IETF Logo Mail Archive

Re: [v6ops] New Version Notification for draft-yourtchenko-ra-dhcpv6-comparison-00.txt (fwd)

Lorenzo Colitti <lorenzo@google.com> Tue, 07 January 2014 04:14 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79D8F1ADF72 for <v6ops@ietfa.amsl.com>; Mon, 6 Jan 2014 20:14:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.916
X-Spam-Level:
X-Spam-Status: No, score=-1.916 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RrHnS84M8ZSK for <v6ops@ietfa.amsl.com>; Mon, 6 Jan 2014 20:14:24 -0800 (PST)
Received: from mail-ie0-x234.google.com (mail-ie0-x234.google.com [IPv6:2607:f8b0:4001:c03::234]) by ietfa.amsl.com (Postfix) with ESMTP id 6C1DC1ADF6E for <v6ops@ietf.org>; Mon, 6 Jan 2014 20:14:24 -0800 (PST)
Received: by mail-ie0-f180.google.com with SMTP id tp5so18947245ieb.25 for <v6ops@ietf.org>; Mon, 06 Jan 2014 20:14:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=p/YYmkasBtdEcjWKv8Zj0XSpKAKWIN4wcy7p5uukEbE=; b=Yg2O4Nu+1uZ+Zp2L1IWXOje4k+x9CBOgCxDuD4eqlhHQAwVYcf2RCUTWbukAETmVs1 9S3xZOzBA/6B29B93tXP2Ox++2hI2MQFdssy8rR3xegD2Vsi9aSOAauj1WjaO8OE3dFN Vzv1YKXECiEwM0BVh/oIk9xdm1WmwXmMD2LsS8rbKtbzoQhaj5ZB04bpY3JDgvOiM2Oe xGHT9mvcH401xMkJanY/JY9DLpUQ1JoTF0SlIiAAFKhJGuptYR6hjwMOnioa1prz6kyV muLAixollSykMP0rgMgD1tInweNMUPI0ISx+I95hgCaWytZnSXIEh2yMXoW83iKnGIuO /v1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=p/YYmkasBtdEcjWKv8Zj0XSpKAKWIN4wcy7p5uukEbE=; b=Bg9iHMIoUez29shhx3dVkxykEcTdu8KW9VDJWb6wDz2knBkOaj7HO5uLhPYu2Ly4Zh BLtqs81/QHkRmuzUUFzoEOsTobAYYQA4j6A0JAADOUZwzbExo3tTxFIBqJ5RMUiq4EQc 6ACx/emEEkvFvcKBMA+YdfPsZ4e823UQAQmiwq3582m+sNGSTpzoj4gD8fQ7nszL8KG3 X412JeDZkgpxlK6j/+OMGn27xJdvY8ra2EpmU5CNQOVVxAKXqlRSJqwQTZuazh6nY4kT 8SnQGj4QMlAL43Ahtb3nwGbexgc7PjmwpAvrb/C4bw94YzA1+FF+oQcc7AjbC2mN5fO6 Nytw==
X-Gm-Message-State: ALoCoQlKzcphRKsVSUvSrwwcGrDMHtGgVKQ9djMT01QDp9HcYlSdWDMzZI4Vdqyj4wvWRNH947mrwx8EYKXz8LrUHTWxcGswCylKx/sdDP5t3TPOwE2q6kEugMQ27uSiibQOHTPXgbqqb3pyKpQjcMD7XDCgC5/4Ayvz44GVWGtcr4sCs+WfGbchX6Srs/HC3eqr1Aej9ncA
X-Received: by 10.50.79.228 with SMTP id m4mr22999044igx.47.1389068055613; Mon, 06 Jan 2014 20:14:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.7.36 with HTTP; Mon, 6 Jan 2014 20:13:54 -0800 (PST)
In-Reply-To: <CAEmG1=qLxqWdB8JR4rbAS-TyqQtPcGnZvVb7DSBCrmFcrm0vUA@mail.gmail.com>
References: <alpine.OSX.2.00.1311271353550.3903@ayourtch-mac> <1386274786.29351.YahooMailNeo@web142501.mail.bf1.yahoo.com> <alpine.OSX.2.00.1312060759220.68814@ayourtch-mac> <1386378082.99914.YahooMailNeo@web161901.mail.bf1.yahoo.com> <alpine.OSX.2.00.1312072028290.68814@ayourtch-mac> <F024FF5B-35A6-4221-952C-4A730A68C59D@delong.com> <alpine.OSX.2.00.1312080643090.68814@ayourtch-mac> <B561C767-677A-4A37-BA69-EB24951B2817@delong.com> <52A4C6FD.1080504@gmail.com> <98CACA9B-AD61-460A-93AC-D5EEA1176706@delong.com> <CAEmG1=qLxqWdB8JR4rbAS-TyqQtPcGnZvVb7DSBCrmFcrm0vUA@mail.gmail.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Tue, 07 Jan 2014 13:13:54 +0900
Message-ID: <CAKD1Yr0+GQ-ZAgCbN6ew7FftjJBHE5od4jd_=txyLi008Q72jw@mail.gmail.com>
To: Matthew Petach <mpetach@netflight.com>
Content-Type: multipart/alternative; boundary="089e013a1f16063cda04ef599ced"
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] New Version Notification for draft-yourtchenko-ra-dhcpv6-comparison-00.txt (fwd)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2014 04:14:27 -0000

