[v6ops] Re: 464XLAT in Multi-interface environments (was: I-D Action: draft-ietf-v6ops-claton-02.txt)
Jen Linkova <furry13@gmail.com> Mon, 04 November 2024 19:13 UTC
Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC12FC1516F3 for <v6ops@ietfa.amsl.com>; Mon, 4 Nov 2024 11:13:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dE5LU9hYZ4dc for <v6ops@ietfa.amsl.com>; Mon, 4 Nov 2024 11:13:14 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C85BAC1D876C for <v6ops@ietf.org>; Mon, 4 Nov 2024 11:13:14 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id 38308e7fff4ca-2fb4ec17f5cso35323691fa.3 for <v6ops@ietf.org>; Mon, 04 Nov 2024 11:13:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1730747593; x=1731352393; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Ektx1Niunbd0/fCyybPNzPUS8GbSv3wIQ//LuVgDrZA=; b=jBKSXUXFXIscM3toYXdiKq2HHm8amOWMK1xF4ZYU6eh6Id9D7N8lYWpUf15lMsi+bi 0t/pIqwIlJwx9NXSL4Yc0ioZMMjgc24f0ATxbgy7jtHgVb/qsFY00yKNZ4oGcmc38OGD RsqoZylOhAmk5ix5PFdy7rH3pD9RMKvcCNFe/ab4LBaBm/hHOid/M/2ae+VXylFh8qId lm/7qw0eEetxoTR7l5Fc964yXGJ4GxyIpBOG/tFXuB5im9ETcXZMCLMlFqYyWXzrHolR SvrkXZYvearhHkuGT4TRykYfxsX29ODdASudasTz8FWaFecKLRj9r2rfsB0R8xcXJh/f pUGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1730747593; x=1731352393; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Ektx1Niunbd0/fCyybPNzPUS8GbSv3wIQ//LuVgDrZA=; b=dxVzPfVMjfogsA2GjHa20CgrzfQRGv4fedVcv9Qp3gbt2jZra4ouElcELOXCpmnwuE dc5qm+YaQZFsjFy/3a/NKOB9y4TQ7prYrGMBcwlBMAAmoyl4Q1xL+pKmOdwNr6X9ctR5 GwZ8Mxvtg8l5OMnA/3sk9CEpuElwqZCZwsT31gHl5zPAg4+MMW9VfiVs56vqZ9iTt+CA 9Z7N0uTHqsOXd2chJ9H8IcyLiJzP2WMg4KcTtAAn8Z8vNY1LXZHQuXh+ZaDf2mvA7Q6G wHDGTym3CUcaMBkmXWWncvpUC6fAcFAfCPGKVEHHmxaWrpucdrFp6qkjbU/tSec7p1By zNGA==
X-Gm-Message-State: AOJu0YwpOkGt8nkU7u8ZGHmUbHKIR3/HqlzDaCCmqKwt+wFGCK4CIpGm KD+QREoKda8iJlYyEDeFBUFRVV2VhgIjFdHjz7ZEVbozvyb+f0K0FT5aym8fsmAOZUYriZroqGb TzGHIc+uQ7SwHhCqoSCUxny1397prASJhBVA=
X-Google-Smtp-Source: AGHT+IGH/dx3kPWMywreGYn1EUYjs5yL+w0MDcmxND/Yb30OPwT20f3FIYBrblXiMtsWVpcVx/01lcIIXbol9Pc8eq8=
X-Received: by 2002:a2e:be23:0:b0:2fa:c0fc:e3d6 with SMTP id 38308e7fff4ca-2fd058fb75emr103452901fa.7.1730747592682; Mon, 04 Nov 2024 11:13:12 -0800 (PST)
MIME-Version: 1.0
References: <172954645439.2070596.1455805667911500824@dt-datatracker-78dc5ccf94-w8wgc> <5009F747-6459-4F9F-BF83-C1F3437B5CC4@tiesel.net> <CAFU7BATO7PB5igFi566k01puf0WmSFFvpajFhRi7x_eh6neFmA@mail.gmail.com> <50DAE53B-06D5-4331-9C86-2D1B4A80B9BF@tiesel.net>
In-Reply-To: <50DAE53B-06D5-4331-9C86-2D1B4A80B9BF@tiesel.net>
From: Jen Linkova <furry13@gmail.com>
Date: Mon, 04 Nov 2024 19:12:59 +0000
Message-ID: <CAFU7BAQesaEcH9wG3oggAgjTXJxs24MFA4b5EGKN-OvL3XRrTg@mail.gmail.com>
To: Philipp Tiesel <philipp@tiesel.net>
Content-Type: multipart/alternative; boundary="00000000000075376a06261b134e"
Message-ID-Hash: THCRHALOOWL23QUDG2YFEX6EYZKQTTUZ
X-Message-ID-Hash: THCRHALOOWL23QUDG2YFEX6EYZKQTTUZ
X-MailFrom: furry13@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-v6ops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: V6 Ops List <v6ops@ietf.org>, Tommy Jensen <tojens.ietf@gmail.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [v6ops] Re: 464XLAT in Multi-interface environments (was: I-D Action: draft-ietf-v6ops-claton-02.txt)
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/j3b0WXpR6i2JkX7Dj3F_LdNJUbs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Owner: <mailto:v6ops-owner@ietf.org>
List-Post: <mailto:v6ops@ietf.org>
List-Subscribe: <mailto:v6ops-join@ietf.org>
List-Unsubscribe: <mailto:v6ops-leave@ietf.org>
On Tue, Nov 5, 2024 at 1:08 AM Philipp Tiesel <philipp@tiesel.net> wrote: > I found two other issue: > > > First, Section 7.1 states the following: > > If the node runs multiple CLAT instances (see Section 4), the node > > SHOULD use different local IPv4 addresses for each CLAT instance. > > MacOS is doing that differently and uses 192.0.0.2 on all interfaces, > which is fine unless the OS was unable to select an output interface without binding to the interface IP > or would not support the same IP on multiple interfaces. > > —> Can we replace that should with a MAY or better explain it? I'd love to hear what the implementers think. I assumed - apparently