Re: [v6ops] new draft: draft-colitti-v6ops-host-addr-availability

"Mukom Akong T." <mukom.tamon@gmail.com> Wed, 15 July 2015 20:58 UTC

In-Reply-To: <55A6771E.30805@gmail.com>
References: <201507061147.t66Bl1AE028312@irp-lnx1.cisco.com> <9290D0D1-062A-4DE0-A437-9A5F5045ACAC@gmail.com> <39F63B55-977F-4B84-8B55-52E2F0B1A851@cisco.com> <55A6771E.30805@gmail.com>
From: "Mukom Akong T." <mukom.tamon@gmail.com>
Date: Wed, 15 Jul 2015 21:57:24 +0100
Message-ID: <CAHDzDLC55T0PdsGc2L4o4aBCNMeqAzEXDk4Bu8nOaWwMRa4uhA@mail.gmail.com>
To: IPv6 Operations <v6ops@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/ajo3hnZg6NSSwJGWr6mYgCl9zbQ>
Subject: Re: [v6ops] new draft: draft-colitti-v6ops-host-addr-availability

When you read the entire draft, it makes sense and I'd go with the spirit.
And I agree with Fred that the problem statement needs to be more succinct.


Question to Authors:  For addresses that belong to the same interface, is
there a requirement for them to belong to different prefixes?

If not, then for any address gotten from DHCPv6 IA_NA, perhaps a SLAAC
address (or many) can be generated from that prefix. You’d already get
similar behaviour if you used DHCPv6 and configured an IP address from the
same DHCPv6 scope (but in the exclude list) statically on the interface towards
the hosts (assuming the default behaviour of some platforms to send out
PIOs in RAs for any addresses manually configured on them).

On 15 July 2015 at 16:07, Alexandru Petrescu <alexandru.petrescu@gmail.com>
wrote:

>
> On 07/07/2015 02:02, Fred Baker (fred) wrote:
>
>> Thanks. One question. Chair hat off.
>>
>> Section 2 identifies the current deployment model - each interface
>> has a link-local address, a SLAAC address, and one or more temporary
>> addresses. I haven't heard anyone complaining about that. Section 3
>> goes on to discuss virtual machines/containers, which might each have
>> additional addresses, and the model Facebook is reportedly using,
>> which gives individual addresses to processes. It also mentions
>> draft-herbert-nvo3-ila, which is not a stupid model - I still have
>> some comments on it in a multi-administration environment or for
>> running applications in an "inside" and an "outside" address ("NAT
>> has well-known drawbacks"), but it at least gets rid of the random
>> encapsulations predominant in data centers today.
>>
>> In other words, we already assign multiple addresses, by some means,
>> to each interface in a network.
>>
>> You mention SLAAC. Lorenzo mentions that in section 7. He also
>> mentions DHCP address and prefix allocation.
>>
>> The statement that I don't see in the document, which would help me
>> personally, is a problem statement. I would guess that the problem
>> statement is "we think some networks are limiting host interfaces to
>> a single IPv6 address." I'd want a little more detail, but I'll bet
>> that's the crux of it.
>>
>> So my question is: "precisely what problem are we solving here?".
>>
>
> One problem I see is when operators deliver a single global /64 prefix,
> and that /64 is understood as a single IPv6 global address.
>
> Forming multiple IPv6 addresses out of a single /64 is possible for
> multiple apps running on that device, so that may not be a problem.
> There may be some privacy concerns though, in that an attacker can
> identify there is a single device there (the /64 is unique).
>
> But 'sharing' these IPv6 addresses with some other devices (64share) has
> more serious drawbacks, typically in the number of subnets - only one
> subnet is possible.
>
> (to that, one should add an explanation of why operators deliver a
> single /64 to a device - accounting)
>
> Alex
>
>>> On Jul 6, 2015, at 2:39 PM, Andrew Yourtchenko <ayourtch@gmail.com> wrote:
>>>
>>> I read the draft and absolutely agree with the spirit.
>>>
>>> Unfortunately, I think it won't work:
>>>
>>> As soon as the devices work "good enough" with a single address,
>>> appealing to increase the amount of work by administrators in the
>>> name of humanity is going to fall on deaf ears.
>>>
>>> The only way I see to solve this is to always use SLAAC on the
>>> devices: either 'externally' from the prefix received within the
>>> RA, or 'internally' from within the prefix received via DHCP-PD,
>>> and provide a mandatory registration mechanism for name-to-IP
>>> mapping.
>>>
>>> If neither of the above works, as a backup effort the device can
>>> try getting N addresses via DHCP IA_NA and release those that it
>>> does not need immediately - and displaying a big yellow warning
>>> "This network may restrict IPv6 functionality and eat your
>>> kittens, contact your system administrator". Because ND is not
>>> going to happen on these 'extra' addresses, forwarding-wise there
>>> will be no impact, just some more DHCP traffic after attachment
>>> (the "limited functionality" of course would need just one address
>>> and can start immediately).
>>>
>>> Those who want tracking can track the upper 64 bits or use IA_NA
>>> and filter out the addresses that are short-lived.
>>>
>>> Of course, to avoid being a religious crusade such an effort needs
>>> to produce something pragmatic - namely, a userland cross-platform
>>> API that would allow getting new addresses on demand by application
>>> and, if need be, implementing custom transport protocols on top
>>> of those on a per-app-per-address basis.
>>>
>>> The above conjecture however is even less realistic than politely
>>> asking the inconveniences away, so the logical conclusion from
>>> that is I fully support this draft.
>>>
>>> --a
>>>
>>>> On 06 Jul 2015, at 13:47, fred@cisco.com wrote:
>>>>
>>>> A new draft has been posted, at
>>>> http://tools.ietf.org/html/draft-colitti-v6ops-host-addr-availability.
>>>>
>>>> Please take a look at it and comment.
>>>>
>>>> _______________________________________________ v6ops mailing
>>>> list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops



-- 

Mukom Akong T.

http://about.me/perfexcellence |  twitter: @perfexcellent
------------------------------------------------------------------------------------------------------------------------------------------
“When you work, you are the FLUTE through whose lungs the whispering of the
hours turns to MUSIC” - Kahlil Gibran
-------------------------------------------------------------------------------------------------------------------------------------------
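As an added illustration of the question raised in this message (forming further SLAAC-style addresses inside the /64 of a DHCPv6 IA_NA address) and of the multiple-addresses-per-interface model discussed in the quoted replies, here is example code that is not from the thread or from the draft. The prefix 2001:db8:1:2::/64, the addresses, the interface name, the network identifier and the secret are all constructed placeholders; the IID derivations follow the RFC 7217 (stable) and RFC 4941 (temporary) patterns in simplified form.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample input: addresses one interface might already hold
# (link-local, a SLAAC address, a DHCPv6 IA_NA address). 2001:db8:1:2::/64
# and every address below are made-up placeholders, not from the thread.
IA_NA_ADDRESS = ipaddress.IPv6Address("2001:db8:1:2::1234")
INTERFACE_ADDRESSES = [
    ipaddress.IPv6Address("fe80::1"),
    ipaddress.IPv6Address("2001:db8:1:2:a1b2:c3ff:fed4:e5f6"),
    IA_NA_ADDRESS,
]

def prefix_of(addr, length=64):
    """Return the /length network an address lies in."""
    return ipaddress.IPv6Network((addr, length), strict=False)

def group_by_prefix(addresses):
    """Inventory the interface: which /64s do its addresses fall in?"""
    groups = {}
    for a in addresses:
        groups.setdefault(prefix_of(a), []).append(a)
    return groups

def stable_iid(prefix, iface, net_id, secret):
    """RFC 7217-style stable IID: HMAC(secret, prefix|iface|net_id), low 64 bits."""
    msg = prefix.network_address.packed + iface.encode() + net_id.encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:8], "big")

def temporary_iid():
    """RFC 4941-style random IID with the u/l bit (0x02 of byte 0) cleared."""
    raw = bytearray(secrets.token_bytes(8))
    raw[0] &= 0xFD
    return int.from_bytes(raw, "big")

def address_in(prefix, iid):
    """Combine a /64 prefix with a 64-bit IID into a full address."""
    return ipaddress.IPv6Address(int(prefix.network_address) | (iid & ((1 << 64) - 1)))

def extra_addresses(ia_na_addr, iface, net_id, secret, n_temporary=2):
    """SLAAC-style addresses inside the /64 of a DHCPv6 IA_NA address:
    one stable address plus n_temporary temporary ones, all in one prefix."""
    pfx = prefix_of(ia_na_addr)
    addrs = [address_in(pfx, stable_iid(pfx, iface, net_id, secret))]
    addrs += [address_in(pfx, temporary_iid()) for _ in range(n_temporary)]
    return addrs
```

Whether such addresses are actually usable depends on the network performing ND for them and on any per-port address limits, which is exactly the operational constraint the thread is about.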