IETF Logo Mail Archive

Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]

David Farmer <farmer@umn.edu> Mon, 25 April 2022 23:06 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB95EC159A28 for <v6ops@ietfa.amsl.com>; Mon, 25 Apr 2022 16:06:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WSxoxzXoDSMe for <v6ops@ietfa.amsl.com>; Mon, 25 Apr 2022 16:06:11 -0700 (PDT)
Received: from mta-p7.oit.umn.edu (mta-p7.oit.umn.edu [134.84.196.207]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 145A2C1D4682 for <v6ops@ietf.org>; Mon, 25 Apr 2022 16:06:10 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id 4KnLGn6qV3z9wBc3 for <v6ops@ietf.org>; Mon, 25 Apr 2022 23:06:09 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YNv7tl7EW6dj for <v6ops@ietf.org>; Mon, 25 Apr 2022 18:06:09 -0500 (CDT)
Received: from mail-ed1-f71.google.com (mail-ed1-f71.google.com [209.85.208.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id 4KnLGm5zj3z9wBbw for <v6ops@ietf.org>; Mon, 25 Apr 2022 18:06:06 -0500 (CDT)
DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p7.oit.umn.edu 4KnLGm5zj3z9wBbw
DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p7.oit.umn.edu 4KnLGm5zj3z9wBbw
Received: by mail-ed1-f71.google.com with SMTP id c23-20020a50d657000000b00425d5162a0dso3293219edj.16 for <v6ops@ietf.org>; Mon, 25 Apr 2022 16:06:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YBmrHUqgTOkcuP+g1hJRZLx4zc0T/prVkycoU6R7xf4=; b=eJfZdCJOjSkMS/d2Br1WLSfLU4cWZt0SYAEg8KtG2Yd7Nm7l19zS3Fgbdz2eJaWPOj o8WtbtGwB5H3fEtQMuQMSdvGMySPJKZ3tpXD92ef8H2+nRTARDbQsNwdlOBzboSnFreb ohPw+1A169iv88HIB1DwxoLoeU9STczodScpJtFIXKVniU6uHl4STfs0lMpSU3x6Jmn5 DEKgxqu4k1bSL7Whf2Lb6kWkClXErzVFAIJk8L1JwLVwI+4guGlTIZdTkbOGKpbOGzLR 6eaB4vu41f9o8DHXdx2lrCj5sqH/3l1O6BRSkyxBITWBl/bWFqdhmiKyuSjPPsRl0xM3 fXEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YBmrHUqgTOkcuP+g1hJRZLx4zc0T/prVkycoU6R7xf4=; b=372+ZyPbP94jHMLicMh4LKr88AxtTDoSMqvmvTZBEqfNy78mPrieZjUi6eU+wt4+Y/ 5phn+A15oR1bb7RgyNtXQ3nEyAJI7IcfD+sP6b4WRNjBG9qgagBklcCaCR/bqnn3VBJZ KYSn5rkagH4gtgBr68GTjwCIh9iFFMe4SWuxDwQFJwXAI99qym6k6NqeHhoUF9/CQE/f yTjNYwUKwqT05/O6Von1UQFK95jdxW1NZTjbhryigIgODWcTRkl+pEHeLZvlHY+HcACo vmdz2ac3vmywnPlrv0kv404dxaMjMYTULpwZjQaW/cRiCR9+1hwLrmBUpwu2RBrg9XuR TcOg==
X-Gm-Message-State: AOAM5336no4Ojkxin+RGhymcakv4ofjCKVT0fM2suEjo2byk+3FDQu/8 hyuA8bBRDYlfJAJFVfjuoncKLfFli5GaEZxrQnIA4eqAFikqpO/+VjJA5WWCS7eqoIEobjZ60NG OERd/Mvd3y5q4S5xnt6q0It+sAA==
X-Received: by 2002:a17:907:980d:b0:6d6:f910:513a with SMTP id ji13-20020a170907980d00b006d6f910513amr17721302ejc.643.1650927964563; Mon, 25 Apr 2022 16:06:04 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyueBACa199JQ1vLRtq2lyym8wh7Zq++FKHf1P1HGlo5QhxR45QFQpmT+m6+mW4YQu+seaZwaQZDdZYq/myt0I=
X-Received: by 2002:a17:907:980d:b0:6d6:f910:513a with SMTP id ji13-20020a170907980d00b006d6f910513amr17721262ejc.643.1650927963824; Mon, 25 Apr 2022 16:06:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com> <BN8PR07MB70760D9693580F5BDCB61DD995F89@BN8PR07MB7076.namprd07.prod.outlook.com> <CAKD1Yr3Z9wGQ+uiA2WcW00MrOiLyHs+bSoFjHVtrixCi2qp4DA@mail.gmail.com> <BN8PR07MB7076A6456CAB48EF428D6E8695F89@BN8PR07MB7076.namprd07.prod.outlook.com> <65d0d9ac-77fc-c200-09e3-0c3949ca1541@gmail.com>
In-Reply-To: <65d0d9ac-77fc-c200-09e3-0c3949ca1541@gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Mon, 25 Apr 2022 18:05:47 -0500
Message-ID: <CAN-Dau2FS99ewfgH8xk-jSJFCnO92CJV9ZC98DUE2UDR7V1Eww@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Kevin Myers <kevin.myers@iparchitechs.com>, Lorenzo Colitti <lorenzo@google.com>, Erik Auerswald <auerswald@fg-networking.de>, Ted Lemon <elemon@apple.com>, v6ops list <v6ops@ietf.org>, 6man list <ipv6@ietf.org>
Content-Type: multipart/related; boundary="000000000000d5b29a05dd829e4d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/gYr1A2S4vhJ1h8z1NM5PC2HaXBU>
Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 23:06:15 -0000

