Re: [v6ops] New Version Notification for draft-ietf-v6ops-dhcp-pd-per-device-05.txt
Mark Elkins <mark@posix.co.za> Wed, 08 November 2023 07:51 UTC
Return-Path: <mje@posix.co.za>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14171C1C5F32 for <v6ops@ietfa.amsl.com>; Tue, 7 Nov 2023 23:51:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.197
X-Spam-Level:
X-Spam-Status: No, score=-7.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=posix.co.za
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pb7EvpF_mwvn for <v6ops@ietfa.amsl.com>; Tue, 7 Nov 2023 23:51:16 -0800 (PST)
Received: from relay.vweb.co.za (relay.vweb.co.za [IPv6:2001:42a0::73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21026C1C02C6 for <v6ops@ietf.org>; Tue, 7 Nov 2023 23:51:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=posix.co.za ; s=2311; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From: References:To:Subject:Reply-To:Sender:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=0vA9E/r/5KopSgJIsIadIpQA7DVk8cNhzokxST/l8gM=; b=pU0ahIsEKVF7LIqnMvfqUdQXTm 7Esz0ExYyGK5Dm+DQHcZ+bdJpZV54Sk3oR411gxyH9cBmKb75XcyimGjEoCBqDNoLKcZ/o/fSu1Nr LJ8LGx3D+BpIVwxrAyxEkG5ZQzplrTnTyZN5fBzpjNAhp89IL+IysCKEysmHw1VcPwLQ=;
Received: from [165.255.87.210] (port=34086 helo=[160.124.48.9]) by relay.vweb.co.za with esmtpsa (TLS1.3) tls TLS_AES_128_GCM_SHA256 (Exim 4.96.2) (envelope-from <mark@posix.co.za>) id 1r0dL8-000tGh-0Z for v6ops@ietf.org; Wed, 08 Nov 2023 09:51:06 +0200
Reply-To: mje@posix.co.za
To: v6ops@ietf.org
References: <169919966581.36738.5162400304409089286@ietfa.amsl.com> <4598146.F5Vx1aKkY9@asclepius.adm.tul.cz> <CAKD1Yr0uMvS-ctwf+RcDQG6pEwr7Ho7qyi0H7BLu+MFMA496+A@mail.gmail.com> <5666162.ihCYSUqkRZ@asclepius.adm.tul.cz> <296488E6-9A10-41B7-9C77-8AC03A91B5A7@delong.com> <FA8A635D-C8D8-4BBB-9163-9AB35ADD9763@consulintel.es> <442B4E1C-3F7A-4A47-AE30-8761DD7B9A12@delong.com>
From: Mark Elkins <mark@posix.co.za>
Organization: Posix Systems
Message-ID: <149a38c8-2453-93a9-1ad3-13d89a498ad5@posix.co.za>
Date: Wed, 08 Nov 2023 09:50:35 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <442B4E1C-3F7A-4A47-AE30-8761DD7B9A12@delong.com>
Content-Type: multipart/alternative; boundary="------------BE3BFF4B6CE13E1B52B06FB8"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/_5g9x221j9Jv_Cky9gRrKrNWa_U>
Subject: Re: [v6ops] New Version Notification for draft-ietf-v6ops-dhcp-pd-per-device-05.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2023 07:51:24 -0000
Hu? I was the author of the /48 IPv6 policy years back. This lead to 2001:43f8::/48's being given out as PI. The primary opponent to this was Randy Bush. I explicitly did this for the ZACR / UniForum SA - the South African Registry for CO.ZA - etc. This gave the organisation: 2001:43f8:30::/48 2007-07-30 PI6 UNIFORUM-V6-AFRICA Now, if you are asking for PI space for the likes of anything associated with Lu Heng - I wouldn't be surprised if the AfriNIC Staff played hard ball and refused. As you are also associated, perhaps that is why you may find it difficult as well? No offence intended - I don't work for AfriNIC. On 2023/11/07 22:02, Owen DeLong wrote: > Disagree. > > First, the level of restrictiveness in the policy is more restrictive > (for one thing, there is no provision for IPv6 PI to end sites in > AFRINIC). > Second, the AFRINIC staff implementation of policies doesn’t tend to > align very well with the written policies and they can be very > discriminatory about it based on undocumented and unpublished > criteria. There is no consistency of customer experience in trying > to obtain addresses from AFRINIC. > > Hopefully once AFRINIC has a new board, they will appoint new > management and start to fix some of these issues, bu until then, > the fact remains that AFRINIC is the most difficult registry to deal > with and the least prone to processing requests in any reasonable > time frame or equitable manner. > > Owen > > >> On Nov 7, 2023, at 01:31, jordi.palet@consulintel.es >> <jordi.palet=40consulintel.es@dmarc.ietf.org> wrote: >> >> Since the last policy changes that I proposed in AFRINIC, I don’t >> think we can say they are more restrictive than in the other regions. >> Basically, from a practical point of view, all the regions look >> almost the same now. >> >> Regards, >> Jordi >> >> @jordipalet >> >> >>> El 6 nov 2023, a las 22:51, Delong.com >>> <owen=40delong.com@dmarc.ietf.org> escribió: >>> >>> >>> >>>> On Nov 6, 2023, at 11:46, Martin Huněk <martin.hunek@tul.cz> wrote: >>>> >>>> Hi, >>>> >>>> Dne pondělí 6. listopadu 2023 10:00:14 CET, Lorenzo Colitti napsal(a): >>>>> On Mon, Nov 6, 2023 at 2:41 AM Martin Huněk <martin.hunek@tul.cz> >>>>> wrote: >>>>> >>>>>> If you have at least X+32 of