[v6ops] Re: 464XLAT in Multi-interface environments (was: I-D Action: draft-ietf-v6ops-claton-02.txt)

Jen Linkova <furry13@gmail.com> Mon, 04 November 2024 19:13 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC12FC1516F3 for <v6ops@ietfa.amsl.com>; Mon, 4 Nov 2024 11:13:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dE5LU9hYZ4dc for <v6ops@ietfa.amsl.com>; Mon, 4 Nov 2024 11:13:14 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C85BAC1D876C for <v6ops@ietf.org>; Mon, 4 Nov 2024 11:13:14 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id 38308e7fff4ca-2fb4ec17f5cso35323691fa.3 for <v6ops@ietf.org>; Mon, 04 Nov 2024 11:13:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1730747593; x=1731352393; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Ektx1Niunbd0/fCyybPNzPUS8GbSv3wIQ//LuVgDrZA=; b=jBKSXUXFXIscM3toYXdiKq2HHm8amOWMK1xF4ZYU6eh6Id9D7N8lYWpUf15lMsi+bi 0t/pIqwIlJwx9NXSL4Yc0ioZMMjgc24f0ATxbgy7jtHgVb/qsFY00yKNZ4oGcmc38OGD RsqoZylOhAmk5ix5PFdy7rH3pD9RMKvcCNFe/ab4LBaBm/hHOid/M/2ae+VXylFh8qId lm/7qw0eEetxoTR7l5Fc964yXGJ4GxyIpBOG/tFXuB5im9ETcXZMCLMlFqYyWXzrHolR SvrkXZYvearhHkuGT4TRykYfxsX29ODdASudasTz8FWaFecKLRj9r2rfsB0R8xcXJh/f pUGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1730747593; x=1731352393; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Ektx1Niunbd0/fCyybPNzPUS8GbSv3wIQ//LuVgDrZA=; b=dxVzPfVMjfogsA2GjHa20CgrzfQRGv4fedVcv9Qp3gbt2jZra4ouElcELOXCpmnwuE dc5qm+YaQZFsjFy/3a/NKOB9y4TQ7prYrGMBcwlBMAAmoyl4Q1xL+pKmOdwNr6X9ctR5 GwZ8Mxvtg8l5OMnA/3sk9CEpuElwqZCZwsT31gHl5zPAg4+MMW9VfiVs56vqZ9iTt+CA 9Z7N0uTHqsOXd2chJ9H8IcyLiJzP2WMg4KcTtAAn8Z8vNY1LXZHQuXh+ZaDf2mvA7Q6G wHDGTym3CUcaMBkmXWWncvpUC6fAcFAfCPGKVEHHmxaWrpucdrFp6qkjbU/tSec7p1By zNGA==
X-Gm-Message-State: AOJu0YwpOkGt8nkU7u8ZGHmUbHKIR3/HqlzDaCCmqKwt+wFGCK4CIpGm KD+QREoKda8iJlYyEDeFBUFRVV2VhgIjFdHjz7ZEVbozvyb+f0K0FT5aym8fsmAOZUYriZroqGb TzGHIc+uQ7SwHhCqoSCUxny1397prASJhBVA=
X-Google-Smtp-Source: AGHT+IGH/dx3kPWMywreGYn1EUYjs5yL+w0MDcmxND/Yb30OPwT20f3FIYBrblXiMtsWVpcVx/01lcIIXbol9Pc8eq8=
X-Received: by 2002:a2e:be23:0:b0:2fa:c0fc:e3d6 with SMTP id 38308e7fff4ca-2fd058fb75emr103452901fa.7.1730747592682; Mon, 04 Nov 2024 11:13:12 -0800 (PST)
MIME-Version: 1.0
References: <172954645439.2070596.1455805667911500824@dt-datatracker-78dc5ccf94-w8wgc> <5009F747-6459-4F9F-BF83-C1F3437B5CC4@tiesel.net> <CAFU7BATO7PB5igFi566k01puf0WmSFFvpajFhRi7x_eh6neFmA@mail.gmail.com> <50DAE53B-06D5-4331-9C86-2D1B4A80B9BF@tiesel.net>
In-Reply-To: <50DAE53B-06D5-4331-9C86-2D1B4A80B9BF@tiesel.net>
From: Jen Linkova <furry13@gmail.com>
Date: Mon, 04 Nov 2024 19:12:59 +0000
Message-ID: <CAFU7BAQesaEcH9wG3oggAgjTXJxs24MFA4b5EGKN-OvL3XRrTg@mail.gmail.com>
To: Philipp Tiesel <philipp@tiesel.net>
Content-Type: multipart/alternative; boundary="00000000000075376a06261b134e"
Message-ID-Hash: THCRHALOOWL23QUDG2YFEX6EYZKQTTUZ
X-Message-ID-Hash: THCRHALOOWL23QUDG2YFEX6EYZKQTTUZ
X-MailFrom: furry13@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-v6ops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: V6 Ops List <v6ops@ietf.org>, Tommy Jensen <tojens.ietf@gmail.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [v6ops] Re: 464XLAT in Multi-interface environments (was: I-D Action: draft-ietf-v6ops-claton-02.txt)
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/j3b0WXpR6i2JkX7Dj3F_LdNJUbs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Owner: <mailto:v6ops-owner@ietf.org>
List-Post: <mailto:v6ops@ietf.org>
List-Subscribe: <mailto:v6ops-join@ietf.org>
List-Unsubscribe: <mailto:v6ops-leave@ietf.org>

