Re: [v6ops] I-D Action: draft-ietf-v6ops-6to4-to-historic-10.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 11 January 2015 01:10 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0097C1A01F0 for <v6ops@ietfa.amsl.com>; Sat, 10 Jan 2015 17:10:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4jSSxq8N4Rag for <v6ops@ietfa.amsl.com>; Sat, 10 Jan 2015 17:09:54 -0800 (PST)
Received: from mail-pd0-x22d.google.com (mail-pd0-x22d.google.com [IPv6:2607:f8b0:400e:c02::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22DE71A1AB1 for <v6ops@ietf.org>; Sat, 10 Jan 2015 17:09:54 -0800 (PST)
Received: by mail-pd0-f173.google.com with SMTP id ft15so24248095pdb.4 for <v6ops@ietf.org>; Sat, 10 Jan 2015 17:09:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=YLXJpCXpZDflORpH9bzWaPkxmk6R+kof7ITOk66IaqM=; b=sQQNwn2UH+JhpUN8uNQlYmL5Lhu8qlrdbiJbky7FT+3CR0wY1e7MSWSXY04Yg8Jorj cgsfdX82mUXyeRbiswalAECQfSJQ74vWDCstDhpziWnKLaiWmKlY/JXjitEEYEaTqGW7 +jYmKVF6M7AJ+JTffabgQ9fSIEcwsMUOdh2aTXkImtNYKvksNzRPpmF1ejkx3q/udVLh qr8WUAHsJUzf7t8SSmovAPk/dmrAFtqyKS+WkHi0VKjeE02MCxz2ll8RUTob0oY5dsqE CkSKOFuhFrvMEDiDdCw5eReZp/N7VAXD5GmxFrrT4DMNZHGmLbU0YTlmdqTsCdguwQ1r uOVg==
X-Received: by 10.70.133.138 with SMTP id pc10mr34214692pdb.47.1420938593382; Sat, 10 Jan 2015 17:09:53 -0800 (PST)
Received: from ?IPv6:2406:e007:5e1b:1:28cc:dc4c:9703:6781? ([2406:e007:5e1b:1:28cc:dc4c:9703:6781]) by mx.google.com with ESMTPSA id wj3sm10786050pab.40.2015.01.10.17.09.50 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 10 Jan 2015 17:09:52 -0800 (PST)
Message-ID: <54B1CD5C.3090107@gmail.com>
Date: Sun, 11 Jan 2015 14:09:48 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: David Farmer <farmer@umn.edu>, v6ops@ietf.org
References: <20150104190416.29186.39009.idtracker@ietfa.amsl.com> <54A99025.4040506@gmail.com> <54B04BC8.1020902@umn.edu>
In-Reply-To: <54B04BC8.1020902@umn.edu>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/_5QrMgnyl0HDjut_w1bjX82w9as>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-6to4-to-historic-10.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Jan 2015 01:10:14 -0000

David,

On 10/01/2015 10:44, David Farmer wrote:
> On 1/4/15, 13:10 , Brian E Carpenter wrote:
>> This version is intended to respond to Keith Moore's comments before
>> the holidays, with a number of clarifications and simplifications.
>> There is not intended to be any change to the actual recommendations.
> 
> I think the new draft is an improvement, I did a detailed review and have a list of several items for you to consider;
> 
> 1. In section 3, the second sentence of the first paragraph and the first sentence of the second paragraph seem to say virtually
> the same thing.
> 
> I suggest leaving the first paragraph as-is, deleting the first sentence of the second paragraph, and slightly rewriting the
> remainder of the second paragraph, maybe as follows;
> 
>    In the forward direction a 6to4 node will send native IPv6 traffic
>    to a 6to4 relay router, that is connected both to the 6to4 cloud and
>    to native IPv6.  In the reverse direction a 2002::/16 route is
>    injected into the native IPv6 routing domain to attract traffic from
>    native IPv6 nodes to a 6to4 relay router.  It is expected that
>    traffic will use different relays in the forward and reverse
>    direction.

Agreed.

> 
> 2. The last paragraph of section 3 says;
> 
>    Peer-to-peer usage of the 6to4 mechanism, not depending on the
>    anycast mechanism, might exist in the Internet, largely unknown to
>    operators.  This is harmless to third parties and the current
>    document is not intended to prevent such traffic continuing.
> 
> This could be taken by some to imply that the document intends to prevent anycast 6to4 traffic from continuing, more than simply
> deprecating anycast 6to4, I'd suggest rewriting the paragraph, maybe as follows;
> 
>    Peer-to-peer usage of the 6to4 mechanism exists in the Internet,
>    likely unknown to many operators.  This usage is harmless to third
>    parties and is not dependent on the anycast 6to4 mechanism that this
>    document deprecates.

