYGlL1x6DyPWFAlPZYtFu0l0PXQwFiI0HObxo5ExmlGmmxb6Yp0lWxZH7mAo09zIMASpuqSgFPaaAOD+1PYQGw2A5LUCzVo4K/nZWrnDQyfMtLUYn+2eszlsIofofrItCGfwOaoa3WH2xyjEXePLw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=7voRSrS4MsoNGsRIIPvM6AMo0wUb7GwMVxKkvnZJfZI=; b=h1gxRo7MWkVyo5PsHJcGxPhiAW1mdok02jqtnVBpvlyq7QlgipyOfFgiB40blxmiTa6/WKeyug7tjW0bR4qkqNYbHDXtBO76gy4EF9MuTzpsm670Wqm7ffcIsqXvf+Y8RW92vwDqt6Tt0t51OKnv1YcCk06B9s92dy7VhZPWzS/AKH/d6+0mkVEksZ0gh5F3kzIFZYESSpWUTwvxJov0i8Mek/KH1OfDuTSl6wbZ/IyHPQC/Bi1qPxJqL+DthvHnb3erGmIb194YKcrBLHQRLAes0FQFpeGIXDTr7zuAfIEXzYwBhV0OQc9zW1ePtCIOpT+1wES7vhHRFGfrhqlWGw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bcbsm.com; dmarc=pass action=none header.from=bcbsm.com; dkim=pass header.d=bcbsm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bcbsm.onmicrosoft.com; s=selector2-bcbsm-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7voRSrS4MsoNGsRIIPvM6AMo0wUb7GwMVxKkvnZJfZI=; b=jMLY/PcDfLJAPl0L9jYe/1COToZu08Jtv54JHC04nWjdyeY20mDX51OIfScnCMqzFXuO2F9VMjgk3D2DwABqNp8+Dqzu3zApwKOsr0Hjnpx1RHJ4leoIGhST7vBtorMCLHyr7Z2zJRVYI7PIwgMUqmjMYLB9Yi2ogPjYtwWRbsQ=
Received: from DM6PR14MB3178.namprd14.prod.outlook.com (2603:10b6:5:118::30) by BN8PR14MB2642.namprd14.prod.outlook.com (2603:10b6:408:44::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.21; Fri, 1 Apr 2022 21:00:26 +0000
Received: from DM6PR14MB3178.namprd14.prod.outlook.com ([fe80::fc52:941f:cc00:2dd9]) by DM6PR14MB3178.namprd14.prod.outlook.com ([fe80::fc52:941f:cc00:2dd9%5]) with mapi id 15.20.5123.028; Fri, 1 Apr 2022 21:00:26 +0000
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: "buraglio@es.net" <buraglio@es.net>, Simon <linux@thehobsons.co.uk>
CC: v6ops list <v6ops@ietf.org>
Thread-Topic: [v6ops] Thoughts about wider operational input
Thread-Index: AQHYPWLxesV8fulCSU6drVXmx0+5BazKU+MAgAAMoQCAAA6FAIAApH0AgAALFICAAAQuAIAAAngAgAAp1QCAAC+pgIAL0TCAgAA04QCAAA74gIAAdlQggAAJkICAAA8igIAAKgIAgAAecYCAAWS0gIAAQyoAgAFfg2A=
Date: Fri, 01 Apr 2022 21:00:05 +0000
Deferred-Delivery: Fri, 1 Apr 2022 21:00:00 +0000
Message-ID: <DM6PR14MB3178554FE613B55712041FCED7E09@DM6PR14MB3178.namprd14.prod.outlook.com>
References: <52661a3d-75dc-111a-3f23-09b10d7cb8d4@gmail.com> <A72CDDDB-CDCE-4EAF-B95E-997C764DB2C4@gmail.com> <9175dc32-45c1-e948-c20a-3bcc958b77b9@gmail.com> <YjmJQMNgnJoSInUw@Space.Net> <D75EF08F-6A41-41B2-AFB2-649CBCC1D83E@consulintel.es> <CAPt1N1nRnYUFA=yyJHx6t52yqWbmcd2Tf1H8gQuCZBd3Q3VqJw@mail.gmail.com> <7F4AEB43-4B24-4A21-AE9D-3EB512B98C46@consulintel.es> <8fac4314b8244ba6b33eea68694296d0@huawei.com> <9A13E47B-75D0-443F-9EE9-D2917ACB2D0F@consulintel.es> <CAO42Z2xUG+BXj+VQpajed9aGjH+q-HR7RX7C-T4DsTbouz7xWQ@mail.gmail.com> <F6A90BBF-7F44-403E-960A-8F756353B562@chinatelecom.cn> <B49417F7-3EFB-4A4D-9D1A-0D21574EA4F2@consulintel.es> <44B01ACA-3D5C-4618-B608-3B3479D29875@consulintel.es> <62447DCB.1010206@jmaimon.com> <7228D9A7-54A8-4BAE-9299-204C049F600B@consulintel.es> <6244BA91.3060306@jmaimon.com> <67762447-43D4-4393-851C-99370D3BF623@thehobsons.co.uk> <CAM5+tA9+O8WeqXzZ6VozgSVstTktjWScRaE5S1KErZqcOmej3w@mail.gmail.com>
In-Reply-To: <CAM5+tA9+O8WeqXzZ6VozgSVstTktjWScRaE5S1KErZqcOmej3w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=bcbsm.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3cd83217-0c3e-42e9-bae4-08da1422a597
x-ms-traffictypediagnostic: BN8PR14MB2642:EE_
x-microsoft-antispam-prvs: <BN8PR14MB26425AE29197622DE6FD90D7D7E09@BN8PR14MB2642.namprd14.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: dA7lYRQNOJCBFfuhXSh2MP8XXfKdWuydSES2hpgEF6dp1zt1zXwx/Tq01IUG+hd/u1wx26m4RAcEglz/xzSanR9nF/P3rdR1aXTZ/GLdZITUjPt/miFA3zlZO5o9Iv9JSt6RbtcA3REoA3dPT//lm/4ZO+krj9OTlwD84DqK05OLBev//LUDxVv+Nvquji9RSyTaqquxKPe6I62FjTHqh1uaq6lEXSh82k7rkwCbQSCIBytg0u18RgCnspjHsOM7mY0IuUkJOANHibRlOHXvqq+SBMJztcdbdzYHZosjCN6o+z0xXtjWBkHkLv0HSaANoc5p1GkA4vX8lsHTdWyjEA+cC/2fM9W58/WeG0D0pshEX5pYM0E1VLGiPWFJf6CKqW8TakcxWimH0wOyaFickSGaJxfDSJwAeGCt/U/o/ld8coLJoKe8acXYz24VSEVWU7smXAivpUHurcqSblI+ggT8vJBaIcD4wUnNhsUpCjD64r6mU7fsjxg14WikqYlNnPZQ2zypFLDyyzoacafc1xsdoag2qD7HQ7OyX3imwi7fwHazg+j4jj/SQIbEz9wwdGrZkDK2Gj1EKnFL+QHaPI+NHL1z03U2omhukwIuZsbnXF0uYfmHtmJY+unh3JEoN/GQOEDY2+ssSHNytaVXtiLWcSSQ5OVMHBo8FXKzoY+fl9mM4XKZvg+nZDIXUaREaa+mReWo/fqa1eJZd3RWxL/MfpgXB6FV+bGuxVMxE34kSSikNLc3O7EJdAUT97K9MEVZp36TPcMp5IHAhx+9oJsWqPaSzFYmBJUjM9EOeWk=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR14MB3178.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(366004)(55016003)(33656002)(966005)(508600001)(5660300002)(52536014)(9686003)(30864003)(166002)(38070700005)(8936002)(66574015)(110136005)(122000001)(71200400001)(316002)(76116006)(86362001)(53546011)(8676002)(64756008)(66446008)(66476007)(66556008)(66946007)(6666004)(2906002)(83380400001)(38100700002)(7696005)(26005)(55236004)(6506007)(186003)(4326008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: m05ABxI41tpahVeTA0CpqEB/k3lrUpu//KcS1JRH8GbFqTYI8l6WnPoj1mZcdgByUYP70biy2JGSSE/edTSJb51/+hn1DtkVg8hLIt1lauYutlyQ4ivJmjKQ1NDJpg8cyzxdMldxcKlsy7XfdgdWdqXUPLln5M1n5SEN23hIyVHPVYjWzUBGP3I6x+VO5WHkoFv+n9oso5MEPgxOkorQA/2+cT5eK0KOg9lc9xt6FdCsTJgdQfti+z4/mivNlECrAxtKv/9Lbm+vNfwafmNzFrTUIuDplrXNaMOWJRJK4CuCbuizFqiHz8NX32ehlhvoZEpNBffNj119Y6TXsBLTZ6mybLMCcHKD4+j1xoYlh3dCzAU/BHL5+YlF2F3mLWac7d228mvT2us4ptyVbk2K8jNT1iV+JJqlS67iUsb7fMd1bJmPuaxdGl/1/LrDNyd8g3U53m2PP7MJoym4dVp/gzZ2DW1imoAbrqBecmxmAWAarn0biM4ljEyosUPNnjoYWg/0x+7iAEu7dftnTjhCOGz1vzsZd2OgwWU4mBtEV5/Iyqr+h6aXjWbN7d00Flnt26EmT7GXjzZTU0bKHjOSh0izkxVb/9moASQrhNI4yHRgXATxBBkQ/k+3yYuZOsWWiK+3V51oQS1VVghyGXFVmXmki5HhaCok5mktERwqt6hlzZG7gomtSejqQCeNMEqaMskYWT8QpbGb4I6aocQpqR9WwfoIxAoB456DOnTzqtFRxDG/YLO5xx9DuhczWmQ92GrJ5WZWUk9LsGZ7haKZsjdhtMFZ5oLzdDO2Tfz2DC7aa+yMCgw4ZKNEqMi7eKMOOtTvzpL5yyRXbAb9b22my57JIgrpm5BQHc9xtUQV8WKAMEzfdcm2BI03pMCN3KAoaoow8L40cWdRBej/0apPApcnhcECTG/wFVLbCGyfCNYCUxouzmqyU13+BCEGxOkcH0ebdgsN6nLaAzJ8PQ/h0ob8hAzxL7C+qGOTvjgfWJowtttSBGcRQTPrzrcvpaPFXux+56T/+b43wKZP8MAbgkA9vvYrmk6axbicZXIOJES0iNgCYQxBUqTj7SeuP+AeA8TScVJVQaC+bOPf6yOZKjKCaqkYR1mbByhrInCOHkeUwg2elmrscGdFBnUbyndXujhpr+bhVkWDFn/RPCAtp51uxZhpHlUCeePr8KUAkTIDlFFKHt0psjahp9lJP5PFq8RXkKwBe77hAa7+8nV0ROFeacREXo9Js1noZLB8FNLSMsAQjDlo/thpAMoDsHGzf5lf9ScuBgFa/03m5MQTUWsBWHYtlZeVJrII6vzsC0XIaWHi2VvDjUUd6d+K08aaBMlt9Mxmo8gu3uyabpcuseOVRpBczjVsaiZIhrp+wUxHDZ5LHzK9avkKDQBqt3JATBn5e2hroqokeoMhHpIJUA7WRU2tmz8V9FbkR36lF8cSmdt7y3ZMjfPKTo/DQ/f8JQFLkfrwwI+JID6jrKA14pg53Fs/XcuHxAcd197vRHEej3gdXc8fPJnAJ2kR/9ExviMpiU2F/f9TMn+7x+BxHpdgRlZi7+vSCLY7wY73swlAR4Hnn3BjehBKihLsLIl+LS5d17glDKZM3sSI4rvvXzUbsCe9Ql9rulO1P1RaITj8Sa/OIylxMEY6f7KUQiAZdfANlMsU3frXsBKZlNZF5siDeX1oPo2tsSjlBK5muBQUCuiw5auDx60nXbGvv0DeBd7BaEXacTqMG+//Y28BNw==
Content-Type: multipart/alternative; boundary="_000_DM6PR14MB3178554FE613B55712041FCED7E09DM6PR14MB3178namp_"
MIME-Version: 1.0
X-OriginatorOrg: bcbsm.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR14MB3178.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3cd83217-0c3e-42e9-bae4-08da1422a597
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2022 21:00:26.5505 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6f56d3fa-5682-4261-b169-bc0d615da17c
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0tcisMxtqd327YQMy6RdQuRJuGJznYS9MByf0i4CpdUyMyUWkm1qxXsbAmO+RdXcLOT4FGEXjhG1Y8UzRBH11w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR14MB2642
X-TM-AS-GCONF: 00
X-VPM-HOST: vmvpm01.z120.zixworks.com
X-VPM-GROUP-ID: ecd1037c-c8e6-400c-a50d-f395af57e4c8
X-VPM-MSG-ID: 2ce07961-9890-4138-a78b-75471e5f36b3
X-VPM-ENC-REGIME: TLS,Plaintext
X-VPM-IS-HYBRID: 0
X-VPM: TLS Sent
X-VPM-TLS-SENDER: vmvpm01.z120.zixworks.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/WBijsyj_j-xrPwMLk5OgdouzjSY>
Subject: Re: [v6ops] Thoughts about wider operational input
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2022 21:01:06 -0000

