Re: The renumbering problem [Re: [BEHAVE] Comments on the NAT66 draft]
james woodyatt <jhw@apple.com> Thu, 20 November 2008 00:59 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 09F7F3A6BC9 for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 19 Nov 2008 16:59:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.796
X-Spam-Level:
X-Spam-Status: No, score=-104.796 tagged_above=-999 required=5 tests=[AWL=-0.901, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DwUpFl4IwSYx for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 19 Nov 2008 16:59:39 -0800 (PST)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id D406D3A6BE0 for <v6ops-archive@lists.ietf.org>; Wed, 19 Nov 2008 16:59:38 -0800 (PST)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1L2xrr-000LG8-FP for v6ops-data@psg.com; Thu, 20 Nov 2008 00:57:59 +0000
Received: from [17.254.13.23] (helo=mail-out4.apple.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <jhw@apple.com>) id 1L2xrm-000LFW-8b for v6ops@ops.ietf.org; Thu, 20 Nov 2008 00:57:56 +0000
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out4.apple.com (Postfix) with ESMTP id DE6554789D44; Wed, 19 Nov 2008 16:57:53 -0800 (PST)
Received: from relay11.apple.com (unknown [127.0.0.1]) by relay11.apple.com (Symantec Brightmail Gateway) with ESMTP id C88E928091; Wed, 19 Nov 2008 16:57:53 -0800 (PST)
X-AuditID: 11807130-ad31dbb000000eb5-9a-4924b6114a51
Received: from [17.151.107.177] (unknown [17.151.107.177]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay11.apple.com (Apple SCV relay) with ESMTP id 65E522808A; Wed, 19 Nov 2008 16:57:53 -0800 (PST)
Cc: IPv6 Operations <v6ops@ops.ietf.org>, Behave WG <behave@ietf.org>
Message-Id: <5E35A200-5C5A-42D8-B02F-31D92649F0C6@apple.com>
From: james woodyatt <jhw@apple.com>
To: Gert Doering <gert@space.net>
In-Reply-To: <20081119092201.GI89033@Space.Net>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v929.2)
Subject: Re: The renumbering problem [Re: [BEHAVE] Comments on the NAT66 draft]
Date: Wed, 19 Nov 2008 18:57:52 -0600
References: <courier.4914868B.00003F53@softhome.net> <9937716B-A667-4FB6-8337-9596AD356901@muada.com> <courier.4917F518.00002B4D@softhome.net> <20081110143243.GI89033@Space.Net> <courier.491852A1.000070E6@softhome.net> <1568D893-1DC9-48CF-A04A-F2B55F31E416@apple.com> <4920E51C.7070007@gmail.com> <60FD682C-1436-493F-995D-4B2A7241D398@apple.com> <20081118220136.GE89033@Space.Net> <E60CDD5C-0D46-4C50-B300-FFAABA8BB704@apple.com> <20081119092201.GI89033@Space.Net>
X-Mailer: Apple Mail (2.929.2)
X-Brightmail-Tracker: AAAAAA==
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
On Nov 19, 2008, at 03:22, Gert Doering wrote: > On Tue, Nov 18, 2008 at 06:29:54PM -0600, james woodyatt wrote: >> >> >> Please, help me understand why solving this problem requires >> storing IP addresses in persistent storage without a coherent >> caching protocol. I'm not seeing it-- probably because I'm not >> sure I understand the nature and scope of the problem very well. > > Uh, well, people usually configure their VPN endpoints (site-to-site, > not roadwarrior-to-home) with IP addresses. Ah. I've given this more thought now, and I'm going to assume that we're talking about L3 VPN's and not L2VPN's (but I'm not sure that's warranted here). >> For the sake of argument, I'll accept that reasonable people >> currently >> perceive it to be necessary. My hunch is that those folks should >> probably be using DNS-SD instead of the fragile cruftiness they're >> struggling against now. Maybe if I understood the problem better, I >> could suggest a more detailed alternative to their current solution. > > Well. Yes. I've spent some time after my e-mail yesterday to think > about > this, and actually using DNS (plus some sort of "not completely > braindead > IPSEC implementation") might just work, provided one can get old+new > addresses working for long enough to DNS to propagate. > > Which is not instantaneous, as soon as it leaves the local domain. > > Now *this* aspect reduces itself to "educated people that DNS is good" > and "educate firewall vendors to write useful IPSEC code". Now that I've had a chance to think about this more carefully, I'm reminded of the old, old days when I used to work in an enterprise that managed its routing table by copying static routes around with / usr/bin/rcp. This eventually became painful enough that some bright soul noticed that networked computers can executed distributed route- computation algorithms, e.g. Bellman-Ford, link-state, etc. I suspect that large enterprise sites with massive collections of static VPN tunnel configurations, which need