Agreed.

> 
> 3. In section 4, first paragraph, I believe anycast 6to4 needs to be default disabled in any new 6to4 implementation.  Maybe add
> the following to the paragraph;
> 
>    However, if included in any new implementations, the anycast 6to4
>    mechanism MUST NOT be enabled by default.

Yes, that is certainly intended and I'm surprised that it isn't already
there.

> 
> 4. Section 4, fourth paragraph, is confusing me. It says;
> 
>    Implementations capable of acting as 6to4 routers MUST NOT enable
>    6to4 without explicit user configuration.  In particular, enabling
>    IPv6 forwarding on a device MUST NOT automatically enable 6to4.
> 
> As written the first sentences seems to be repeating the last sentence of third paragraph, just above it.  I think maybe it was
> meant to say;
> 
>    Implementations capable of acting as IPv6 routers MUST NOT enable...

Yes.

> 
> 5. In previous discussions of the text in section 4, sixth paragraph, the issue of uRPF came up.  I think something about uRPF,
> BCP38, and BCP84 should get added to this paragraph.  Maybe something like this;
> 
>    This includes ensuring that traffic from a local 6to4 return relay
>    with a source address of 192.88.99.1 is allowed through
>    Anti-spoofing filters such as those described in [BCP38] and [BCP84]
>    or through Unicast Reverse-Path-Forwarding (uRPF) checks.

Agreed.

> 
> 6. On the more general question of filtering and the intended affect of deprecation, I would like to see the issue more strongly
> addressed with something like the following added;
> 
>    This deprecation does not constitute a recommendation for the
>    generalized filtering of traffic or routes for 6to4 or even anycast
>    6to4.  Both the basic 6to4 and anycast 6to4 mechanisms remain valid
>    traffic to be carried on the Internet.  In general terms this
>    document simply recommends against further deployment of the anycast
>    6to4 mechanism, calls for current 6to4 deployments to evaluate the
>    efficacy of continued use of the anycast 6to4 mechanism, and makes
>    recommendations intended to prevent any use of 6to4 from hampering
>    broader deployment and use of native IPv6 on the Internet as a
>    whole.

I suspect that would be controversial because of the "remains valid"
phrase, so I would delete that sentence.

> 
> 7. We should have recommendations applicable to operators of the hosts, something like the following;
> 
>    All hosts using 6to4 SHOULD support the IPv6 address selection
>    policy described in [RFC6724] or be manually configured with an
>    address selection policy preferring IPv4 over a 6to4 source
>    address.  Further, 6to4 hosts SHOULD support "Happy Eyeballs"
>    [RFC6555] or use a browser supporting "Happy Eyeballs".  Any hosts
>    not meeting these requirements SHOULD NOT use, or continue to use,
>    the deprecated anycast 6to4 mechanism.

I agree with the sentiments. But I'd like to hear a positive echo from
the WG, because this seems like a substantive addition.

> 
> 9. On a higher level, section 4 seem to be a bit of a hodgepodge of issues and ideas;  I'm thinking split out the
> recommendations into a separate section.  Maybe even split the recommendations into separate operational and implementation
> sections or sub-sections if you prefer.

It's true that this section has grown a bit organically. I think I agree
with your proposal, but I'll only find out for sure when I get my
editing fingers going. That seems unlikely to happen for the next couple
of weeks.