Hi Nick

As a typical clueless enterprise guy, I am not only way behind in responding to  emails and to your note below,  but also attempting to get good info & advice from all the messages on this chain from you and Joe and Simon, Paolo  and many other SME's who have responded.
My belated response to what you wrote below, is that it sounds well thought out,  objective and pretty right on to me,  based on my experiences.
At most organizations I work with or talk to,  NAT is not going away,  no matter what we think or say.   I say sometimes that it has become part of our network architecture thinking.   This was originally due to address limitations and (decreasingly now) due to perceived Security benefits.  You called that address obfuscation and that seems to be the most prevalent security sub driver, I see.   We now have FWs, Proxies, IPS, micro segmentation and many other Security tools and techniques that may obviate the need for NAT in most situations, but like you say,  IT AIN'T GOIN AWAY.

I also agree that enterprises are driven by cost and risk models.   Part of that is that if something appears to be working today, we are concerned that if we change it,  in any way,  that introduces risk.   Another reason NAT AIN'T GOIN AWAY SOON,  even if we do find better alternatives and set new directions.
I personally am in favor of NAT reduction or elimination because my role is primarily: diagnostics, performance and monitoring,  all of which NAT certainly does not help me with.   But in the bigger picture there are those that think they still want/need it, so I accept that.

But what I also say,  to the few enterprises that listen to ANYTHING about IPv6,  is that if we continue to scale NAT up,  at the pace we historically have,  the NAT solution may become a problem or the source of  problems on it's own.    So we need to consider alternatives.  And,  that IPv6 may provide some better alternatives.   I then (if anyone is still listening),  go on to talk about GUA end to end (which I think will be great for some,  but not all situations), or ULAs, etc.      My hope/dream is that these and other alternatives eventually produce deployments with less NAT,  but even in my dreams it may not all be eliminated.

What I would like to know,  from all of you SME's,  is if what I am saying in the previous paragraph, is good advice to prospective IPv6 enterprises and if I should change or add anything?      I definitely do not want to give enterprises any bad advice,  because if we/they finally do go down the IPv6 road,  and have issues,  they will recoil.   And we will have lost another decade.
For example I do frequently get interest & questions about ULA implementations and usually provide caveats that ULA still has some issues that need to be addressed, before enterprises seriously deploy it.   But there are some very good people already looking into this and I have great confidence that these issues will be handled.

So once again thanks for all the great info / advice  and my ears are wide open for more.

Have a great weekend all!

Mike

From: v6ops <v6ops-bounces@ietf.org> On Behalf Of Nick Buraglio
Sent: Thursday, March 31, 2022 5:33 PM
To: Simon <linux@thehobsons.co.uk>
Cc: v6ops list <v6ops@ietf.org>
Subject: Re: [v6ops] Thoughts about wider operational input

[External email]
For 20+ years security vendors have conflated NAT and Firewall. That isn't going to go away, frankly, and from the point of view of the security engineer at an organization of a sufficient size, it doesn't matter if it is technically correct or not. Obfuscating addressing is a very engrained design model, largely because of this fact. I believe there is no a way around that at least in the short term, probably also in the long term.
Understanding that what "enterprises" want is going to be driven by two things: cost and risk. Address obfuscation is very, very, very (95%?) present in enterprise architectures. Deviating from that is largely a non-starter because it deviates from existing risk profiles and completely changes the decades old architectures of application proxies and address translation devices in strategic locations and like Joe M. has stated, the fail closed model is by-and-large a requirement for many large organizations.
If we want to understand what the enterprises want, we need to understand their cost models and risk profiles.  Enterprises aren't going to fret much about state tables, they'll buy bigger boxes. They aren't going to worry as much about performance as, say, a service provider or a supercomputing center. They care that their compliance requirements are met [see address obfuscation, default deny, etc.], that their risk remains as low as possible, and that their widget sells.
I hate to say it because I truly want the end to end connectivity, but I believe that address translation with IPv6 is not going anywhere, and in fact, will probably encourage deployment of v6 in the enterprise space.  It's a useful tool to get to where they want to be (again, see risk and cost).
I think we need to rectify the fact that enterprises don't necessarily want end to end connectivity for the above reasons, and I have seen significant evidence pointing to that fact.

nb

On Thu, Mar 31, 2022 at 12:33 PM Simon <linux@thehobsons.co.uk<mailto:linux@thehobsons.co.uk>> wrote:


> On 30 Mar 2022, at 21:16, Joe Maimon <jmaimon@jmaimon.com<mailto:jmaimon@jmaimon.com>> wrote:

> JORDI PALET MARTINEZ wrote:
>> Because if you don't have NAT, you are forced to properly configure a firewall.

