IETF Logo Mail Archive

Re: [v6ops] AWS ipv6-only features

Vasilenko Eduard <vasilenko.eduard@huawei.com> Tue, 30 November 2021 08:40 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B92B03A1158 for <v6ops@ietfa.amsl.com>; Tue, 30 Nov 2021 00:40:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXEb4vl3EHLh for <v6ops@ietfa.amsl.com>; Tue, 30 Nov 2021 00:40:36 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 320903A1155 for <v6ops@ietf.org>; Tue, 30 Nov 2021 00:40:36 -0800 (PST)
Received: from fraeml742-chm.china.huawei.com (unknown [172.18.147.201]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4J3Fxr0BGrz688sd for <v6ops@ietf.org>; Tue, 30 Nov 2021 16:39:12 +0800 (CST)
Received: from mscpeml100001.china.huawei.com (7.188.26.227) by fraeml742-chm.china.huawei.com (10.206.15.223) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Tue, 30 Nov 2021 09:40:33 +0100
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by mscpeml100001.china.huawei.com (7.188.26.227) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Tue, 30 Nov 2021 11:40:32 +0300
Received: from mscpeml500001.china.huawei.com ([7.188.26.142]) by mscpeml500001.china.huawei.com ([7.188.26.142]) with mapi id 15.01.2308.020; Tue, 30 Nov 2021 11:40:32 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: "buraglio@es.net" <buraglio@es.net>
CC: IPv6 Ops WG <v6ops@ietf.org>
Thread-Topic: [v6ops] AWS ipv6-only features
Thread-Index: AQHX4fsZSlp8ExgGPkarucfdaUPk/qwUenAAgAAJBgCABlg2FP//99yAgAAK2wCAAOXvUA==
Date: Tue, 30 Nov 2021 08:40:32 +0000
Message-ID: <0c0c5389e8364c1787e303a168813189@huawei.com>
References: <CAD6AjGRAkpMDaAh31mVL=+Gcz5PHejUxxLazr4Xb=vVRHfaSpw@mail.gmail.com> <CAO42Z2z8u_DQMd9eNSQp_RhBinXk2KyH4pdbVLMEqOta-hoG1w@mail.gmail.com> <CADzU5g5odQ82FJ0TsdNxFB42OkgLZ+PWanLLrK1roLojAUS54A@mail.gmail.com> <CAO42Z2z+ZJ_pLwZmBjZ_HFsNXQ6jok-PMRTP23ZD2UMch61wtw@mail.gmail.com> <CAM5+tA9JhRWfZ2VLLQnT8Mg+Xng-+Rc-oQnX8Ma5DguL2uDO8w@mail.gmail.com> <771a145e-8483-63e5-5200-a1ff32a0e781@gmail.com> <CAM5+tA_AAfLaH-bP_1q3FR7ssJFgUAJuqN401aJJVcWWDnBL1g@mail.gmail.com>
In-Reply-To: <CAM5+tA_AAfLaH-bP_1q3FR7ssJFgUAJuqN401aJJVcWWDnBL1g@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.203.124]
Content-Type: multipart/alternative; boundary="_000_0c0c5389e8364c1787e303a168813189huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/WatgS4w2_c3f6VBnasWseXbq5Vo>
Subject: Re: [v6ops] AWS ipv6-only features
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 08:40:53 -0000

Hi Nick,
Thanks for the discovery.
ULA has a few purposes. What you have disclosed defeats stability purpose (probably, the primary ULA purpose).
If the internal session is initiated on GUA, but GUA is correctly reclaimed (and deprecated) later then the session is interrupted
despite ULA being available to avoid interruption.

It effectively makes low value for all recommendations of RFC 7084 on ULA.
And the same problem for all other cases when ULA has been used for stability (like Homenet).

IMHO: It is the big problem. It is bigger than filtered EHs on the Internet.
How is it possible to fix it?

Eduard
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Nick Buraglio
Sent: Tuesday, November 30, 2021 12:45 AM
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] AWS ipv6-only features


On Mon, Nov 29, 2021 at 3:06 PM Brian E Carpenter <brian.e.carpenter@gmail.com<mailto:brian.e.carpenter@gmail.com>> wrote:
Nick,

On 30-Nov-21 07:33, Nick Buraglio wrote:
> Thank you for writing some information on ULA, it's an important part of IPv6 and not really discussed enough. Perhaps we should start another thread, but I'd like to hear more about when you see this behavior:
>
> /"ULAs are preferred over GUAs, so when a host is presented with both a
ULA and GUA as possible ways to reach a destination, the host will select
the ULA. Once the ULA destination address is chosen, the host will then choose its ULA as a source address to reach the ULA destination. This preference of ULA addressing over GUA addressing is the mechanism that provides internal network connectivity independence from concurrent external Internet connectivity."/
>
> In testing and in practice I have experienced that exactly the opposite
of this is true in both day-to-day use and every single explicit test I have done where ULA and GUA are present on both sides with a variety of hardware platforms and operating systems. GUA is used in every scenario I test when the AAAA records are all matching (i.e. appropriately correct DNS).

Please be more precise about the scenario. Do you mean that both hosts have AAAA records for their GUAs *and* ULAs, and that the app uses DNS names, or what?

