IETF Logo Mail Archive

Re: The renumbering problem [Re: [BEHAVE] Comments on the NAT66 draft]

james woodyatt <jhw@apple.com> Thu, 20 November 2008 00:59 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 09F7F3A6BC9 for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 19 Nov 2008 16:59:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.796
X-Spam-Level:
X-Spam-Status: No, score=-104.796 tagged_above=-999 required=5 tests=[AWL=-0.901, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DwUpFl4IwSYx for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 19 Nov 2008 16:59:39 -0800 (PST)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id D406D3A6BE0 for <v6ops-archive@lists.ietf.org>; Wed, 19 Nov 2008 16:59:38 -0800 (PST)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1L2xrr-000LG8-FP for v6ops-data@psg.com; Thu, 20 Nov 2008 00:57:59 +0000
Received: from [17.254.13.23] (helo=mail-out4.apple.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <jhw@apple.com>) id 1L2xrm-000LFW-8b for v6ops@ops.ietf.org; Thu, 20 Nov 2008 00:57:56 +0000
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out4.apple.com (Postfix) with ESMTP id DE6554789D44; Wed, 19 Nov 2008 16:57:53 -0800 (PST)
Received: from relay11.apple.com (unknown [127.0.0.1]) by relay11.apple.com (Symantec Brightmail Gateway) with ESMTP id C88E928091; Wed, 19 Nov 2008 16:57:53 -0800 (PST)
X-AuditID: 11807130-ad31dbb000000eb5-9a-4924b6114a51
Received: from [17.151.107.177] (unknown [17.151.107.177]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay11.apple.com (Apple SCV relay) with ESMTP id 65E522808A; Wed, 19 Nov 2008 16:57:53 -0800 (PST)
Cc: IPv6 Operations <v6ops@ops.ietf.org>, Behave WG <behave@ietf.org>
Message-Id: <5E35A200-5C5A-42D8-B02F-31D92649F0C6@apple.com>
From: james woodyatt <jhw@apple.com>
To: Gert Doering <gert@space.net>
In-Reply-To: <20081119092201.GI89033@Space.Net>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: The renumbering problem [Re: [BEHAVE] Comments on the NAT66 draft]
Date: Wed, 19 Nov 2008 18:57:52 -0600
References: <courier.4914868B.00003F53@softhome.net> <9937716B-A667-4FB6-8337-9596AD356901@muada.com> <courier.4917F518.00002B4D@softhome.net> <20081110143243.GI89033@Space.Net> <courier.491852A1.000070E6@softhome.net> <1568D893-1DC9-48CF-A04A-F2B55F31E416@apple.com> <4920E51C.7070007@gmail.com> <60FD682C-1436-493F-995D-4B2A7241D398@apple.com> <20081118220136.GE89033@Space.Net> <E60CDD5C-0D46-4C50-B300-FFAABA8BB704@apple.com> <20081119092201.GI89033@Space.Net>
X-Mailer: Apple Mail (2.929.2)
X-Brightmail-Tracker: AAAAAA==
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On Nov 19, 2008, at 03:22, Gert Doering wrote:
> On Tue, Nov 18, 2008 at 06:29:54PM -0600, james woodyatt wrote:
>>
>>
>> Please, help me understand why solving this problem requires  
>> storing IP addresses in persistent storage without a coherent  
>> caching protocol.  I'm not seeing it-- probably because I'm not  
>> sure I understand the nature and scope of the problem very well.
>
> Uh, well, people usually configure their VPN endpoints (site-to-site,
> not roadwarrior-to-home) with IP addresses.

Ah.  I've given this more thought now, and I'm going to assume that  
we're talking about L3 VPN's and not L2VPN's (but I'm not sure that's  
warranted here).

>> For the sake of argument, I'll accept that reasonable people  
>> currently
>> perceive it to be necessary.  My hunch is that those folks should
>> probably be using DNS-SD instead of the fragile cruftiness they're
>> struggling against now.  Maybe if I understood the problem better, I
>> could suggest a more detailed alternative to their current solution.
>
> Well.  Yes.  I've spent some time after my e-mail yesterday to think  
> about
> this, and actually using DNS (plus some sort of "not completely  
> braindead
> IPSEC implementation") might just work, provided one can get old+new
> addresses working for long enough to DNS to propagate.
>
> Which is not instantaneous, as soon as it leaves the local domain.
>
> Now *this* aspect reduces itself to "educated people that DNS is good"
> and "educate firewall vendors to write useful IPSEC code".

Now that I've had a chance to think about this more carefully, I'm  
reminded of the old, old days when I used to work in an enterprise  
that managed its routing table by copying static routes around with / 
usr/bin/rcp.  This eventually became painful enough that some bright  
soul noticed that networked computers can executed distributed route- 
computation algorithms, e.g. Bellman-Ford, link-state, etc.

I suspect that large enterprise sites with massive collections of  
static VPN tunnel configurations, which need their tunnel endpoint  
addresses renumbered when adding or dropping a PA allocation, would do  
well to think about how such distributed algorithms could be used to  
ease the pain of renumbering.

I would imagine that enterprises with this problem would have an  
incentive to develop a standard protocol for automatically managing  
the routes for complicated VPN topologies.  (I'll even go so far to  
say that something like BGP might be easily adapted to serve in this  
capacity, but I'm not sure.)  I do feel pretty certain about this  
point: before we set about systematically dismantling the utility of  
the provider aggregated addressing architecture in IPv6 as it relates  
to our problems maintaining the scalability of the default-free zone,  
I'd like to see an explanation for why enterprises view automating VPN  
tunnel management as a non-viable alternative solution.

> Another thing that is regularily mentioned regarding "why  
> renumbering is
> hard" is access-lists (aka "firewall rules").  DNS as well?

Sigh.  It's probably a good idea for large sites to use network  
operations and management systems that recognize the distinction  
between the network prefix and the host identifier parts of IPv6  
address.

I recognize that not all IPv6 addresses have such a distinction, but  
enterprises worried about this could conceivably choose IPv6  
deployments where the distinction is significant-- because they can  
use [or build] tools that easily allow access-lists to be composed  
automagickally by combining the host identifiers (don't need  
renumbering) with network identifiers (do need renumbering) without  
requiring a human person to have to sweat all that tedious arithmetic  
and typing.

I anticipate a rebuttal to my arguments above along the lines of this:  
"That's nice, James... but those routing protocols and network  
management tools don't exist today, and we need them!"  My response is  
quite simple: "True, but those are problems worth solving, and I don't  
see how it's a good idea to *avoid* the work of solving them at the  
cost of A) introducing NAT66 into the Internet architecture and/or B)  
exploding the routing tables in the default-free zone."

I could be wrong about that, but I remain unconvinced.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

v2.23.0 | Report a Bug | By Email