IETF Logo Mail Archive

Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]

David Farmer <farmer@umn.edu> Tue, 26 April 2022 00:38 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B269C06D35F for <v6ops@ietfa.amsl.com>; Mon, 25 Apr 2022 17:38:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fblpEljJ-0fT for <v6ops@ietfa.amsl.com>; Mon, 25 Apr 2022 17:38:34 -0700 (PDT)
Received: from mta-p5.oit.umn.edu (mta-p5.oit.umn.edu [134.84.196.205]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53374C1D5AD4 for <v6ops@ietf.org>; Mon, 25 Apr 2022 17:38:33 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id 4KnNKM71zQz9vCDp for <v6ops@ietf.org>; Tue, 26 Apr 2022 00:38:31 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7uzPrlAp2QqJ for <v6ops@ietf.org>; Mon, 25 Apr 2022 19:38:31 -0500 (CDT)
Received: from mail-ej1-f72.google.com (mail-ej1-f72.google.com [209.85.218.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id 4KnNKL5cLHz9vCDn for <v6ops@ietf.org>; Mon, 25 Apr 2022 19:38:30 -0500 (CDT)
DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p5.oit.umn.edu 4KnNKL5cLHz9vCDn
DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p5.oit.umn.edu 4KnNKL5cLHz9vCDn
Received: by mail-ej1-f72.google.com with SMTP id mp18-20020a1709071b1200b006e7f314ecb3so8104316ejc.23 for <v6ops@ietf.org>; Mon, 25 Apr 2022 17:38:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wOpENTfJnQyGuuTCn2PsW3lF+cn+F0NRp1HbvL6+VMI=; b=g4z3NaGo4ZiWkKFhEin4XmY8qI1qC2ksQUfQ815vRiVPAav7hsaMeMf2GVm/tk6PwY vPyis762rC3yL5kK+gd/NkgeWYfg6oksCKHtT1CvWL8mnweJgFUhdtbVIR+EBVLGZRHA qyYy2dzzhNK1smpowgmJ/9wZ2TYjiIpleaVA0QLnq/43a1FYhdYQLMuPUoNNRbdSjneI Wg2e3iZb0unp20g+PvkQF0ItA4ZlaBNMhRrDIQRgAoGqoIyHx+EAYADiuO4F3cVr0o3x OA70NkS5pLcjb5TZhUTNqijDBrjzEKh4fSAQeEqP2hulGnbixgBFCaa2Y1FWpTknmZ0F UOuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wOpENTfJnQyGuuTCn2PsW3lF+cn+F0NRp1HbvL6+VMI=; b=WCWz8Lwe51TMpvKW5cye9oOBOQ4UUibe+PCj6AA10HBfPIrCoSGBsEeLdmBxWNRoLh MYh2GoEwZnWxlIC0vgalDbso+3GybDm69wFY6+OD+FPLI/0haYBOIrMW1bPg/oz3kNN3 lCMnGKAyPL+3mRBY3k8xrlYypYliyIDhrXaLNRWSmHbxb5CUXeYJkiAFfahRZGpwZ/gG ijF/ZXgJXtQL86YlPFWd/RK226GQkg6WX6eBDC6f+6K1FPyKspVSZwlgH6R/5p5D21vh vBuYKOe2zJ6Gzurp+fWkMOYi4OrmQPa8+n251veKvZA8yTqVVsdqjIZIRxxuM/Kq+cLH jLfg==
X-Gm-Message-State: AOAM533QG3J3TL7QtjVRH5MGjgY+ghOkyYh5YfId+Rl3eNh7tXptZ8K1 VY6xG1SyLfpyCrgYRpQSIcuBxMP707DDi/iQoxGw/K3wtITQqa9E18SCHzN6MTAW9/HIOLIMDRF bv730qnStbU10KFONX1dnkixC0Q==
X-Received: by 2002:a05:6402:254e:b0:424:244:faf with SMTP id l14-20020a056402254e00b0042402440fafmr21911149edb.260.1650933508795; Mon, 25 Apr 2022 17:38:28 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzqb43Y93Pq3ERUcFVPhdrxrxVAOTLybus0RsgNHdOioOIpPPBlRa5Bwi4Lkc0VDkYacwrcVx8JxjUJifPtw2g=
X-Received: by 2002:a05:6402:254e:b0:424:244:faf with SMTP id l14-20020a056402254e00b0042402440fafmr21911106edb.260.1650933508037; Mon, 25 Apr 2022 17:38:28 -0700 (PDT)
MIME-Version: 1.0
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com> <BN8PR07MB70760D9693580F5BDCB61DD995F89@BN8PR07MB7076.namprd07.prod.outlook.com> <CAKD1Yr3Z9wGQ+uiA2WcW00MrOiLyHs+bSoFjHVtrixCi2qp4DA@mail.gmail.com> <BN8PR07MB7076A6456CAB48EF428D6E8695F89@BN8PR07MB7076.namprd07.prod.outlook.com> <65d0d9ac-77fc-c200-09e3-0c3949ca1541@gmail.com> <CAN-Dau2FS99ewfgH8xk-jSJFCnO92CJV9ZC98DUE2UDR7V1Eww@mail.gmail.com> <CANMZLAYbpZBDA8uFnJqfWfWTQ4S9RN4a-DqWe36qzfAfDtXiQA@mail.gmail.com>
In-Reply-To: <CANMZLAYbpZBDA8uFnJqfWfWTQ4S9RN4a-DqWe36qzfAfDtXiQA@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Mon, 25 Apr 2022 19:38:16 -0500
Message-ID: <CAN-Dau0BjRR2_7xz38DpJsz0Y=Z_8bV5n-=Eh1QUVEDzqVxmaA@mail.gmail.com>
To: Brian Carpenter <brian.e.carpenter@gmail.com>
Cc: 6man list <ipv6@ietf.org>, Erik Auerswald <auerswald@fg-networking.de>, Kevin Myers <kevin.myers@iparchitechs.com>, Lorenzo Colitti <lorenzo@google.com>, Ted Lemon <elemon@apple.com>, v6ops list <v6ops@ietf.org>
Content-Type: multipart/related; boundary="0000000000004b8bf805dd83e974"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/jiWcfeDxyUqEzXWQf_yD66SvIWQ>
Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2022 00:38:38 -0000