In the testing I was performing to double check my notes I had this scenario:

host 1 (linux, A for IPv4, AAAA for IPv6 GUA, AAAA for IPv6 ULA)
host 1 (linux, A for IPv4, AAAA for IPv6 GUA, AAAA for IPv6 ULA)
host 1 (MacOS 12.0.1, A for IPv4, AAAA for IPv6 GUA, AAAA for IPv6 ULA)
RouterOS based router 1 (RouterOS, A for IPv4, AAAA for IPv6 GUA, AAAA for IPv6 ULA) - RouterOS seems to default to IPv4 for some dumb reason, even when the source address is set to v6
All A and AAAA records match their respective hosts (i.e. host1.lab.int<http://host1.lab.int>, host2.lab.int<http://host2.lab.int>, etc.)

In each case when I attempt to reach the devices I use the DNS record the default is to the GUA, from the GUA, with the exception of Mikrotik which by default uses IPv4 if it exists as an A record, even if specifying an IPv6 src address.



Nevertheless, default address selection in RFC6724 is that GUAs win over ULAs, so what you report is correct out-of-the-box behaviour. The description in Mark's blog is not the default scenario, but you could make it true by changing the RFC6724 policy table in all your hosts.

If an individual app *wants* to prefer ULAs, it's not hard, but it does have to be an explicit choice. (My implementation of GRASP, for example, explicitly picks ULA over GUA if both are available, and reverts to link-local if neither is available.)

Understood.


> I'm happy to learn that I am incorrect, as it would make certain things
easier, but nothing so far in my experience has shown the described behavior.
>
> Seemingly relevant to the discussion at hand, and definitely relevant to enterprises and providers actively using or considering ULA.

The default in RFC6724 was chosen precisely to avoid surprises for enterprises and providers. If you want ULAs as the default preference, you have
to change something.

Right, which is functionally impossible for most commercial platforms meaning it generally doesn't happen so get consistent behavior of ULA being deprioritized.


     Brian

>
> nb
>
> On Thu, Nov 25, 2021 at 2:49 PM Mark Smith <markzzzsmith@gmail.com<mailto:markzzzsmith@gmail.com> <mailto:markzzzsmith@gmail.com<mailto:markzzzsmith@gmail.com>>> wrote:
>
>
>
>     On Fri, 26 Nov 2021, 07:41 Clark Gaylord, <cgaylord@vt.edu<mailto:cgaylord@vt.edu> <mailto:cgaylord@vt.edu<mailto:cgaylord@vt.edu>>> wrote:
>
>         Yeah AWS hold their cards close and don't seem to engage the community, but they do have decent IPv6 coverage across the services. Notwithstanding that the whole VPC concept has the whiff of ancient days about
it; tonight we're gonna network like it's 1999!
>
>         EC2 as part of the address is a great idea. I am so stealing that (can't believe I haven't thought of it.)
>
>
>     It's a terrible idea. The "Unique" in ULA is on purpose.
>
>
>       Getting IPv6 private addressing right
>
>     https://blog.apnic.net/2020/05/20/getting-ipv6-private-addressing-right/ <https://blog.apnic.net/2020/05/20/getting-ipv6-private-addressing-right/>
>
>
>
>         On Thu, Nov 25, 2021, 15:09 Mark Smith <markzzzsmith@gmail.com<mailto:markzzzsmith@gmail.com> <mailto:markzzzsmith@gmail.com<mailto:markzzzsmith@gmail.com>>> wrote:
>
>
>
>             On Thu, 25 Nov 2021, 23:51 Ca By, <cb.list6@gmail.com<mailto:cb.list6@gmail.com> <mailto:cb.list6@gmail.com<mailto:cb.list6@gmail.com>>> wrote:
>
>                 Fyi, aws has gone beyond perfunctory ipv6 support and has released a series of enhancements, with a focus on ipv6-only scenarios, including nat64 / dns64
>
>                 https://aws.amazon.com/about-aws/whats-new/2021/11/aws-nat64-dns64-communication-ipv6-ipv4-services/ <https://aws.amazon.com/about-aws/whats-new/2021/11/aws-nat64-dns64-communication-ipv6-ipv4-services/>
>
>                 AWS has lapped Google and Azure in advanced network features, which is really surprising given the early muscle Google developed
at IPv6 launch and a stronger need to differentiate …
>
>
>             AWS failed to do ULAs properly. 'ec2' could be a random global ID, but unlikely when their service is "EC2".
>
>             Matters more here because they're exposing that to all of their tenants. I think GUAs would have been better for these internal all tenant services.
>
>             I've never seen AWS participate here in 20 years, unlike G and M.
>
>
>                 _______________________________________________
>                 v6ops mailing list
>                 v6ops@ietf.org<mailto:v6ops@ietf.org> <mailto:v6ops@ietf.org<mailto:v6ops@ietf.org>>
>                 https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
>
>             _______________________________________________
>             v6ops mailing list
>             v6ops@ietf.org<mailto:v6ops@ietf.org> <mailto:v6ops@ietf.org<mailto:v6ops@ietf.org>>
>             https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
>
>     _______________________________________________
>     v6ops mailing list
>     v6ops@ietf.org<mailto:v6ops@ietf.org> <mailto:v6ops@ietf.org<mailto:v6ops@ietf.org>>
>     https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org<mailto:v6ops@ietf.org>
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email