incorrect - that it's easier to use different addresses. But if it doesn't provide benefits, we can drop that requirement. > Second, draft-ietf-v6ops-claton does not talk about source address selection for CLAT. I believe it does: https://www.ietf.org/archive/id/draft-ietf-v6ops-claton-02.html#name-clat-and-multiple-prefixes- > I only stumbled over this issue as macOS, if there a multiple prefixes in the same RA as the PREF64 option, prefers ULA over GUA as CLAT IP address, which broke some things at home for me. > > If we follow the source address selection in rfc6724 or draft-ietf-6man-rfc6724-update, the well-know prefix or any non-ULA custom prefix would match ::/0 , the same-label rule would require the source for the packages leaving the v6 side of the CLAT should be a GUA. > On the other hand, the CLAT address is not chosen per flow, but on creation of the CLAT, so what does not apply directly. > > A way around this issue is following the model in draft-link-v6ops-gulla, so by putting the PREF64 only on the GUA or ULA RA would allow the operator to choose. > > I suspect we should talk about how we expect this to behave… I believe there are multiple problems here: 1. What to do if the network provides the host with multiple PIOs with A=1. Our experience confirms that MacOS only picks up one prefix to form the CLAT address. This is clearly an issue, as it means that CLAt might not work very well in a multihoming scenarios or if the network was flash-renumbered. This is explicitly described in the draft: all PIOs with A=1 shall be used for PREF64. 2. What to do if there are multiple routers, and only some of them includes a PREF64 option. So you are suggesting that PIOs SHOULD only be used to form a CLAT address, if the same RA contained PREF64? That's an interesting suggestion. Especially if we imagine for a second that the host might get multiple PREF64. As per Section 3 of RFC7050: "The node MUST use all learned Pref64::/n when performing local IPv6 address synthesis and use the prefixes in the order received from the DNS64 server. That is, when the node is providing a list of locally synthesized IPv6 addresses to upper layers, IPv6 addresses MUST be synthesized by using all discovered Pref64::/n prefixes in the received order." So we might have the following cases: 2.1 all routers provide the same PREF64. Easy: as per the current version, CLAT addresses are formed from all PIOs. and rule 5.5 is used to select an address. 2.2 all routers provide PREF64 but those prefixes are different. The only way to make it work is to track {PIO, PREF64, router} mapping, form addresses from all PIOs, use Rule 5.5 and use the correct PREF64 for translation. Complicated but, I guess, doable. 2.3 only *some* routers provide PREF64, some don't. As I do not think we can - for any foreseeable future - expect IPv6-only networks w/o NAT64, I guess we can assume that even if a router doesn't send PREF64 on an IPv6-only segment, that network must still provide NAT64. However, things could get badly broken if the prefix is different to one provided in PREF64. So there is no guarantee that the same prefix can be used for routers which do not advertize pref64. So yes, maybe only addresses from PIOs received together with PREF64 shall be used... 2.4 No routers advertizes PREF64. Then, as per the draft, the node MAY use other mechanisms. If it's the same prefix, then Rule 5.5 ensures that the correct source is used. However if there are multiple prefixes, it's going to be a disaster - another argument in favour of not using 7050 (This might need to be mentioned in https://datatracker.ietf.org/doc/draft-buraglio-deprecate7050/ and https://datatracker.ietf.org/doc/draft-ietf-v6ops-6mops/)
- [v6ops] I-D Action: draft-ietf-v6ops-claton-02.txt internet-drafts
- [v6ops] 464XLAT in Multi-interface environments (… Philipp Tiesel
- [v6ops] Re: 464XLAT in Multi-interface environmen… Jen Linkova
- [v6ops] Re: 464XLAT in Multi-interface environmen… Philipp Tiesel
- [v6ops] Re: 464XLAT in Multi-interface environmen… Jen Linkova
- [v6ops] Re: 464XLAT in Multi-interface environmen… tojens.ietf
- [v6ops] Re: 464XLAT in Multi-interface environmen… Philipp Tiesel