> That is backwards.

ONLY if you start from the premise that NAT is not in fundamental conflict with IP basics - namely that "packets can be routed from any end point to any other end point" (with the modern security proviso of "subject to administrative policies".)
In any case, I'm used to configuring a firewall anyway. Most CE devices come with a stateful firewall installed and configured - most of them even with sensible defaults !

> NAT is an operational requirement. You have it because without it something does not work the way you want it to.

Not for IPv6. You are applying the "lets take IPv4 with all its faults and tack on some extra address bits" attitude. We should be taking the opportunity to fix the things that weren't perfect/right with IPv4.
And for the record, in my last job we were lucky enough to have a whole /24 to play in - and we did, without NAT for the most part. And guess what, it worked very well thank you.
NAT is not strictly an operation requirement anyway, NAT is a sticking plaster on the festering sore of insufficient IP addresses. I would argue that NAT is the fundamental evil that is holding back adoption of a proper fix to the underlying problem - because it's been "sold" as a solution by people who do not also mention that it's broken and should be treated as a stopgap at most rather than the saviour of the internet it's been hailed as.

Most of the discussions in this thread have come down to "the problems with NAT haven't been a big enough pain point to trigger properly adopting IPv6" - mostly because many of the people making the decisions don't actually get to see the problems and costs they are subjected to.
In a way there's a parallel with the Y2k problem - I was one of many IT people doing work up front only to have both users and management ask "so what was the fuss about". Of course, by fixing most problems invisibly up front, and the remaining ones as they cropped up, management never saw the underlying problem.


> On 30 Mar 2022, at 22:22, Joe Maimon <jmaimon@jmaimon.com<mailto:jmaimon@jmaimon.com>> wrote:
>
>
>
> Simon wrote:

>> Any form of NAT breaks things<period> That's the short answer.
>>
>> Longer answer, any protocol that embeds addresses in it gets broken - e.g. during session setup one end tells the other, please contact me at address X and port Y. That is quite common once you get past a basic "open connection, squirt some data, close session". Examples that come immediately to mind :

> In OSI speak thats a layering violation. An upper level protocol incorporates details and assumptions about lower layers as part of its operations.

Citation ?

> Unfortunately, TCP/IP and its application protocols are rife with them. Well more than one should expect were proper attention have been given to ensure that there was absolutely no equivalent proper way to do it.

So do you agree that HTTP is fundamentally broken then ? Either that, or it's a protocol violation to run a service on anything but ports 80 and 443 ? Put another way, it's a protocol violation to have a link to say my server:8443 ?

> Just because its common and convenient and usually works or can be made to work does not make it correct.

And of course, it's usually done because it is the most sensible way to do it. Lets look at SIP for an example.

The device (lets assume a simple phone to keep things simple) needs to talk SIP in order to control sessions. But it makes complete sense to use a different protocol to transfer the audio streams (multiple) - and note what I said about the audio streams not necessarily going to the same place as the SIP user registration.
What you've said is that it should be "illegal" to allow my phone to exchange audio streams directly with someone else's phone - OSI layer violation. Yet that is the most efficient way to do it (where it's possible). The alternative is something like IAX where the application is effectively embedding a chunk of protocol stack - the ability to multiplex the packets of multiple streams inherent in IP (TCP or UDP) over one network - into the application. And in the world where all the traffic must be carried in one session, it means your voice traffic must pass through an "exchange" at both ends, adding delay and jitter as well as processing load to what would otherwise be a very lightweight application.

>> They all involve developers, and support people, putting effort into implementing the workaround code and support (e.g. adding the settings to the config pages) and users waste effort getting them set up right. All effort that could be better put to productive use rather than fighting broken networks.
>
> In theory, the protocols are broken. If they hadnt taken the easy way out, we would not have to work around so many of them.

Again, citation. According to whom, other than the "NAT is beautiful" brigade are they broken ?

> RAM is cheap.

Not in many lightweight devices it isn't.



Simon

_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops


The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.


This message was secured by Zix(R).

v2.23.0 | Report a Bug | By Email