IETF Logo Mail Archive

Re: [v6ops] AWS ipv6-only features

Nick Buraglio <buraglio@es.net> Mon, 29 November 2021 21:45 UTC

Return-Path: <buraglio@es.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B46EA3A0ADF for <v6ops@ietfa.amsl.com>; Mon, 29 Nov 2021 13:45:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=es.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MH2oMa32gtoI for <v6ops@ietfa.amsl.com>; Mon, 29 Nov 2021 13:45:00 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BD233A0AC1 for <v6ops@ietf.org>; Mon, 29 Nov 2021 13:45:00 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id k37so48342075lfv.3 for <v6ops@ietf.org>; Mon, 29 Nov 2021 13:45:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.net; s=esnet-google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=dC5H0yUBFoDO0Iy/XCgzZV5ue1nsHr0Lf0X69uzpTsE=; b=fO8kPunbil7Bi3acuYQOy7o4TxHB0WIgX//v52wXgXJ+OVRvmpzSN8Xg0KQFOu5olW r0McK8ijFOn/j48YQDDbG12ndlzcuuA78Wr2PswkeiECykuEbvHbc5D2srD9q/BtsXRv TEXw6fIC4KzC29CesLUj3PzKlzpnL3Dkga7oHr+8pXgo3PVEwiLCwAx4RUXrEfF0P61M 3vTzE7t1TYYpqJ8LH4uRF2Hdsvc1+Q4eAozuj0ZVE2+EkfenldPbrCKOm6JM1NLJWHNu wJKEpUcmb8cIcXwut9yRZaFSCDO7v+OUKsASAcfuq9lbfaxFpzyfRy7F9A5aDJhNahhG TnqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=dC5H0yUBFoDO0Iy/XCgzZV5ue1nsHr0Lf0X69uzpTsE=; b=HQ4x1iQjrOPeVSNAVFDvV3kHRhWiIa/jAPn9cyAORnN+rR4XxCKb8BFT5eh6R0WrC1 i/FrkVvwaUijPQFnMS32RdMfsl6hKizmN2LZfIZum1IUm2j/aMuz1ihyo1vLHQDpO2bP 7mrk6sF52gLxCWfIt4+BKxCh45RJ/8Xh0lr4j3GUyweAtrBu3FrDU1QRYsR8C3My4Cny DVw77AQ7QQTxkorTSG0LF5q69xnM/63GEMH0agxU80QauPFdhdVkOFC7d4sXFqzn5qLW M3yQ1nbEMShnaeS94U/l/wU8ETp7F0svHeEU02+ceP//EF5lvKDfT+jOyARlOj+nplk+ lStg==
X-Gm-Message-State: AOAM5302g44ImHIQF+vXjkA+LfZ50Gfll8U5CWVUxV/xvLNizn/GgCG2 hOmvvnCC2gUrqlIeR5mC/1IVDjOWFWbiWNS2X3gkZXjZdDroPGmi8KKJM40JXP9TvfziBzWHsQ0 wmBqiShvCE2i5MSbEC/CCClwij2JyISXwAI3wJMCG/iudg7K0JJEvbuWv224JSl/SpubvSeRvFy o=
X-Google-Smtp-Source: ABdhPJzcgXUwdZ6kJ8I03o+GYkcugB6dl+7/w+BLCybHTljgoNXjh3EcqbrdUs9k6J4923apMHD5CzWwGFdYziDUZ3w=
X-Received: by 2002:a05:6512:2804:: with SMTP id cf4mr49672961lfb.644.1638222295681; Mon, 29 Nov 2021 13:44:55 -0800 (PST)
MIME-Version: 1.0
References: <CAD6AjGRAkpMDaAh31mVL=+Gcz5PHejUxxLazr4Xb=vVRHfaSpw@mail.gmail.com> <CAO42Z2z8u_DQMd9eNSQp_RhBinXk2KyH4pdbVLMEqOta-hoG1w@mail.gmail.com> <CADzU5g5odQ82FJ0TsdNxFB42OkgLZ+PWanLLrK1roLojAUS54A@mail.gmail.com> <CAO42Z2z+ZJ_pLwZmBjZ_HFsNXQ6jok-PMRTP23ZD2UMch61wtw@mail.gmail.com> <CAM5+tA9JhRWfZ2VLLQnT8Mg+Xng-+Rc-oQnX8Ma5DguL2uDO8w@mail.gmail.com> <771a145e-8483-63e5-5200-a1ff32a0e781@gmail.com>
In-Reply-To: <771a145e-8483-63e5-5200-a1ff32a0e781@gmail.com>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Mon, 29 Nov 2021 15:44:44 -0600
Message-ID: <CAM5+tA_AAfLaH-bP_1q3FR7ssJFgUAJuqN401aJJVcWWDnBL1g@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, IPv6 Ops WG <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ffdd6a05d1f4591f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/hneAmY5QIpy5gqUnV0naFtqkp-g>
Subject: Re: [v6ops] AWS ipv6-only features
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2021 21:45:08 -0000

