IETF Logo Mail Archive

Re: [v6ops] Implementation Status of PREF64

Chris Cummings <chris@cummings.tech> Thu, 30 September 2021 14:08 UTC

Return-Path: <chris@cummings.tech>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44BE13A0C7D for <v6ops@ietfa.amsl.com>; Thu, 30 Sep 2021 07:08:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cummings-tech.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YeqLRVmOc6E5 for <v6ops@ietfa.amsl.com>; Thu, 30 Sep 2021 07:08:18 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20EF73A0C7E for <v6ops@ietf.org>; Thu, 30 Sep 2021 07:08:18 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id r43-20020a05683044ab00b0054716b40005so7404568otv.4 for <v6ops@ietf.org>; Thu, 30 Sep 2021 07:08:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cummings-tech.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QhgNiSUFp706Y0O5FgyGDtBEedlCi0zveCqvm4Ra3m0=; b=s1dkOoNMrKPF/0M3Js2p34yj/eOoLJ1UC1v+RgdEga8Znun0XhHmWKH6YcUHheKo5u YDqhJicERWRX1PMql4hT3tKxCJV5YgTAuLacnojt/p3vcYn/cNwXirQ+8UUSU3Q3Nnuz 2HM7Jd75uqlihWfthfkCiXC5ixJ7U2Ow23DrTf5PiUDbTJuvphQmQA6UGQeqZPaYnkCk AWuKgObF7q38Oq5KZfBjhjmwWyGrnltEQ/vtqWNP5k1jlWpwXTxwjfvX1gu7+MOtAZ5P UVjbDpj5X87OzznfzjfcGTKLTfcpn0y3TJV7GjOsEGwDCB7pX5sCheCQV9COJo7tSffS e/aQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QhgNiSUFp706Y0O5FgyGDtBEedlCi0zveCqvm4Ra3m0=; b=QA9alOUTwQIzhbD9K2+nKfeb00qCiu8bgDscXVW7VfDPVjogTa/vRb3BE1TpE961Hz oropouJgkmaOE7ZvUUPN8R6BWtwlaId28rDrZp5dnwvuRGulkudxbC59qBZNC+32FZAp zCPUJO2bCAogzpri4EpspiLTN/CU+WrhxP+7MGddhyNqvbQcPn8+HPtcp61lv4GsXhQY DtfoqUlLHtwmKdUkOAPJhxKTwV5rJfbnI4mzssdJ2pB6LMMSn+bUe+LpT3kMpYAKvULZ 6AoutUP+vSS1a58UCZUges7l8/crB+VzDpEG8YcloswYuwmSnoNPkRAEaKmTz6Kv1eVI oO/g==
X-Gm-Message-State: AOAM530looNtG2m0xa+AWjPOWrc7FgeNfgceG/FkmMEQBol+pM1Kxz/d telM4WMocqkY37dSkCggbUh9E1P4de6SpFObfxStiw==
X-Google-Smtp-Source: ABdhPJwSaMuk1aAswqkMANX/+CiplyAWZ/Edf4zd5ESQ0m2eU4/5yRssq+XE5xVnHTPD0UAwLJJVxahtdF/R/6KGuvY=
X-Received: by 2002:a05:6830:4490:: with SMTP id r16mr3815651otv.251.1633010896926; Thu, 30 Sep 2021 07:08:16 -0700 (PDT)
MIME-Version: 1.0
References: <DDA36020-90CC-471B-83AD-3D98950F1164@delong.com> <CAO42Z2wdoSdJDOB2Zo0=ZK0ecOARRsdg2nbHZGSDOhryPbLfDw@mail.gmail.com> <F2BD0A42-E9AD-45DD-999A-638E73BE1177@delong.com> <CAKD1Yr2K3Gd3JD=NJFOoH6GYgs-8ACxRQB9-sKJ7cbF4_hxsow@mail.gmail.com> <0B533C71-5DB0-410D-A5A3-7E8FD559F214@delong.com> <CAKD1Yr3NoYfNT7+OVJoCCdgdif6AHHw29tNCPttS=-NuRZKv3w@mail.gmail.com> <5FAD5290-3616-4194-B783-D473DB38A89A@delong.com> <m1mVGC6-0000HSC@stereo.hq.phicoh.net> <D6620D7C-8FE8-4294-8014-AB18A230C9C7@delong.com> <m1mVItl-0000GuC@stereo.hq.phicoh.net> <YVN6/cA6Ob3vLJQH@Space.Net> <m1mVK32-0000HpC@stereo.hq.phicoh.net> <CAO42Z2zQys6o41+m1iX1Mm88M7CaUdQa1C+uuYqxz2STfcwt_Q@mail.gmail.com> <d2887464-19d7-da09-d6f6-51ddc0e9ca45@foobar.org> <CAO42Z2w=BVoy-EmkM+x=8bVJc8WAcwRyLrdpsOAxu-as3ed6ZQ@mail.gmail.com> <CAN-Dau0v5dS9esEfQk9w0deG-QLpQ6EH9JJBY4JVcUfstFENkQ@mail.gmail.com> <1e9444b30d964a5cb17ff419eca6cc35@huawei.com> <CAKD1Yr0T-7t-UHbsJBMLpTjKhPAV5uUQkux6oby89TVUue7PyA@mail.gmail.com> <CO1PR11MB4881D400EA4681F1505040D2D8AA9@CO1PR11MB4881.namprd11.prod.outlook.com> <CAKD1Yr3TmqFxjKuZ57wS7VuPOf6rJvOwnvnQdFrRLQ=DkZ+CCw@mail.gmail.com>
In-Reply-To: <CAKD1Yr3TmqFxjKuZ57wS7VuPOf6rJvOwnvnQdFrRLQ=DkZ+CCw@mail.gmail.com>
From: Chris Cummings <chris@cummings.tech>
Date: Thu, 30 Sep 2021 09:08:05 -0500
Message-ID: <CAAYPcbGMsuRh_96=hc2Xs8eKPJ_c=N2Dpdogz9ovf58kmkY9gQ@mail.gmail.com>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Cc: "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006d1a0e05cd36fadc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/hyPJi42YdrgvtSKB8U2hAaYhPyI>
Subject: Re: [v6ops] Implementation Status of PREF64
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2021 14:08:25 -0000