IPv6, you can be in the same >>>>>> situation with >>>>>> IPv6 as you are in IPv4. Now, do we want to be in the same >>>>>> situation? Why >>>>>> migrate to IPv6, then? >>>>>> >>>>> >>>>> It's not the same situation. As the draft explains, x+32 is 32 >>>>> times better >>>>> than IPv4 if we never move beyond 2000::/3. If we move beyond >>>>> 2000::/3, >>>>> it's 256 times better than IPv4. Whether any given network has >>>>> enough space >>>>> for that is up to the operators and the RIRs. Based on your >>>>> comments, it's >>>>> clearly not enough for your network. That's OK - whether a network >>>>> uses >>>>> this model is up to the network, and it's pretty clear that there >>>>> are some >>>>> networks, like home networks with only a /64 or a /60, that will >>>>> never be >>>>> able to run this model due to lack of space. >>>> >>>> I do have /16 of IPv4 and /48 of IPv6. By the formula presented in >>>> the draft I get the exact result: >>>> X = 16 >>>> 16 + 32 = 48 >>>> So I'm in precisely the same situation as I'm with IPv4. How is it >>>> any better than the address-space constraints of IPv4? I do not >>>> necessarily care who is to blame. I just know what I have, and even >>>> if I'm allowed to expand the address space, I would be forced to >>>> renumber. There would be almost zero gain for clients having /64 >>>> compared to /80 (when we do not allow network extension), so for me >>>> personally, having a strict /64 barrier is just a complication and >>>> a poor design choice, especially when a host is not informing how >>>> big a prefix it really needs. >>> >>> Well… In IPv4, you have 65,536 unique addresses and can number (up >>> to) 65,534 unique hosts (assuming a flat network with no subnetting) >>> and each host gets exactly one address. >>> >>> With this proposal, you can (theoretically) number 65,536 unique >>> hosts each of which can either provide a downstream subnet to >>> attached hosts (acting as a router) or unique additional address to >>> containers/VMs/services/whatever on the actual host (or presumably >>> with some creative allocation policy and bridging some combination >>> of both). >>> >>> So I wouldn’t call that “exactly the same situation”. Further, not >>> every host has to ask for or receive a /64, presumably this is being >>> done through PD on request, so you could have entire networks that >>> don’t make use of this draft or parts of networks or… >>> >>> There’s a lot more flexibility here than with IPv4 even in the worst >>> case scenario that you focus on, and the reality is that very few >>> implementations will actually represent the kinds of absolutism >>> being discussed here. >>> >>>>> FWIW, I think you said that in order to use this you'd need to >>>>> assign a /49 >>>>> to your Wi-Fi network? That doesn't seem unreasonable to me, or to >>>>> other >>>>> operators that are part of this discussion. >>>> >>>> It doesn't seem reasonable to me. It is half of my address space, >>>> and I won't be getting more; it is without reserves to expand, and >>>> I had to move several networks to clear it. If a host would have >>>> been fine with /80, I would be just fine with one /64 or /63 (or >>>> /60). I could manage just fine with what I have. It makes even more >>>> sense as we do not allow a network extension. >>> >>> OK, since you don’t allow network extension, and you don’t want to >>> support SLAAC in your environment, presumably you can implement >>> outside of the recommendations contained in this draft. AIUI, this >>> is an informational / best practice draft and not a standards-track >>> document. As such, I think we should document the case that covers >>> the majority of use situations and accept that some corner cases >>> (such as yours) may not fit. >>> >>>>> >>>>> Remember, what we are trying to do here is a compromise: provide >>>>> to network >>>>> operators the control and tracking that they like to have via >>>>> DHCPv6, while >>>>> ensuring that connected devices can support pretty much any use case, >>>>> including hosts forming unlimited addresses, plugging in routers, >>>>> and doing >>>>> a moderate amount of network extension with end-to-end >>>>> connectivity and >>>>> without NAT. We think this model has a lot of advantages, but it's >>>>> definitely not the only one. >>>> >>>> If any user is allowed to extend the network, how do I know who is >>>> the end user? Unsupported, not allowed things should be hard to get >>>> working. If someone tries to extend the network (while not allowed >>>> to do so), I want his/her attempt to fail. Then, the broken >>>> connectivity is desired. >>>> >>>> Btw: Do you have any data about how big a share of a company allows >>>> the "bring your own router" policy in their corporate network? >>>> Network extension in corporate networks is not a common use case, >>>> in my opinion. >>> >>> Network extension within policy is not a common use case. >>> >>> As someone whose job has regularly included tracking such extensions >>> down and extinguishing them due to policy != user intent, I can >>> absolutely guarantee you that it is a much more common use case than >>> you’d like to believe. I’ll also guarantee you that users will go to >>> impressive and bizarre lengths to do so. In the IPv4 world, the >>> common solution is just more layers of NAT which (IMHO) is even >>> worse because now the extension is virtually transparent, nearly >>> undetectable, and a major pain to identify and resolve. >>> >>> At least if the host is asking for a /64 and extending the network, >>> you have some visibility into what is happening, even if the exact >>> topology isn’t 100% transparent. >>> >>> Bottom line, today, what you don’t want to allow is already super >>> easy in IPv4. >>> >>>>> I agree with Gert. You can have /80s all you want, but you are not >>>>> getting >>>>>> /64s from me. If your implementation requires it, then it is >>>>>> NAT66 for you, >>>>>> ND proxy, or IPv4 only. You choose. >>>>>> >>>>> >>>>> I hate to say it, but... network operators saying, "my network, my >>>>> rules" >>>>> and insisting that devices will only have the amount of address >>>>> space that >>>>> they think they need is precisely why host implementers don't trust >>>>> networks to do the right thing. >>>> >>>> The implementers know less about the network the device is >>>> connected to than the admins running it. Quite frankly, you would >>>> not be able to know local restrictions, nor would you care. >>>> >>>> Yes, we can make this mutual distrust basis to reconsider BYOD >>>> policies. >>> >>> This is a religious issue that isn’t (and probably shouldn’t) going >>> to get resolved in the IETF, IMHO. >>> >>> Each network operator and the hosts administrators using said >>> network ends up having to find some balance they can both accept on >>> a case-by-case basis. >>> >>> In environments where there are professionals on both sides of the >>> equation able to work as a team, this can go fairly smoothly. In >>> environments where host administration is the Wild West of software >>> developers doing whatever they think they need without regard to >>> network or corporate policy, this can be a much bigger adventure. In >>> environments where the networking team went to the BOFH school of >>> network management, this can also be a much bigger adventure. >>> >>> I’ve seen examples of all three of these scenarios. The obvious >>> worst case is Wild West developers + a BOFH trained network team >>> (and I’ve seen that too). >>> >>>>> This is why we need a fixed boundary - otherwise we end up with a >>>>> race to >>>>> the bottom that ends at /128. At the moment, the only possible fixed >>>>> boundary is /64, because once the device gets a /64, it can do >>>>> whatever it >>>>> wants, and extend the network all it wants, using SLAAC. If we >>>>> make SLAAC >>>>> run on longer prefixes, then maybe we'll all agree on one size. >>>>> But who >>>>> knows if that will work. Just like you say, "you can have all the >>>>> /80s you >>>>> want, but you're not getting /64s", some other operators saying, >>>>> "you can >>>>> have all the /128s you want, but you're not getting /80s". One >>>>> thing at a >>>>> time. If we make this model work with /64s, maybe it's possible to >>>>> imagine >>>>> changing SLAAC. >>>>> >>>> Do you really think that? Yes, there will be some networks that >>>> will use IPv4 principles and try to conserve IP space so much that >>>> they try to give too little to clients. However, many more are >>>> adhering to recommendations made by IETF or RIR. At ISP, I give /56 >>>> to residential clients, /48 to companies (or upon request). I could >>>> give just /64 or /60, but I know what I would like to have at home >>>> and how many I can assign to maintain a reasonable addressing plan. >>>> It is up to me as a Network administrator to make the plan and >>>> configure my routers accordingly. >>> >>> Last I looked, the largest US Cable MSO is giving out /64 to >>> residential end users unless they request up to a /60. The won’t >>> give anything shorter than /60 to a residential customer. >>> >>> I believe their business customers can get up to a /56. >>> >>> There’s a guy running around most of the WISP conferences in the US >>> that unfortunately has the ear of lots of WISPs and preaches /60 for >>> customer end sites. >>> >>> As such, I think your statement about “most” might hold water, but >>> in terms of most customers impacted, no, it