IETF Logo Mail Archive

Re: [v6ops] Thoughts about wider operational input

David Conrad <drc@virtualized.org> Sat, 02 April 2022 21:54 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F3A63A1785 for <v6ops@ietfa.amsl.com>; Sat, 2 Apr 2022 14:54:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zuk5JIctoTsU for <v6ops@ietfa.amsl.com>; Sat, 2 Apr 2022 14:54:13 -0700 (PDT)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 131B33A177E for <v6ops@ietf.org>; Sat, 2 Apr 2022 14:54:13 -0700 (PDT)
Received: by mail-pl1-x632.google.com with SMTP id f10so5261761plr.6 for <v6ops@ietf.org>; Sat, 02 Apr 2022 14:54:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtualized-org.20210112.gappssmtp.com; s=20210112; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=31bDnhpVdQ9jxZhsNErEo62H4zf6Jfyo54oJbVSCJJ4=; b=t2EpUP1VecQUrurhQZ5QqItpR2p+eiBmjIQD7asawIwqVtH/0pDCfNun5LbymrlMpq gdxsxx4iFsEKca/wovjp/VmpBE5yUdoGbwfFcuuOgnFlGsb/oOj9HHpf9kVdIU7dourc 6qkkY8KmNLLV2/vFLiE4uEZizxiVXbn1vR/7D2/XCiVXg4MtXoEUXePUD0ZTVecNoihF T7X4iHM8M66EXNNLKKH5hpaVzavoEkb+dt81YX6ZBEVKoHhyWWPY0Zvz2bR4vhAJUaJg EqguTWyXT8XQrJJEjn5SA/hpVZaaZ4a4p/Kb6tXdTDB/MwETpYuqr6122VlpoLgTgnF2 72/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=31bDnhpVdQ9jxZhsNErEo62H4zf6Jfyo54oJbVSCJJ4=; b=2oY1Nreb1uS68FtTSWodUEvCPTFjDpX++qUL2ofHb5SWxexaMb/b7u5l6Vs1rgJeK1 fePXslPIJLtSOvkrAm7PoeD6K6nbOPpzLl4Ea86/X/wZIs2IWTbR3zkNpSKR5owSSa7Z okuA1/dQz0tAT1IkwKqb9baDaF4IQh4TKunH4zBIMpPtIliGLL18f3wQLCdhVs7xst/E eIkijzo3b1sRQ0CpcwCvjR91tN/vrgNx/EChsv22sn1stAxGFZ+mke41NtvWGg4IOgQH gI8UeawPbDfaRpp8d8fiazMM8hKEgdQOlkJoGFkUNwPxCS/h//OZ8ZvESxPCk5qUOnQu udZg==
X-Gm-Message-State: AOAM530EZZw9PkyXgOKZgHT5I3nvff8rjcZ5QAFVU0ZuX+dd2ggSkw0z 1cCC8HEwXwxWtHqw+DWtAlrZTXsDwl/K+A==
X-Google-Smtp-Source: ABdhPJzOSMbuCLUlZZM2+KmO/X6Koes+NIr144GuBd7fBBEOYVB3Jfhz7dsBS0nADowgPfkwfH8alQ==
X-Received: by 2002:a17:902:b48d:b0:156:7f54:8ffc with SMTP id y13-20020a170902b48d00b001567f548ffcmr3952484plr.95.1648936451801; Sat, 02 Apr 2022 14:54:11 -0700 (PDT)
Received: from smtpclient.apple ([2600:1700:5135:f1f:88bc:dde5:36ac:7b3b]) by smtp.gmail.com with ESMTPSA id f14-20020a056a0022ce00b004fabe9fac23sm7629712pfj.151.2022.04.02.14.54.10 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 02 Apr 2022 14:54:10 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_F2F8E9D9-DFBA-4C06-AB65-C1882E6C6333"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <4ADAA521-00A2-4FAF-9A1B-500C8598164F@thehobsons.co.uk>
Date: Sat, 02 Apr 2022 14:54:09 -0700
Cc: v6ops list <v6ops@ietf.org>
Message-Id: <D43294DA-E57A-44B4-AB1A-B0A766665FB0@virtualized.org>
References: <52661a3d-75dc-111a-3f23-09b10d7cb8d4@gmail.com> <9175dc32-45c1-e948-c20a-3bcc958b77b9@gmail.com> <YjmJQMNgnJoSInUw@Space.Net> <D75EF08F-6A41-41B2-AFB2-649CBCC1D83E@consulintel.es> <CAPt1N1nRnYUFA=yyJHx6t52yqWbmcd2Tf1H8gQuCZBd3Q3VqJw@mail.gmail.com> <7F4AEB43-4B24-4A21-AE9D-3EB512B98C46@consulintel.es> <8fac4314b8244ba6b33eea68694296d0@huawei.com> <9A13E47B-75D0-443F-9EE9-D2917ACB2D0F@consulintel.es> <CAO42Z2xUG+BXj+VQpajed9aGjH+q-HR7RX7C-T4DsTbouz7xWQ@mail.gmail.com> <F6A90BBF-7F44-403E-960A-8F756353B562@chinatelecom.cn> <B49417F7-3EFB-4A4D-9D1A-0D21574EA4F2@consulintel.es> <44B01ACA-3D5C-4618-B608-3B3479D29875@consulintel.es> <62447DCB.1010206@jmaimon.com> <7228D9A7-54A8-4BAE-9299-204C049F600B@consulintel.es> <6244BA91.3060306@jmaimon.com> <67762447-43D4-4393-851C-99370D3BF623@thehobsons.co.uk> <6246126C.1030609@jmaimon.com> <259B108A-C3DD-4460-B41A-A0028ACA9594@thehobsons.co.uk> <624759B1.8060700@jmaimon.com> <89D652EB-8920-4992-99EC-CC3C3A856D57@thehobsons.co.uk> <62477058.6020901@jmaimon.com> <4ADAA521-00A2-4FAF-9A1B-500C8598164F@thehobsons.co.uk>
To: Simon <linux@thehobsons.co.uk>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Y5fkN96L2HvJ_g3fSZi6V3DcYQQ>
Subject: Re: [v6ops] Thoughts about wider operational input
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Apr 2022 21:54:18 -0000