On Mon, Nov 29, 2021 at 3:06 PM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> Nick,
>
> On 30-Nov-21 07:33, Nick Buraglio wrote:
> > Thank you for writing some information on ULA, it's an important part of
> IPv6 and not really discussed enough. Perhaps we should start another
> thread, but I'd like to hear more about when you see this behavior:
> >
> > /"ULAs are preferred over GUAs, so when a host is presented with both a
> ULA and GUA as possible ways to reach a destination, the host will select
> the ULA. Once the ULA destination address is chosen, the host will then
> choose its ULA as a source address to reach the ULA destination. This
> preference of ULA addressing over GUA addressing is the mechanism that
> provides internal network connectivity independence from concurrent
> external Internet connectivity."/
> >
> > In testing and in practice I have experienced that exactly the opposite
> of this is true in both day-to-day use and every single explicit test I
> have done where ULA and GUA are present on both sides with a variety of
> hardware platforms and operating systems. GUA is used in every scenario I
> test when the AAAA records are all matching (i.e. appropriately correct
> DNS).
>
> Please be more precise about the scenario. Do you mean that both hosts
> have AAAA records for their GUAs *and* ULAs, and that the app uses DNS
> names, or what?
>

In the testing I was performing to double check my notes I had this
scenario:

host 1 (linux, A for IPv4, AAAA for IPv6 GUA, AAAA for IPv6 ULA)
host 1 (linux, A for IPv4, AAAA for IPv6 GUA, AAAA for IPv6 ULA)
host 1 (MacOS 12.0.1, A for IPv4, AAAA for IPv6 GUA, AAAA for IPv6 ULA)
RouterOS based router 1 (RouterOS, A for IPv4, AAAA for IPv6 GUA, AAAA for
IPv6 ULA) - RouterOS seems to default to IPv4 for some dumb reason, even
when the source address is set to v6
All A and AAAA records match their respective hosts (i.e. host1.lab.int,
host2.lab.int, etc.)

In each case when I attempt to reach the devices I use the DNS record the
default is to the GUA, from the GUA, with the exception of Mikrotik which
by default uses IPv4 if it exists as an A record, even if specifying an
IPv6 src address.



>
> Nevertheless, default address selection in RFC6724 is that GUAs win over
> ULAs, so what you report is correct out-of-the-box behaviour. The
> description in Mark's blog is not the default scenario, but you could make
> it true by changing the RFC6724 policy table in all your hosts.
>
> If an individual app *wants* to prefer ULAs, it's not hard, but it does
> have to be an explicit choice. (My implementation of GRASP, for example,
> explicitly picks ULA over GUA if both are available, and reverts to
> link-local if neither is available.)
>

Understood.


