IETF Logo Mail Archive

Re: [v6ops] Thoughts about wider operational input

Mark Smith <markzzzsmith@gmail.com> Tue, 05 April 2022 21:53 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE88F3A1241 for <v6ops@ietfa.amsl.com>; Tue, 5 Apr 2022 14:53:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.632
X-Spam-Level: *
X-Spam-Status: No, score=1.632 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.998, HK_RANDOM_FROM=0.998, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d23rswTrNP86 for <v6ops@ietfa.amsl.com>; Tue, 5 Apr 2022 14:53:08 -0700 (PDT)
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 553FF3A1239 for <v6ops@ietf.org>; Tue, 5 Apr 2022 14:53:08 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id s8so667267pfk.12 for <v6ops@ietf.org>; Tue, 05 Apr 2022 14:53:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zYteKOEZ/GI/LepdFjorPzpQs1wbxYj6ZNwpiqVvSf0=; b=PbYWGQjbDOSGA4cKyB4EDRlLJnND4DqfSnH0PJ7/fSqioxDV6Shl7mdVJpoRYYeKIC jHdWXFa3vD1t739qxPXZs4OozqNS5rtCOdN/KbcFaloVIiE2dQRNlk2cISbSCW8Oavbf F1C8NhAHhrSnv8PKQCM44WwZDy45CPqEBNdZpxTs4hlJl+Dk0NYa/Sw60yWfkm+xcyLe Tyz8HbUZW3GPaJbOmM6yTppHRV6m8uZzaVxFBJdQF5X02HD2nXf7VU5m/0CMICsjvft0 +Y5yGqbIKtnGWHciv0KpsiXSiwCXPwsxzKtoLVslj+CcXhOR9jod49tc5hVcLD2pPpIj ZKXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zYteKOEZ/GI/LepdFjorPzpQs1wbxYj6ZNwpiqVvSf0=; b=AaIZW28WuNhOieP8SpS/uUfu59ZabiC3qnfUKKid0FWaCC7tmfUD1bZnR5u13clS97 Rbsedy1GySsYn00S6ePGOsUeAKa+qRz3CfiieTLQiRWT3YUbBbXvzMaBDr1tJMgA4ctz MMfNI0nXRqsN2i+XKMsWPRKA/jPqYAILrVsEUSj4qhpyiXP5n1uWJustOvm0Ea6oFKb1 JBwydQ0yezU3ox/eGr6N3hjpMPolyeNRMK2MzaTt4rP0cwV99rlxtv62JY62hKQt8m60 DCVaIf/gVpEz8xhEpid4H5rUwpkp3au+e5EgPJrgJZ2vbexLXsUxF+8nAKzWlcDN6U63 j7ow==
X-Gm-Message-State: AOAM531iM1v0w2KOCCjpDS7rrgrXwfgA7uCsERFjQtioIEd1lEggLHN5 VyZ3oDQv3rG40orMoSiHgWLckHFZntDoPlPrGF9y5R26
X-Google-Smtp-Source: ABdhPJzsNewdvX5/2mlGa1Q7bDIYQ2iJQXoBjSwGQV8UIcsMLHLdmmCycJUv31ws/ZPMp59LvnTrnUjzXWjRryKKvC4=
X-Received: by 2002:a65:6e0e:0:b0:399:26d7:a224 with SMTP id bd14-20020a656e0e000000b0039926d7a224mr4469282pgb.437.1649195587137; Tue, 05 Apr 2022 14:53:07 -0700 (PDT)
MIME-Version: 1.0
References: <52661a3d-75dc-111a-3f23-09b10d7cb8d4@gmail.com> <9175dc32-45c1-e948-c20a-3bcc958b77b9@gmail.com> <YjmJQMNgnJoSInUw@Space.Net> <D75EF08F-6A41-41B2-AFB2-649CBCC1D83E@consulintel.es> <CAPt1N1nRnYUFA=yyJHx6t52yqWbmcd2Tf1H8gQuCZBd3Q3VqJw@mail.gmail.com> <7F4AEB43-4B24-4A21-AE9D-3EB512B98C46@consulintel.es> <8fac4314b8244ba6b33eea68694296d0@huawei.com> <9A13E47B-75D0-443F-9EE9-D2917ACB2D0F@consulintel.es> <CAO42Z2xUG+BXj+VQpajed9aGjH+q-HR7RX7C-T4DsTbouz7xWQ@mail.gmail.com> <F6A90BBF-7F44-403E-960A-8F756353B562@chinatelecom.cn> <B49417F7-3EFB-4A4D-9D1A-0D21574EA4F2@consulintel.es> <44B01ACA-3D5C-4618-B608-3B3479D29875@consulintel.es> <62447DCB.1010206@jmaimon.com> <7228D9A7-54A8-4BAE-9299-204C049F600B@consulintel.es> <6244BA91.3060306@jmaimon.com> <67762447-43D4-4393-851C-99370D3BF623@thehobsons.co.uk> <6246126C.1030609@jmaimon.com> <259B108A-C3DD-4460-B41A-A0028ACA9594@thehobsons.co.uk> <624759B1.8060700@jmaimon.com> <89D652EB-8920-4992-99EC-CC3C3A856D57@thehobsons.co.uk> <62477058.6020901@jmaimon.com> <4ADAA521-00A2-4FAF-9A1B-500C8598164F@thehobsons.co.uk> <D43294DA-E57A-44B4-AB1A-B0A766665FB0@virtualized.org> <7FEB6A6B-8DE6-42AE-B5FA-6E432B17CDD0@thehobsons.co.uk>
In-Reply-To: <7FEB6A6B-8DE6-42AE-B5FA-6E432B17CDD0@thehobsons.co.uk>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Wed, 06 Apr 2022 07:52:54 +1000
Message-ID: <CAO42Z2xLO2F76Tg3t7X0Zv6JBX-W9aM1QfkZti5MQVV1X7o0DA@mail.gmail.com>
To: Simon <linux@thehobsons.co.uk>
Cc: v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000022f20c05dbef4525"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/hRTIUJH_5zCQ78NqkLNHR-BJlUI>
Subject: Re: [v6ops] Thoughts about wider operational input
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2022 21:53:13 -0000