On Tue, Nov 5, 2024 at 1:08 AM Philipp Tiesel <philipp@tiesel.net> wrote:
> I found two other issue:
>
>
> First, Section 7.1 states the following:
> > If the node runs multiple CLAT instances (see Section 4), the node
> > SHOULD use different local IPv4 addresses for each CLAT instance.
>
> MacOS is doing that differently and uses 192.0.0.2 on all interfaces,
> which is fine unless the OS was unable to select an output interface
without binding to the interface IP
> or would not support the same IP on multiple interfaces.
>
> —> Can we replace that should with a MAY or better explain it?

I'd love to hear what the implementers think. I assumed - apparently
incorrect - that it's easier to use different addresses. But if it doesn't
provide benefits, we can drop that requirement.

> Second, draft-ietf-v6ops-claton does not talk about source address
selection for CLAT.

I believe it does:
https://www.ietf.org/archive/id/draft-ietf-v6ops-claton-02.html#name-clat-and-multiple-prefixes-

> I only stumbled over this issue as macOS, if there a multiple prefixes in
the same RA as the PREF64 option, prefers ULA over GUA as CLAT IP address,
which broke some things at home for me.
>
> If we follow the source address selection in rfc6724 or
draft-ietf-6man-rfc6724-update, the well-know prefix or any non-ULA custom
prefix would match ::/0 , the same-label rule would require the source for
the packages leaving the v6 side of the CLAT should be a GUA.
> On the other hand, the CLAT address is not chosen per flow, but on
creation of the CLAT, so what does not apply directly.
>
> A way around this issue is following the model in draft-link-v6ops-gulla,
so by putting the PREF64 only on the GUA or ULA RA would allow the operator
to choose.
>
> I suspect we should talk about how we expect this to behave…

I believe there are multiple problems here:
1. What to do if the network provides the host with multiple PIOs with A=1.
Our experience confirms that  MacOS only picks up one prefix to form the
CLAT address. This is clearly an issue, as it means that CLAt might not
work very well in a multihoming scenarios or if the network was
flash-renumbered. This is explicitly described in the draft: all PIOs with
A=1 shall be used for PREF64.

2. What to do if there are multiple routers, and only some of them includes
a PREF64 option. So you are suggesting that PIOs SHOULD only be used to
form a CLAT address, if the same RA contained PREF64? That's an interesting
suggestion.
Especially if we imagine for a second that the host might get multiple
PREF64.
As per Section 3 of RFC7050:
"The node MUST use all learned Pref64::/n
   when performing local IPv6 address synthesis and use the prefixes in
   the order received from the DNS64 server.  That is, when the node is
   providing a list of locally synthesized IPv6 addresses to upper
   layers, IPv6 addresses MUST be synthesized by using all discovered
   Pref64::/n prefixes in the received order."

So we might have the following cases:
2.1 all routers provide the same PREF64. Easy: as per the current version,
CLAT addresses are formed from all PIOs. and rule 5.5 is used to select an
address.
2.2 all routers provide PREF64 but those prefixes are different. The only
way to make it work is to track {PIO, PREF64, router} mapping, form
addresses from all PIOs, use Rule 5.5 and use the correct PREF64 for
translation. Complicated but, I guess, doable.

2.3 only *some* routers provide PREF64, some don't. As I do not think we
can - for any foreseeable future - expect IPv6-only networks w/o NAT64, I
guess we can assume that even if a router doesn't send PREF64 on an
IPv6-only segment, that network must still provide NAT64. However, things
could get badly broken if the prefix is different to one provided in
PREF64. So there is no guarantee that the same prefix can be used for
routers which do not advertize pref64. So yes, maybe only addresses from
PIOs received together with PREF64 shall be used...

2.4 No routers advertizes PREF64. Then, as per the draft, the node MAY use
other mechanisms. If it's the same prefix, then Rule 5.5 ensures that the
correct source is used. However if there are multiple prefixes, it's going
to be a disaster - another argument in favour of not using 7050 (This might
need to be mentioned in
https://datatracker.ietf.org/doc/draft-buraglio-deprecate7050/ and
https://datatracker.ietf.org/doc/draft-ietf-v6ops-6mops/)