>
> > I'm happy to learn that I am incorrect, as it would make certain things
> easier, but nothing so far in my experience has shown the described
> behavior.
> >
> > Seemingly relevant to the discussion at hand, and definitely relevant to
> enterprises and providers actively using or considering ULA.
>
> The default in RFC6724 was chosen precisely to avoid surprises for
> enterprises and providers. If you want ULAs as the default preference, you
> have
> to change something.
>

Right, which is functionally impossible for most commercial platforms
meaning it generally doesn't happen so get consistent behavior of ULA being
deprioritized.


>
>      Brian
>
> >
> > nb
> >
> > On Thu, Nov 25, 2021 at 2:49 PM Mark Smith <markzzzsmith@gmail.com
> <mailto:markzzzsmith@gmail.com>> wrote:
> >
> >
> >
> >     On Fri, 26 Nov 2021, 07:41 Clark Gaylord, <cgaylord@vt.edu <mailto:
> cgaylord@vt.edu>> wrote:
> >
> >         Yeah AWS hold their cards close and don't seem to engage the
> community, but they do have decent IPv6 coverage across the services.
> Notwithstanding that the whole VPC concept has the whiff of ancient days
> about
> it; tonight we're gonna network like it's 1999!
> >
> >         EC2 as part of the address is a great idea. I am so stealing
> that (can't believe I haven't thought of it.)
> >
> >
> >     It's a terrible idea. The "Unique" in ULA is on purpose.
> >
> >
> >       Getting IPv6 private addressing right
> >
> >
> https://blog.apnic.net/2020/05/20/getting-ipv6-private-addressing-right/ <
> https://blog.apnic.net/2020/05/20/getting-ipv6-private-addressing-right/>
> >
> >
> >
> >         On Thu, Nov 25, 2021, 15:09 Mark Smith <markzzzsmith@gmail.com
> <mailto:markzzzsmith@gmail.com>> wrote:
> >
> >
> >
> >             On Thu, 25 Nov 2021, 23:51 Ca By, <cb.list6@gmail.com
> <mailto:cb.list6@gmail.com>> wrote:
> >
> >                 Fyi, aws has gone beyond perfunctory ipv6 support and
> has released a series of enhancements, with a focus on ipv6-only scenarios,
> including nat64 / dns64
> >
> >
> https://aws.amazon.com/about-aws/whats-new/2021/11/aws-nat64-dns64-communication-ipv6-ipv4-services/
> <
> https://aws.amazon.com/about-aws/whats-new/2021/11/aws-nat64-dns64-communication-ipv6-ipv4-services/
> >
> >
> >                 AWS has lapped Google and Azure in advanced network
> features, which is really surprising given the early muscle Google
> developed
> at IPv6 launch and a stronger need to differentiate …
> >
> >
> >             AWS failed to do ULAs properly. 'ec2' could be a random
> global ID, but unlikely when their service is "EC2".
> >
> >             Matters more here because they're exposing that to all of
> their tenants. I think GUAs would have been better for these internal all
> tenant services.
> >
> >             I've never seen AWS participate here in 20 years, unlike G
> and M.
> >
> >
> >                 _______________________________________________
> >                 v6ops mailing list
> >                 v6ops@ietf.org <mailto:v6ops@ietf.org>
> >                 https://www.ietf.org/mailman/listinfo/v6ops <
> https://www.ietf.org/mailman/listinfo/v6ops>
> >
> >             _______________________________________________
> >             v6ops mailing list
> >             v6ops@ietf.org <mailto:v6ops@ietf.org>
> >             https://www.ietf.org/mailman/listinfo/v6ops <
> https://www.ietf.org/mailman/listinfo/v6ops>
> >
> >     _______________________________________________
> >     v6ops mailing list
> >     v6ops@ietf.org <mailto:v6ops@ietf.org>
> >     https://www.ietf.org/mailman/listinfo/v6ops <
> https://www.ietf.org/mailman/listinfo/v6ops>
> >
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
> >
>
>

v2.23.0 | Report a Bug | By Email