On Wed, 6 Apr 2022, 06:00 Simon, <linux@thehobsons.co.uk> wrote:

> David Conrad <drc@virtualized.org> wrote:
>
> > On Apr 2, 2022, at 10:37 AM, Simon <linux@thehobsons.co.uk> wrote:
> >>> What you dont know is what IP address YOU have from the point of view
> of the other endpoint.
> >> Indeed, and that’s why Nat == broken. Pretty well the entire foundation
> of networking falls over if you have no idea who *you* are.
> >
> > No. An IP address identifies and locates a connection point for IP
> service.  What is behind that service, including identity, is determined by
> higher layers. The service connection point could be a single process, or
> multiple processes, or, in the case of NAT, an entire network. You cannot
> rely on an IP address alone as any indication of “who *you* are”.
>
> Again, that’s starting from what we have now (NAT) and working backwards.
> It’s not working from how IP was designed and working forwards. The IP
> address is an identifier for routing network traffic to that endpoint - and
> it should be globally unique and globally routable.
>

Agree.

For those who disagree, can you give up your globally unique E.164 phone
number on your mobile phone to see how that goes?

Will you be happy to only be able to make phone calls only to those that
still have globally unique phone numbers?

Will you be happy to never receive calls, or only receive them from other
people inside your current carrier's network (where your number is probably
unique ... although perhaps not, since you were happy to give up a unique
global number) but from no other carrier?

The nature of IPv4 (without NAT), IPv6, and the phone network is
peer-to-peer. Any node can directly communicate with any other on the
network, because they have unique addresses.

There's concern these days about how dominant major cloud providers are on
the Internet. NAT and non-globally unique addresses encourages and endorses
that, because it makes receiving inbound application connections ("calls")
either impossible or harder than it should be.

The real question is how have the phone networks scaled globally unique
E.164 number portability, and can we use that technique somehow in IPv6?
I've expected E.164 number portability to fail to scale at some point in
the last 20 years or so, yet it hasn't.

Regards,
Mark.