On Tue, Jan 7, 2014 at 12:10 PM, Matthew Petach <mpetach@netflight.com>wrote:

> There are multi-billion dollar companies that have a need
> to operate their networks in very specific ways.  If those
> ways are not supported by the RFCs, they will pay money
> to vendors to have options added to the software to allow
> them to operate their networks in that way.  See for example
> the filter-aaaa-on-v4 option in BIND; while there was resistance
> to the idea that DNS servers be configurable to not
> return quad-A records to v4 queries, in the end, the
> needs of the business won out.
>

I think that's a terrible example. AFAIK (and I think I was in the room)
the filter-aaaa-on-v4 hack was originally proposed for use in CPEs, and it
met with opposition even there. Opposition for getting it into bind was
pretty strong, and AIUI - as you say - it was included only because someone
said, "We have a contract. Here's a check. Now honour the contract."

In hindsight, it turned out to be a really bad idea. The hack was never
used for its intended purpose in the CPE, but it did end up being used
basically by an entire country to cling to a fundamentally broken IPv6
deployment model (the NTT walled-garden "here's a global IPv6 address and a
default route, but you can't reach the IPv6 Internet, have a nice day"
fiasco). I think that if filter-aaaa-on-v4 is an example of anything, it's
an example of the law of unintended consequences.


> There are very large networks
> that require DCHPv6-only implementations to work, and they
> will get software to support that model, one way or another,
> because without it, they cannot move to a dual-stack
> environment.  Not from a technical perspective, of course,
> but from an accounting and control perspective; the DHCP
> server must be the source of both v4 and v6 address assignments,
> and the only such source, in order for the staff to know for certain
> who has been assigned a given address on the network.
>

<sidenote>
DHCPv6 is not *necessary* accounting and control. It is one way to do it,
but you can do it just as well with address tracking in the switches.
Address tracking is also much more flexible (allowing multiple addresses,
dynamic addresses) and more secure: while using DHCP for address
verification requires strong first-hop security in the switches (DHCP
snooping, address-to-MAC binding, forced forwarding, etc) address tracking
requires none of that. In fact, there's a fallacy here: I have personally
see security people think that DHCP-provided addresses are secure, when by
themselves they are not secure at all. They can only be made secure if
first-hop security is in place.

In fact, I'd argue that DHCPv4 is not particularly well-suited for address
tracking at all, and the only reason we use DHCP for address tracking in
IPv4 is that in IPv4 there is basically no other mechanism to assign
addresses.
</sidenote>

With that out of the way: why are you talking about address assignment.
DHCPv6-only address assignment is already a standard. Send an RA with M=1
(and optionally a prefix with A=0) and - assuming your hosts implement
DHCPv6 - you're done.


> You can argue back and forth until you're blue in the face;
> but it's rather like trying to persuade a glacier to stop
> advancing by pointing a hair dryer at it.  There *will* be
> networks that will be run with address assignments from DHCP only,
> both for v4 and v6, and it can either happen with support from the
> RFC-discussing community, or it can come via paid-for-knobs in
> software to allow for non-RFC DHCPv4+DHCPv6-only environments.
>

Of course. In the privacy of your own network, or between consenting
networks and implementations, you can do whatever you like. But
standardizing it is a much higher bar. In hindsight, I think it's pretty
clear to that filter-aaaa-on-v4 is a terrible idea (just think of what will
happen to it when DNSSEC rolls around), and I think it's clear that it will
never be standardized. But that doesn't stop people from using it.

Or, you're a company with tens of thousands
>
of desktops, where static configuration is not
> a viable option, but control over address
> assignment from central servers is a must;
> in that environment, DHCPv6-assignment-only is
> a reality, and will exist; it is already being explored
> today, and to to deny that it is coming is equally as
> useful as cursing the coming of nightfall; it
> will happen, with or without your agreement
> or support.
>

It's not entirely clear to me what you're talking about here, since
DHCPv6-only address assignment is already possible today. But take a random
$FEATURE. If you're right and your multi-billion dollar enterprises get all
host operating systems to support $FEATURE, then it will be a de facto
standard. But until then, it would be a mistake for the IETF to to
standardize $FEATURE if there are existing and technically superior ways of
implmenting $FEATURE's functionality just because a subset of users want to
stick to the same practices they used in IPv4.

BTW, I am aware of at least one company that meets your "multi-billion
dollar, tens of thousands of desktops" definition that claims to have
brought IPv6 to 99% of its engineers without using DHCPv6 for address
assignment. In fact, they saw this as an opportunity to not run a DHCPv6
server at all.

Cheers,
Lorenzo

v2.23.0 | Report a Bug | By Email