Regards
    Brian

> 
> Taking this into account, including the issues for section 4 from above and taking editorial license to rearrange and rewrite a
> few things, I suggest something like the following;
> 
> ---
> 
> 4.  Deprecation
> 
>    This document formally deprecates the anycast 6to4 transition
>    mechanism defined in [RFC3068] and the associated anycast IPv4
>    address 192.88.99.1. It is no longer considered to be a useful
>    service of last resort.
> 
>    The prefix 192.88.99.0/24 MUST NOT be reassigned for other use except
>    by a future IETF standards action.
> 
>    The guidelines in Section 4 of [RFC6343] remain valid for those who
>    choose to continue operating Anycast 6to4 despite its deprecation.
>    However, 6to4 Provider Managed Tunnels [RFC6732] will no longer be
>    necessary, so they are also deprecated by this document.
> 
>    The basic unicast 6to4 mechanism defined in [RFC3056] and the
>    associated 6to4 IPv6 prefix 2002::/16 are not deprecated.  The
>    default address selection rules specified in [RFC6724] are not
>    modified.
> 
>    This deprecation does not constitute a recommendation for the
>    generalized filtering of traffic or routes for 6to4 or even anycast
>    6to4.  Both the basic 6to4 and anycast 6to4 mechanisms remain valid
>    traffic to be carried on the Internet.  In general terms this
>    document simply recommends against further deployment of the anycast
>    6to4 mechanism, calls for current 6to4 deployments to evaluate the
>    efficacy of continued use of the anycast 6to4 mechanism, and makes
>    recommendations intended to prevent the use of 6to4 from hampering
>    broader deployment and use of native IPv6 on the Internet as a
>    whole.
> 
>    Incidental references to 6to4 should be reviewed and possibly removed
>    from other IETF documents if and when they are updated.  These
>    documents include RFC3162, RFC3178, RFC3790, RFC4191, RFC4213,
>    RFC4389, RFC4779, RFC4852, RFC4891, RFC4903, RFC5157, RFC5245,
>    RFC5375, RFC5971, RFC6071 and RFC6890.
> 
> 5. Implementation Recommendations
> 
>    Implementations MUST NOT enable the basic unicast 6to4 mechanism
>    defined in [RFC3056] without explicit user configuration.  Further,
>    it is NOT RECOMMENDED to include the anycast 6to4 mechanism defined
>    in [RFC3068] in any new implementations.  However, if included in
>    any new implementations, the anycast 6to4 mechanism MUST NOT be
>    enabled by default.
> 
>    All implementations that include 6to4 SHOULD also include "Happy
>    Eyeballs" [RFC6555] and the default address selection rules
>    specified in [RFC6724].
> 
>    Implementations capable of acting as IPv6 routers MUST NOT enable
>    6to4 without explicit user configuration.  In particular, enabling
>    IPv6 forwarding on any device MUST NOT automatically enable 6to4.
> 
> 6. Operational Recommendations
> 
>    All hosts using 6to4 SHOULD support the default address selection
>    rules specified in [RFC6724] or be manually configured with an
>    address selection rule preferring IPv4 over a 6to4 source
>    address.  Further, 6to4 hosts SHOULD support "Happy Eyeballs"
>    [RFC6555] or use a browser supporting "Happy Eyeballs".  Any hosts
>    not meeting these requirements SHOULD NOT use, or continue to use,
>    the deprecated anycast 6to4 mechanism.
> 
>    Current operators of an anycast 6to4 relay with the IPv4 address
>    192.88.99.1 SHOULD review the information in [RFC6343] and the
>    present document, and then consider carefully whether the anycast
>    relay can be discontinued as traffic diminishes.  Internet service
>    providers that do not operate an anycast relay but do provide their
>    customers with a route to 192.88.99.1 SHOULD verify that it does in
>    fact lead to an operational anycast relay, as discussed in
>    Section 4.2.1 of [RFC6343].  Furthermore, Internet service providers
>    and other network providers MUST NOT originate a route to
>    192.88.99.1, unless they actively operate and monitor an anycast 6to4
>    relay service as detailed in Section 4.2.1 of [RFC6343].
> 
>    Operators of a 6to4 return relay responding to the IPv6 prefix
>    2002::/16 SHOULD review the information in [RFC6343] and the present
>    document, and then consider carefully whether the return relay can be
>    discontinued as traffic diminishes.  To avoid confusion, note that
>    nothing in the design of 6to4 assumes or requires that return packets
>    are handled by the same relay as outbound packets.  As discussed in
>    Section 4.5 of RFC 6343, content providers might choose to continue
>    operating a return relay for the benefit of their own residual 6to4
>    clients.  Internet service providers SHOULD announce the IPv6 prefix
>    2002::/16 to their own customers if and only if it leads to a
>    correctly operating return relay as described in RFC 6343.  IPv6-only
>    service providers, including those operating a NAT64 service
>    [RFC6146], are advised that their own customers need a route to such
>    a relay in case a residual 6to4 user served by a different service
>    provider attempts to communicate with them.
> 
>    Networks SHOULD NOT filter out packets whose source address is
>    192.88.99.1, because this is normal 6to4 traffic from a 6to4 return
>    relay somewhere in the Internet.  This includes ensuring that traffic
>    from a local 6to4 return relay with a source address of 192.88.99.1
>    is allowed through Anti-spoofing filters such as those described in
>    [BCP38] and [BCP84] or through Unicast Reverse-Path-Forwarding
>    (uRPF) checks.
> 
> Thanks
>