IETF Logo Mail Archive

Re: [v6ops] draIn ft-ietf-v6ops-design-choices WGLC

"Ackermann, Michael" <MAckermann@bcbsm.com> Thu, 09 April 2015 15:58 UTC

Return-Path: <mackermann@bcbsm.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBACD1B2DAC for <v6ops@ietfa.amsl.com>; Thu, 9 Apr 2015 08:58:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tVEg-AbcfIpq for <v6ops@ietfa.amsl.com>; Thu, 9 Apr 2015 08:58:47 -0700 (PDT)
Received: from mx.z120.zixworks.com (mx.z120.zixworks.com [199.30.235.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F22971B2DA1 for <v6ops@ietf.org>; Thu, 9 Apr 2015 08:58:46 -0700 (PDT)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1]) by Outbound.z120.zixworks.com (Proprietary) with SMTP id C5650282095 for <v6ops@ietf.org>; Thu, 9 Apr 2015 10:58:45 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [12.107.172.81]) by mx.z120.zixworks.com (Proprietary) with SMTP id 3154328200D; Thu, 9 Apr 2015 10:58:45 -0500 (CDT)
Received: from imsva2.bcbsm.com (unknown [127.0.0.1]) by IMSVA80 (Postfix) with ESMTP id ADDEB2F51AA; Thu, 9 Apr 2015 11:55:51 -0400 (EDT)
Received: from pwn401ea105.ent.corp.bcbsm.com (unknown [10.64.102.241]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by imsva2.bcbsm.com (Postfix) with ESMTP id A03CE2F51A2; Thu, 9 Apr 2015 11:55:51 -0400 (EDT)
Received: from PWN401EA160.ent.corp.bcbsm.com ([fe80::fdcb:603d:469e:b1db]) by PWN401EA105.ent.corp.bcbsm.com ([fe80::f13e:83e4:1dae:5345%10]) with mapi id 14.01.0438.000; Thu, 9 Apr 2015 11:58:44 -0400
From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Nick Hilliard <nick@foobar.org>, Mark ZZZ Smith <markzzzsmith@yahoo.com.au>, Philip Matthews <philip_matthews@magma.ca>, "Fred Baker (fred)" <fred@cisco.com>
Thread-Topic: [v6ops] draIn ft-ietf-v6ops-design-choices WGLC
Thread-Index: AdBwejVZflkIuUqSRyO7yHiQggoOUQBQBUQAADGQMIAAFEHyUAAKlbwAAAe2V4A=
Date: Thu, 09 Apr 2015 15:58:36 +0000
Message-ID: <4FC37E442D05A748896589E468752CAA0CDB016B@PWN401EA160.ent.corp.bcbsm.com>
References: <7DF32A06-80FA-461A-A387-DE55F1DB79DB@magma.ca> <2004183372.2937208.1428540561672.JavaMail.yahoo@mail.yahoo.com> <4FC37E442D05A748896589E468752CAA0CDAFE85@PWN401EA160.ent.corp.bcbsm.com> <55269B8C.7060703@foobar.org>
In-Reply-To: <55269B8C.7060703@foobar.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.10.35]
x-tm-as-product-ver: SMEX-10.2.0.3262-7.500.1018-21460.005
x-tm-as-result: No--51.690000-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-VPM-HOST: vmvpm02.z120.zixworks.com
X-VPM-GROUP-ID: 419f5088-7f8e-4a35-9abc-cb7a9f6bd502
X-VPM-MSG-ID: 92e91de6-89e3-440b-939d-a516d3cafad4
X-VPM-ENC-REGIME: Plaintext
X-VPM-CERT-FLAG: 0
X-VPM-IS-HYBRID: 0
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/iFHE2DX3G_1u47GhGUNL0VcZBQ0>
Cc: v6ops list <v6ops@ietf.org>
Subject: Re: [v6ops] draIn ft-ietf-v6ops-design-choices WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2015 15:58:51 -0000

Makes sense.   I can see where your BGP set up would be compelling.  

One of my questions was if the Link Local Pros and Cons would be different for End Hosts vs Middle Boxes.  
Your comments make me think that it may be good for End Hosts, but not so much Middle Boxes,  in particular large scale provider networks.  

You mention that you remove Link Locals wherever possible.    On what platforms is this possible without removing most of IPv6?    Does this cause issues with intrinsic functions such as NDP, etc.?  

Thanks. 

Mike   

-----Original Message-----
From: Nick Hilliard [mailto:nick@foobar.org] 
Sent: Thursday, April 09, 2015 11:32 AM
To: Ackermann, Michael; Mark ZZZ Smith; Philip Matthews; Fred Baker (fred)
Cc: v6ops list
Subject: Re: [v6ops] draIn ft-ietf-v6ops-design-choices WGLC

On 09/04/2015 15:41, Ackermann, Michael wrote:
> Documenting the pros and cons of using link locals as next hops, so 
> that informed decisions can be made (especially by those perhaps less
> knowledgeable on IPv6),  would be a great benefit.       My organization is
>  just starting to test this, so I would appreciate input on this from 
> those with more actual, practical experiences,  but  from what I have 
> seen so far,  the link local benies would include:
> 
> 1.       Omnipresence.
> 2.       Stability and unaffected by external events.   
> 3.       More Secure
>
> So pretty consistent with what you said.
> 
> What I do not know is what the drawbacks to using Link Locals for next hop
> might be?      

Large-scale provider networks would normally use a GUA as a next-hop for the bgp prefix and set it to be the address of the PE device which originated the prefix.  This allows prefix information to be carried in BGP with NH reachability handled by the IGP.  I.e. IGP is used purely for loopbacks and iBGP is used for everything else.  This avoids a large number of troublesome design and scaling problems on many networks.

As a service provider network operator, I would go some lengths to avoid using link-locals as NH addresses.  They provide no particular advantage that I'm interested in and have a bunch of serious disadvantages, of which the above is the main one.  The other main one is that they cause massive fail when it comes to debugging problems.

With regard to the features that you listed:

- link-local addresses are not omnipresent, even if they are a mandatory part of the protocol.  Personally, I prefer to disable them if there is an option to do so.  Obviously this does not work if you're running protocols which require them (e.g. ospf).

- "Stability and unaffected by external events".  The only stable address on a router is a loopback.  MAC addresses can change due to e.g. software upgrades.

- "more secure" is a statement of opinion which lacks context.  They're unreachable if you're off-link, and if there is a requirement to consider this as a security feature, infrastructure ACLs could equally be implemented to give GUA addressing an equivalent level of security.

Nick



The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.
 
 Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.

v2.46.0 | Report a Bug | By Email | System Status