> >> That is the foundation of IP - globally unique addresses, so that an
> address can only refer to one end node;
> >
> > Even ignoring NAT, no.  See, for example,
> https://datatracker.ietf.org/doc/html/rfc4786.
>
> A classic diversion tactic - when it looks like the argument is being
> lost, bring in something that’s irrelevant but which looks like it supports
> your case. Anycast cannot be considered equivalent to NAT - to start with,
> it does NOT mangle packets.
> True, it is a case of non-unique addresses - but it is also a special case
> where all endpoints sharing that address have been explicitly configured to
> share serving a service on it - it works well for session-less services
> like DNS; not well for session orientated services. Because of the known
> limitations, you wouldn’t (for example) serve up a SIP registrar behind
> Anycast without putting in a lot of careful engineering to work around
> those limitations (e.g.) by having state synchronisation between the
> different servers.
> Unlike NAT, each endpoint knows the globally reachable address; unlike
> NAT, each endpoint with that address is serving the same thing; unlike NAT,
> it is merely a case of routing packets slightly differently without
> mangling the content of those packets.
>
> >
> >> and end-end communication, so any end node can communicate with any
> other end node. NAT plus private addressing breaks this - I can tell
> someone that I’m at 192.168.1.1 and that doesn’t differentiate me from the
> thousands or millions of other 192.168.1.1 nodes in other 192.168.0.0/16
> (or 192.168.1.0/24) address spaces; nor does it enable them to send a
> packet to me. I.e. the network is broken.
> >
> >
> > Given the vast majority of Internet users (including myself, don’t know
> about you) are behind NAT boxes and we’re having this conversation, I
> gather you’re using the term “the network is broken” in a non-traditional
> way.
>
> Again, it’s easy to declare something as “not broken” when you redefine
> broken to not include the inconvenient cases. It reminds me of the old joke
> about “How many Microsoft engineers does it take to change a lightbulb ?
> None, they simply redefine the industry standard to dark !” You are
> re-defining “works” to have a different meaning - for your argument, works
> must be “works for simple things **I** care about”; for others, works means
> “works for all types of traffic including protocols/services not yet dreamt
> up”.
> As I have pointed out, NAT doesn’t (mostly) break simple client to server
> arrangements such as mail client to mail server and web browser to web
> server (the centralised model of the network). It does break a multitude of
> other cases. And as already highlighted in a previously referenced RFC - it
> does act as an obstacle to the introduction of some types of new service.
>
> > All communication over IP must be demultiplexed by higher-layer
> processes via protocol and/or port. NAT adds an additional form of
> demultiplexing, mapping a single address plus port into multiple
> addresses.  NAT breaks things because higher-layer protocol designers
> violated layer boundaries, granting those higher-layer protocols knowledge
> of lower-layer identifiers, which should have been opaque.
>
> No, you are moving the goalposts again. That basic demuxing by protocol
> and port happens WITHIN the endpoint - where there are well defined methods
> for any application to understand the little bit of the network it needs
> to, such as IP addresses it may bind to, and ports which it may use. That
> is not a violation of network layers.
> NAT happens OUTSIDE of the endpoint, in the network, where applications
> are unable to query for the basics and thus have to build in various
> methods to try and second guess how their packets are being mangled by what
> should be a transparent packet transport. Arguably, this is a violation of
> protocol layers - each application needs to have an intimate knowledge of
> how networks might behave, so not simply a case of asking the OS what
> addresses are available to use and needing no knowledge of routers and
> gateways, but needing to understand how packet handling operates after the
> packet has left the end-point.
>
> I’ll go even further. If an application querying the local OS (or more
> technically, the network stack) for available addresses and ports is a
> layer violation, then presumably you would argue that having (e.g.) a web
> server bind to a specific port is also a layer violation - after all, it’s
> job is to merely server pages, not to have any knowledge (by your
> suggestion, any knowledge AT ALL) about the underlying network.
> If you don’t argue that, then you are arguing that knowledge of addresses
> and ports IS a layer violation; and also arguing that it ISN’T a layer
> violation at the same time.
>
> > Given the actual endpoint of communication (i.e., the application)
> cannot rely on the IP address
>
> Only because you’ve redefined networking to suit that argument. I doubt
> many people would agree.
>
> > , swapping out one IP address for another should have no impact on the
> integrity of the communication.
>
> It doesn’t as long as the application is able to determine that. But other
> than for stateless (or short lived session) protocols, changing out the IP
> address is going to break stuff NAT or not. If your upstream renumbers you,
> then session break. If NAT is there, stuff breaks until the applications
> work out what’s happened (potentially long recovery time); without NAT, the
> OS (or network stack) can tell them when it happens.
>
>
> > The fact that current applications have intimate knowledge of the
> underlying identifiers means e.g., changing an endpoint’s connection to the
> IP network topology fatally breaks communication. This is not a feature.
>
> Indeed, and NAT does that - it changes an endpoint’s identifier
>
> > However, bringing this back to the original question: if you want to
> bring more enterprises into the IPv6 fold, arguments about how NAT is evil
> are worse than a complete waste of time, they’ll probably result in your
> input being ignored.
>
> No, but an argument that NAT does break things in ways that cause costs to
> the business is a way forward. And NAT does have costs to most businesses -
> even though most don’t realise it.
> I’ve done support, I’ve done the “trying to figure out what’s wrong in the
> network” stuff, I’ve done the grepping through NAT tables to figure out
> which stream at one end belongs to the particular client behind the NAT to
> isolate only that client’s traffic, ... NAT hardware costs money, support
> calls for when it goes wrong cost money, ... But those costs rarely appear
> anywhere but as part of a bigger “support costs” line in the accounts.
>
> > For good or ill, NAT is embedded into the architecture of the Internet
> for the foreseeable future (IPv4-only devices are not going to magically
> vanish)
>
> I don’t suggest they are - and we already know that the problems with NAT
> are already getting worse with a layer of CGNAT followed by a layer of end
> user NAT.
>
> > the benefit of deploying IPv6 is overwhelmed by the risk and cost.
>
> Again, you are conflating two different arguments.
> I, along with many, are on the side that we know NAT has a lot of issues
> and breaks stuff - even you acknowledge that it breaks stuff, you just
> argue that the stuff it breaks shouldn’t be there anyway. But given the
> change to do things over (which is what IPv6 offers), surely we should
> learn from past “mistakes” and not build in the same problems ?
>
> Other than “it’s all I understand” (and I’ve met a few so called network
> engineers who literally could not understand a network without NAT), I have
> seen only ONE (yes, just ONE) valid use case for prefix translation (not
> address and port translation) in IPv6. I’m a bit on the fence as to whether
> the problems allowing NPT would cause outweighs the problem it would (sort
> of) solve.
>
>
> Simon
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email