[v6ops] review of draft-ietf-v6ops-ula-usage-recommendations-01

Lee Howard <Lee@asgard.org> Wed, 06 November 2013 15:42 UTC

Return-Path: <Lee@asgard.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C453A21F9DC9 for <v6ops@ietfa.amsl.com>; Wed, 6 Nov 2013 07:42:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.607
X-Spam-Level:
X-Spam-Status: No, score=-1.607 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4j+bHM2UA6yX for <v6ops@ietfa.amsl.com>; Wed, 6 Nov 2013 07:42:38 -0800 (PST)
Received: from atl4mhob17.myregisteredsite.com (atl4mhob17.myregisteredsite.com [209.17.115.57]) by ietfa.amsl.com (Postfix) with ESMTP id 121B821E8127 for <v6ops@ietf.org>; Wed, 6 Nov 2013 07:42:35 -0800 (PST)
Received: from mailpod.hostingplatform.com ([10.30.71.208]) by atl4mhob17.myregisteredsite.com (8.14.4/8.14.4) with ESMTP id rA6FgZmb018462 for <v6ops@ietf.org>; Wed, 6 Nov 2013 10:42:35 -0500
Received: (qmail 20740 invoked by uid 0); 6 Nov 2013 15:42:35 -0000
X-TCPREMOTEIP: 208.181.207.235
X-Authenticated-UID: lee@asgard.org
Received: from unknown (HELO ?208.181.207.235?) (lee@asgard.org@208.181.207.235) by 0 with ESMTPA; 6 Nov 2013 15:42:34 -0000
User-Agent: Microsoft-MacOutlook/14.3.8.130913
Date: Tue, 05 Nov 2013 18:38:57 +0200
From: Lee Howard <Lee@asgard.org>
To: 'IPv6 Operations' <v6ops@ietf.org>
Message-ID: <CE9EEBC1.36CA4%Lee@asgard.org>
Thread-Topic: review of draft-ietf-v6ops-ula-usage-recommendations-01
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: [v6ops] review of draft-ietf-v6ops-ula-usage-recommendations-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2013 15:42:43 -0000

I confess, I skipped to Section 3, "Enumeration of Scenarios Using ULAs"

I'd like some qualification on this sentence:"And since ULA support
multiple subnets, it is scalable."

ULA scales to /48, which is admittedly pretty good, but isn't what I think
of when I describe something as "scalable."  Unless you mean multiple ULA
prefixes, but I don't think that's what you're describing here; more on
routing in a minute.

"The global uniqueness of prefixes is not guaranteed, however,
      the probability is extremely low"
Actually, the probability (of uniqueness) is extremely high.  The
probability of collision is low.

The "Prefix Announcement" section is a problem.  You want to say that ULAs
can be freely routed between networks, but that has significant technical
issues:
* As you point out, you could extend RAs.  Unless that's done, this is
actually a drawback to ULAs.
* Scaling is limited, again, to however many route entries devices can
handle.
* And all the problems of an ad hoc, non-hierarchical networks.

Home network:  I understand the use case described, though it's worth
repeating that ULA fits between LLA and GUA; in other words, only provides
a benefit for a multiple-segment home network.  There may be other issues
in the home network, still being discovered by Homenet, like source
selection for service advertsiements, and naming.

I like the use of ULA for an enterprise's management network.

There's also the consideration (raised in the NAT64-experience draft) that
a dual-stack node with IPv4, GUA and ULA may get confused about source
address selection.   Especially in the renumbering case; IPv6 connectivity
works, but IPv4 will be used in preference to ULA. . .

There's another consideration in 3.2.2, ULA+GUA: if you run forward DNS,
you may need a split DNS, where depending on where the query comes from
(inside or outside) you return a ULA or GUA.  You might just use GUAs for
everything that is externally available, or you might have different
policies depending on whether you use the GUA or ULA (for instance,
internal vs external firewall policy).  You do mention this later in 4.2.

There are several places where the address selection problem is mentioned,
and there's a suggestion to configure policy to force the desired
behavior.  This may be possible in an enterprise (using a group policy
object, or maybe other configuration mechanisms) but I don't think it's
realistic in a home network, and I think you should say so.

The first paragraph of 4.1 says "on the other hand," but I think the point
is consistent with the previous point.  Don't say "on the other hand"
here.  :-)

Please clarify the case of using ULA as the internal prefix for NAT64.  If
you do that with no GUA, you are giving IPv6-only hosts IPv4-only access;
there's no native IPv6 (because of ULA) and all IPv4 will use the NAT64.
It's the worst of both worlds.

THe point made in 5.3.3 is a good one.  So good that more words may be
needed.  A GUA would be a good identifier in the same way, except that a
GUA prefix may change.

Security considerations probably needs more.  There are several places in
the document describing NAT and (enterprise) security considerations.
These should at least be referenced.  It also improves security for
hosts/nodes that are not intended to be globally reachable; instead of
applying a filter, there is simply no route from outside the network.

I do agree that this document is striking the right balance in its
considerations.

Lee