You want to look at PCI DSS 3.2 requirement 1.3.7.
[image: image.png]

Compensating controls is an option, but auditors have to sign off on them,
and the whole process is about minimizing exceptions and getting a clean
audit. IT isn't in charge of this, finance people are, it's not technical,
it's all about the money, and numbers with 7 or 8 significant digits or
more.

I've been on that the merry-go-round several times, I believe in IPv6 E2E,
but if anyone asks me just do NPTv6 or NAT66, whatever the auditor wants
you to do.

Have fun on the merry-go-round, I'll pass.

Thanks

On Mon, Apr 25, 2022 at 5:32 PM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> Kevin,
>
> > Auditing frameworks and auditors are just not ready for IPv6 and without
> migration strategies like NAT, they'll have no reason to be because IPv4
> will continue to dominate.
>
> You're describing a vicious circle, and the question is how can we break
> it?
>
> Advocating NPTv6 might achieve that, but many of us dislike that strategy.
>
> Can you explain what are the technical requirements in PCI-DSS land that
> have been interpreted as requiring NAT44? Is it time for RFC4864bis,
> because this is exactly what we were aiming at with that RFC?
>
> Regards
>     Brian Carpenter
>
> On 25-Apr-22 17:34, Kevin Myers wrote:
> > This misses the problem entirely though.
> >
> > It's not a choice to reconsider, these are regulatory requirements. The
> fact that a handful of enterprises have deployed IPv6 doesn't move the
> needle on compliance for the vast majority of them.
> >
> > No retail enterprise is going to choose IPv6 without NAT internally if
> it means not being permitted to use credit cards because of a failed
> PCI-DSS audit.
> >
> > Auditing frameworks and auditors are just not ready for IPv6 and without
> migration strategies like NAT, they'll have no reason to be because IPv4
> will continue to dominate.
> >
> >
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > *From:* Lorenzo Colitti <lorenzo@google.com>
> > *Sent:* Sunday, April 24, 2022, 11:27 PM
> > *To:* Kevin Myers <kevin.myers@iparchitechs.com>
> > *Cc:* Brian E Carpenter <brian.e.carpenter@gmail.com>; Erik Auerswald <
> auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>; v6ops list <
> v6ops@ietf.org>; 6man list <ipv6@ietf.org>
> > *Subject:* Re: [v6ops] ULA precedence [Thoughts about wider operational
> input]
> >
> > There are several fortune 500 companies that have publicly stated that
> they have deployed IPv6 with global addressing, so that's definitely
> possible.
> >
> > As for "is it better to deploy IPv6 with NAT66 or not to deploy at all",
> I would guess it depends who you ask. My personal answer would be no. It's
> possible that when faced with app and OS incompatibilities, those
> enterprises might reconsider. Or they might pick the same technical
> solutions as the enterprises that have already deployed with global
> addresses.
> >
> > On Mon, Apr 25, 2022 at 12:42 PM Kevin Myers <
> kevin.myers@iparchitechs.com <mailto:kevin.myers@iparchitechs.com>> wrote:
> >
> >     IPv6 NAT is already being deployed in large enterprises for the few
> that want to tackle IPv6. Vendor implementations exist, so that ship has
> sailed regardless of where the IETF lands.
> >
> >     Most of the Fortune 500 fall under regulatory compliance of one body
> or another (PCI-DSS, FIPS, HIPAA, etc) and none of them are setup well for
> an IPv6 no-NAT world. Most of the discussion I see around enterprise
> adoption on the IETF lists misses this point. It matters very little
> whether NAT is a "good" or "bad" practice when it comes to selecting an
> operational model. Enterprises choose operational models that will pass
> audits
> and the overwhelming majority rely heavily on NAT.  We can make the
> argument that compliance bodies and auditors should update their guidance
> and standards and they absolutely should, but it will probably take close
> to a decade to change the regulatory compliance auditing landscape to the
> point that IPv6 without NAT is commonplace.
> >
> >     If auditors won't sign off on end to end GUA addressing, then NAT is
> going to remain.
> >
> >     Enterprises are more than willing to punt IPv6 for another decade
> and will likely have no issues in doing so given how little IPv4 space most
> of them need compared to service providers. Even when IPv6 becomes the
> predominant transport type for an Internet handoff everywhere, it will
> still just live in the underlay while IPv4 remains the predominant choice