their tunnel endpoint addresses renumbered when adding or dropping a PA allocation, would do well to think about how such distributed algorithms could be used to ease the pain of renumbering. I would imagine that enterprises with this problem would have an incentive to develop a standard protocol for automatically managing the routes for complicated VPN topologies. (I'll even go so far to say that something like BGP might be easily adapted to serve in this capacity, but I'm not sure.) I do feel pretty certain about this point: before we set about systematically dismantling the utility of the provider aggregated addressing architecture in IPv6 as it relates to our problems maintaining the scalability of the default-free zone, I'd like to see an explanation for why enterprises view automating VPN tunnel management as a non-viable alternative solution. > Another thing that is regularily mentioned regarding "why > renumbering is > hard" is access-lists (aka "firewall rules"). DNS as well? Sigh. It's probably a good idea for large sites to use network operations and management systems that recognize the distinction between the network prefix and the host identifier parts of IPv6 address. I recognize that not all IPv6 addresses have such a distinction, but enterprises worried about this could conceivably choose IPv6 deployments where the distinction is significant-- because they can use [or build] tools that easily allow access-lists to be composed automagickally by combining the host identifiers (don't need renumbering) with network identifiers (do need renumbering) without requiring a human person to have to sweat all that tedious arithmetic and typing. I anticipate a rebuttal to my arguments above along the lines of this: "That's nice, James... but those routing protocols and network management tools don't exist today, and we need them!" My response is quite simple: "True, but those are problems worth solving, and I don't see how it's a good idea to *avoid* the work of solving them at the cost of A) introducing NAT66 into the Internet architecture and/or B) exploding the routing tables in the default-free zone." I could be wrong about that, but I remain unconvinced. -- james woodyatt <jhw@apple.com> member of technical staff, communications engineering
- RE: Comments on the NAT66 draft Wes Beebee (wbeebee)
- RE: [BEHAVE] Comments on the NAT66 draft Wes Beebee (wbeebee)
- Re: Comments on the NAT66 draft EricLKlein
- Re: [BEHAVE] Comments on the NAT66 draft Iljitsch van Beijnum
- RE: [BEHAVE] Comments on the NAT66 draft Wes Beebee (wbeebee)
- Re: Comments on the NAT66 draft Rémi Després
- Re: [BEHAVE] Comments on the NAT66 draft Brian E Carpenter
- Re: [BEHAVE] Comments on the NAT66 draft Margaret Wasserman
- Re: [BEHAVE] Comments on the NAT66 draft Rémi Després
- Re: [BEHAVE] Comments on the NAT66 draft Rémi Després
- Re: Comments on the NAT66 draft EricLKlein
- Re: Comments on the NAT66 draft EricLKlein
- Re: Comments on the NAT66 draft Gert Doering
- Re: Comments on the NAT66 draft Rémi Denis-Courmont
- Re: Comments on the NAT66 draft EricLKlein
- Re: Comments on the NAT66 draft Gert Doering
- Re: [BEHAVE] Comments on the NAT66 draft Rémi Després
- Re: Comments on the NAT66 draft EricLKlein
- Re: Comments on the NAT66 draft EricLKlein
- Re: Comments on the NAT66 draft Iljitsch van Beijnum
- Re: Comments on the NAT66 draft EricLKlein
- RE: Comments on the NAT66 draft Gunter Van de Velde (gvandeve)
- Re: Comments on the NAT66 draft Tim Chown
- Re: Comments on the NAT66 draft Margaret Wasserman
- Re: Comments on the NAT66 draft Gert Doering
- Re: Comments on the NAT66 draft Gert Doering
- Re: Comments on the NAT66 draft Gert Doering
- Re: Comments on the NAT66 draft EricLKlein
- Re: Comments on the NAT66 draft EricLKlein
- Re: Comments on the NAT66 draft EricLKlein
- Re: Comments on the NAT66 draft EricLKlein
- Re: Comments on the NAT66 draft Gert Doering
- Re: [BEHAVE] Comments on the NAT66 draft Rémi Després
- Re: Comments on the NAT66 draft james woodyatt
- Re: Comments on the NAT66 draft Gert Doering
- Re: Comments on the NAT66 draft ericlklein
- Re: Comments on the NAT66 draft Gert Doering
- The renumbering problem [Re: [BEHAVE] Comments on… Brian E Carpenter
- Re: The renumbering problem [Re: [BEHAVE] Comment… james woodyatt
- Re: The renumbering problem [Re: [BEHAVE] Comment… Gert Doering
- Re: The renumbering problem [Re: [BEHAVE] Comment… james woodyatt
- Re: The renumbering problem [Re: [BEHAVE] Comment… Gert Doering
- Re: The renumbering problem [Re: [BEHAVE] Comment… james woodyatt
- Re: [BEHAVE] The renumbering problem [Re: Comment… Iljitsch van Beijnum