On Apr 2, 2022, at 10:37 AM, Simon <linux@thehobsons.co.uk> wrote:
>> What you dont know is what IP address YOU have from the point of view of the other endpoint.
> Indeed, and that’s why Nat == broken. Pretty well the entire foundation of networking falls over if you have no idea who *you* are.

No. An IP address identifies and locates a connection point for IP service.  What is behind that service, including identity, is determined by higher layers. The service connection point could be a single process, or multiple processes, or, in the case of NAT, an entire network. You cannot rely on an IP address alone as any indication of “who *you* are”.

> That is the foundation of IP - globally unique addresses, so that an address can only refer to one end node;

Even ignoring NAT, no.  See, for example, https://datatracker.ietf.org/doc/html/rfc4786.

> and end-end communication, so any end node can communicate with any other end node. NAT plus private addressing breaks this - I can tell someone that I’m at 192.168.1.1 and that doesn’t differentiate me from the thousands or millions of other 192.168.1.1 nodes in other 192.168.0.0/16 (or 192.168.1.0/24) address spaces; nor does it enable them to send a packet to me. I.e. the network is broken.


Given the vast majority of Internet users (including myself, don’t know about you) are behind NAT boxes and we’re having this conversation, I gather you’re using the term “the network is broken” in a non-traditional way.

All communication over IP must be demultiplexed by higher-layer processes via protocol and/or port. NAT adds an additional form of demultiplexing, mapping a single address plus port into multiple addresses.  NAT breaks things because higher-layer protocol designers violated layer boundaries, granting those higher-layer protocols knowledge of lower-layer identifiers, which should have been opaque. Given the actual endpoint of communication (i.e., the application) cannot rely on the IP address, swapping out one IP address for another should have no impact on the integrity of the communication. The fact that current applications have intimate knowledge of the underlying identifiers means e.g., changing an endpoint’s connection to the IP network topology fatally breaks communication. This is not a feature.

However, bringing this back to the original question: if you want to bring more enterprises into the IPv6 fold, arguments about how NAT is evil are worse than a complete waste of time, they’ll probably result in your input being ignored. For good or ill, NAT is embedded into the architecture of the Internet for the foreseeable future (IPv4-only devices are not going to magically vanish) and, with the possible exception of mergers of multiple, conflicting RFC 1918-based networks, the benefit of deploying IPv6 is overwhelmed by the risk and cost. I’d assume most enterprises see the Internet as they do other utilities: a necessary evil (because of the cost) they need to have to get their job done.  I imagine they couldn’t care less about the first 4 bits of the IP header or the length of the address; what they care about is reducing costs and/or improving services. This isn’t religion, it’s business. Understanding, without condescension, what enterprises’ business requirements are would probably be a good first step.

Regards,
-drc

v2.23.0 | Report a Bug | By Email