> in the overlay, in apps,  and internally in the DC for enterprises.
> >
> >     At what point does it become more important to have IPv6
> implemented, than to have it "perfectly" implemented?
> >
> >     Kevin Myers
> >     Sr. Network Architect
> >     IP ArchiTechs
> >
> >     -----Original Message-----
> >     From: v6ops <v6ops-bounces@ietf.org <mailto:v6ops-bounces@ietf.org>>
> On Behalf Of Brian E Carpenter
> >     Sent: Sunday, April 24, 2022 9:48 PM
> >     To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org <mailto:
> 40google.com@dmarc.ietf.org>>; Erik Auerswald <auerswald@fg-networking.de
> <mailto:auerswald@fg-networking.de>>; Ted Lemon <elemon@apple.com <mailto:
> elemon@apple.com>>
> >     Cc: v6ops list <v6ops@ietf.org <mailto:v6ops@ietf.org>>; 6man list <
> ipv6@ietf.org <mailto:ipv6@ietf.org>>
> >     Subject: Re: [v6ops] ULA precedence [Thoughts about wider
> operational input]
> >
> >     On 25-Apr-22 12:16, Lorenzo Colitti wrote:
> >      > On Mon, Apr 25, 2022 at 2:28 AM Erik Auerswald <
> auerswald@fg-networking.de <mailto:auerswald@fg-networking.de> <mailto:
> auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>>> wrote:
> >      >
> >      >       "Since ULAs are defined to have a /48 site prefix, an
> implementation
> >      >        might choose to add such a row automatically on a machine
> with
> >      >        a ULA."
> >      >
> >      >     The result is that only the local ULA prefix,
> i.e., exactly the
> >      >     local IPv6 addresses, are preferred over IPv4
> (and IPv6 GUA).
> >      >     This should be exactly what is needed to use ULA addresses
> inside
> >      >     an organization, or for a lab.
> >      >     [...]
> >      >     Implementing the non-normative suggestion from Section 10.6
> of RFC
> >      >     6724 would in all likelihood result in making
> ULA usable for local
> >      >     tests and even first steps in deploying IPv6.  ULA addresses
> would
> >      >     only be used locally.  Existing IPv4 based Internet access
> would not
> >      >     be impaired by adding IPv6 ULA.
> >      >
> >      >
> >      > That does seem like it might make ULA more useful, yes.
> >      >
> >      > Additionally, maybe we could clarify that the longest-prefix
> match rule
> >     does not apply to ULAs outside the same /48? I think that would fix
> the issue observed by +Ted Lemon <mailto:elemon@apple.com <mailto:
> elemon@apple.com>> in home networks:
> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
> <
> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>
> <
> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
> <
> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>>
> .
> >
> >     When two networks each with its own ULA prefix are intentionally
> merged, longest match would be the right thing, wouldn't it? (Assuming that
> the split DNSs are also merged, and of course internal routing.) In that
> case there is no "foreign" ULA prefix.
> >
> >      >     In order to keep IPv6 deployment similar to IPv4, IPv6 NAT
> could be
> >      >     considered.  To make this work as intended, the address
> selection
> >      >     policy table could be adjusted to contain the
> local ULA prefix
> >      >     with precedence greater or equal to GUA and the same label as
> GUA.
> >      >
> >      >
> >      > This seems like it would encourage the use of IPv6 NAT. I think
> there is reasonably strong consensus within the IETF that that is not the
> right way to go, because it pushes problems on to application developers.
> This adds costs for NAT traversal software development and maintenance,
> and requires devices to implement NAT keepalives, increasing battery usage.
> >
> >     That may be the IETF's consensus, but there is a very large fraction
> of the enterprise network operations community that strongly disagrees,
> and in fact regards this as a red line issue. It isn't even clear that
> they'd accept NPTv6 as an alternative to NAPT66. If this is indeed the only
> way to get IPv6 inside enterprises, what is the right thing for the IETF
> to do?
> >
> >             Brian
> >
> >     _______________________________________________
> >     v6ops mailing list
> >     v6ops@ietf.org <mailto:v6ops@ietf.org>
> >     https://www.ietf.org/mailman/listinfo/v6ops <
> https://www.ietf.org/mailman/listinfo/v6ops>
> >
> >
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>


-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email