does not. >>> >>>> I'm not really in the camp of let's change an SLAAC prefix size as >>>> we would not see practical results in years to come. However, if it >>>> provides me with additional tools to manage my networks, then why not? >>> >>> I could care less about changing the SLAAC prefix size, but I >>> wouldn’t oppose a draft requiring support for greater prefix size >>> flexibility in SLAAC. My concern is that if we manage to make SLAAC >>> with /80 (for example) default working configuration across a wide >>> variety of residential gateways, you’ll see MSOs treat that as an >>> excuse to start handing out /76 instead of /60. >>> >>>> This draft is a bit different. If every device required a /64 and >>>> it would like to extend the network, I would be pushed around, and >>>> I hate that. Clients would push me to give them /64, SCO would push >>>> me on network security front, and RIPE policy and upstream >>>> addressing plan are constraining me with address space. Having an >>>> OS vendor pushing me with the substantial number of devices is the >>>> thing I need the least. >>> >>> Actually, RIPE policy isn’t constraining you here. RIPE policy would >>> allow you to request additional space. >>> >>> RIPE already defaults to /29 and virtually any half-way believable >>> justification for a shorter prefix is acceptable under their policy. >>> Similarly, ARIN policy provides a great deal of flexibility here >>> with pretty generous nibble-boundary round-ups. I believe the most >>> restrictive IPv6 policy remains AFRINIC and even it provides >>> relatively easy ways to get enough address space to accommodate this >>> draft. >>> >>> Owen >>> >>> _______________________________________________ >>> v6ops mailing list >>> v6ops@ietf.org >>> https://www.ietf.org/mailman/listinfo/v6ops >> >> >> ********************************************** >> IPv4 is over >> Are you ready for the new Internet ? >> http://www.theipv6company.com >> The IPv6 Company >> >> This electronic message contains information which may be privileged >> or confidential. The information is intended to be for the exclusive >> use of the individual(s) named above and further non-explicilty >> authorized disclosure, copying, distribution or use of the contents >> of this information, even if partially, including attached files, is >> strictly prohibited and will be considered a criminal offense. If you >> are not the intended recipient be aware that any disclosure, copying, >> distribution or use of the contents of this information, even if >> partially, including attached files, is strictly prohibited, will be >> considered a criminal offense, so you must reply to the original >> sender to inform about this communication and delete it. >> >> _______________________________________________ >> v6ops mailing list >> v6ops@ietf.org >> https://www.ietf.org/mailman/listinfo/v6ops > > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops -- Mark James ELKINS - Posix Systems - (South) Africa mje@posix.co.za Tel: +27.826010496 <tel:+27826010496> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za <https://ftth.posix.co.za> Posix SystemsVCARD for MJ Elkins
- Re: [v6ops] New Version Notification for draft-ie… Jen Linkova
- Re: [v6ops] New Version Notification for draft-ie… Brian E Carpenter
- Re: [v6ops] New Version Notification for draft-ie… Gert Doering
- Re: [v6ops] New Version Notification for draft-ie… Lorenzo Colitti
- Re: [v6ops] New Version Notification for draft-ie… Jen Linkova
- Re: [v6ops] New Version Notification for draft-ie… Martin Huněk
- Re: [v6ops] New Version Notification for draft-ie… Martin Huněk
- Re: [v6ops] New Version Notification for draft-ie… Lorenzo Colitti
- Re: [v6ops] New Version Notification for draft-ie… Delong.com
- Re: [v6ops] New Version Notification for draft-ie… jordi.palet@consulintel.es
- Re: [v6ops] New Version Notification for draft-ie… Owen DeLong
- Re: [v6ops] New Version Notification for draft-ie… Frank Habicht
- Re: [v6ops] New Version Notification for draft-ie… Owen DeLong
- Re: [v6ops] New Version Notification for draft-ie… Mark Elkins
- Re: [v6ops] New Version Notification for draft-ie… jordi.palet@consulintel.es
- Re: [v6ops] New Version Notification for draft-ie… Alexandre Petrescu
- Re: [v6ops] New Version Notification for draft-ie… owen@Delong.com
- Re: [v6ops] New Version Notification for draft-ie… Martin Huněk
- Re: [v6ops] New Version Notification for draft-ie… Owen DeLong
- Re: [v6ops] New Version Notification for draft-ie… Philipp S. Tiesel
- Re: [v6ops] New Version Notification for draft-ie… Nick Buraglio
- Re: [v6ops] New Version Notification for draft-ie… Brian E Carpenter
- Re: [v6ops] New Version Notification for draft-ie… Tim Chown