>
> I'm all for finding another solution to this problem, but given some of
> the messages on this thread it doesn't look like there's much room for
> compromise.
>

Lorenzo, the compromise is that you stop blocking the implementation of
something that many people are asking for so that they can run their
networks as they see fit, and leave the decision on how they want to run
things up to them instead of forcing the decision onto them based off of
your beliefs about how IPv6 should work. DHCPv6 doesn't need to be a
default, it just needs to be an option for people to use. Without it, I
know for a fact that v6 rollouts are slower than they need to be as I have
seen networks shrug off IPv6 because they can't use DHCP with all of their
devices (Android).

Chris Cummings


On Thu, Sep 30, 2021 at 4:17 AM Lorenzo Colitti <lorenzo=
40google.com@dmarc.ietf.org> wrote:

> Pascal,
>
> From what's been said so far on this thread, do you think that an
> implementation would achieve anything? Many of the posts here say things
> like, "my network, my rules", and "this network has a policy of requiring
> DHCPv6". Would be interested in seeing whether any of the folks on this
> thread who are saying that Android should implement DHCPv6 support your
> proposal, since it's obviously not DHCPv6. :-)
>
> I'm all for finding another solution to this problem, but given some of
> the messages on this thread it doesn't look like there's much room for
> compromise.
>
> Cheers,
> Lorenzo
>
> On Thu, Sep 30, 2021 at 5:43 PM Pascal Thubert (pthubert) <pthubert=
> 40cisco.com@dmarc.ietf.org> wrote:
>
>> There is, Lorenzo,
>>
>>
>>
>> and strangely enough to me you are still opposing the technical evolution
>> of SLAAC that would make them to be fully efficient – RFC 8505
>> <https://datatracker.ietf.org/doc/html/rfc8505>.
>>
>>
>>
>> I see that our support of First Hop Security (that includes snooping) is
>> explicitly cited in that article. RFC 8505 solves the corner case of
>> snooping, e.g., silent nodes which the article inelegantly ignores but are
>> a real issue when you do not have DHCP to provide a complete state.
>>
>>
>>
>> If needed the infra could easily republish an RFC 8505 registration to
>> that resurrected draft-ietf-dhc-addr-registration
>> <https://datatracker.ietf.org/doc/draft-ietf-dhc-addr-registration/>
>> that you suggest as we do for LISP today, but we foresee a more distributed
>> registrar, e.g., with eVPN (draft-thubert-bess-secure-evpn-mac-signaling)
>> <https://datatracker.ietf.org/doc/html/draft-thubert-bess-secure-evpn-mac-signaling-00>
>> .
>>
>>
>>
>> RFC 8505 allows the device to configure any address it likes as long as
>> it’s not duplicate. It is an alternative from DHCP where the host is still
>> in control of its addresses; it’s still autoconf, but made stateful. It is
>> less work on the host that already has SLAAC than implementing
>> draft-ietf-dhc-addr-registration
>> <https://datatracker.ietf.org/doc/draft-ietf-dhc-addr-registration/> as
>> you suggest in you other mail.
>>
>>
>>
>> I’m still baffled and sad that we are not working together on making this
>> happen in a demo.
>>
>>
>>
>> Keep safe;
>>
>>
>>
>> Pascal
>>
>>
>>
>>
>>
>> *From:* v6ops <v6ops-bounces@ietf.org> *On Behalf Of *Lorenzo Colitti
>> *Sent:* jeudi 30 septembre 2021 9:17
>> *To:* Vasilenko Eduard <vasilenko.eduard@huawei.com>
>> *Cc:* v6ops list <v6ops@ietf.org>; David Farmer <farmer=
>> 40umn.edu@dmarc.ietf.org>
>> *Subject:* Re: [v6ops] Implementation Status of PREF64
>>
>>
>>
>> There are already vendor solutions.
>>
>>
>>
>>
>> https://theinternetprotocolblog.wordpress.com/2020/03/14/does-one-need-dhcpv6/
>>
>>
>>
>> On Thu, Sep 30, 2021 at 4:12 PM Vasilenko Eduard <
>> vasilenko.eduard@huawei.com> wrote:
>>
>> +1.
>>
>> “Show me another solution” is a good message. Just idea or theory is not
>> enough.
>>
>> David has mentioned OpenSource. I would say that vendor product is needed
>> too.
>>
>> Ed/
>>
>> *From:* v6ops [mailto:v6ops-bounces@ietf.org] *On Behalf Of *David Farmer
>> *Sent:* Thursday, September 30, 2021 5:15 AM
>> *To:* Mark Smith <markzzzsmith@gmail.com>; Lorenzo Colitti <
>> lorenzo@google.com>
>> *Cc:* v6ops list <v6ops@ietf.org>
>> *Subject:* Re: [v6ops] Implementation Status of PREF64
>>
>>
>>
>>
>>
>> On Wed, Sep 29, 2021 at 5:16 PM Mark Smith <markzzzsmith@gmail.com>
>> wrote:
>>
>>
>>
>> On Thu, 30 Sep 2021, 03:41 Nick Hilliard, <nick@foobar.org> wrote:
>>
>>
>>
>> Even if you had, that would be fine and you're welcome to your opinions.
>>   Other people disagree because it doesn't make sense on their
>> deployments.
>>
>>
>>
>> If they want to hobble IPv6, such that it is nothing more than a copy of
>> IPv4 with bigger addresses, what is the point of going to the expense and
>> effort of deploying IPv6 when most enterprises have plenty of IPv4 address
>> space via RFC1918 and 100.64/10 if they were willing to abuse it a bit?
>>
>>
>>
>> A hobbled deployment of IPv6, hobbled such that it doesn't provide any
>> useful benefit over IPv4, is just pure business expense. Increased profit
>> is an exceptionally strong disincentive to incurring those.
>>
>>
>>
>> So, instead of just telling people they are doing IPv6 wrong (building a
>> hobbled network) and that DHCP doesn't provide them what they think it
>> does; How about making sure there are good open-source tools to build what
>> you think is a non-hobbled network that meets their needs? In other words,
>> how about providing some good open-source ARP and ND router scraping tools?
>>
>>
>>
>> Now you could point the finger back at me too, but then I'm not saying
>> that building networks with DHCPv6 is building a hobbled network, nor am I
>> refusing to provide a DHCPv6 client for a very popular mobile and IoT
>> platform. So, at least in my opinion, that puts more onus on you than me.
>>
>>
>>
>> So, I agree that DHCP logging (both IPv4 and IPv6) by itself isn't
>> enough, and yes you also need to scrape ARP and ND out of the routers.
>> However, ARP and ND scrapping by themselves aren't enough either, DHCP
>> logging provides much better granularity than is practical from ARP and ND
>> scrapping, at least using SNMP. Also, by having both you can make some
>> assumptions about suspicious access clients that are statically configuring
>> addresses instead of doing DHCP on the access network as they should be.
>>
>>
>>
>> I agree that limiting DHCPv6 clients to only IA-NA  and not providing
>> IA-TA is a bad implementation of DHCPv6. Further, I recommend SLAAC, and we
>> provide SLAAC, for general-purpose (AKA public) access networks with IPv6.
>> But, we also have many networks where that is not appropriate, where I have
>> regulatory and contractual compliance requirements, to protect non-public
>> information, things like FERPA, HIPPA, PCI, and CMMC(1-4). Long-term we
>> want these networks doing IPv6 too.
>>
>>
>>
>> Android smartphones, probably belong on a general-purpose access network
>> with SLAAC for IPv6 in most cases. However, Android is also on many IoT
>> devices, things like point-of-sale terminals, credit card terminals,
>> environmental monitoring sensors, etc... Many of those things I don't want
>> on general-purpose access networks and some of those will have compliance
>> requirements we have to meet. We think DHCPv6 is perfectly appropriate for
>> these networks, and probably for server networks too.
>>
>>
>>
>> In conclusion, while I agree with most of your arguments that DHCPv6
>> isn't necessarily the right way to do IPv6, especially for general-purpose
>> (public) access networks, that doesn’t mean I think DHCPv6 doesn’t have a
>> place in many other networks, and it would be very helpful if Android
>> provided a DHCPv6 client, even as a non-default option.
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>> --
>>
>> ===============================================
>> David Farmer               Email:farmer@umn.edu
>> Networking & Telecommunication Services
>> Office of Information Technology
>> University of Minnesota
>> 2218 University Ave SE        Phone: 612-626-0815
>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>> ===============================================
>>
>> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email