I’ve asked that too and have never received an answer, I always get pointed
requirement 1.3.7, that is it.

Sorry, I can’t be more helpful.

On Mon, Apr 25, 2022 at 18:58 Brian Carpenter <brian.e.carpenter@gmail.com>
wrote:

> No, I explicitly don't want to look at audit rules. I want someone who
> understands them to explain what the functional requirements are. NAT is
> not a functional requirement.
>
> Regards,
>     Brian Carpenter
>     (via tiny screen & keyboard)
>
> On Tue, 26 Apr 2022, 11:06 David Farmer, <farmer@umn.edu> wrote:
>
>> You want to look at PCI DSS 3.2 requirement 1.3.7.
>> [image: image.png]
>>
>> Compensating controls is an option, but auditors have to sign off on
>> them, and the whole process is about minimizing exceptions and getting a
>> clean audit. IT isn't in charge of this, finance people are, it's not
>> technical, it's all about the money, and numbers with 7 or 8 significant
>> digits or more.
>>
>> I've been on that the merry-go-round several times, I believe in IPv6
>> E2E, but if anyone asks me just do NPTv6 or NAT66, whatever the
>> auditor wants you to do.
>>
>> Have fun on the merry-go-round, I'll pass.
>>
>> Thanks
>>
>> On Mon, Apr 25, 2022 at 5:32 PM Brian E Carpenter <
>> brian.e.carpenter@gmail.com> wrote:
>>
>>> Kevin,
>>>
>>> > Auditing frameworks and auditors are just not ready for IPv6 and
>>> without migration strategies like NAT, they'll have no reason to be because
>>> IPv4 will continue to dominate.
>>>
>>> You're describing a vicious circle, and the question is how can we break
>>> it?
>>>
>>> Advocating NPTv6 might achieve that, but many of us dislike that
>>> strategy.
>>>
>>> Can you explain what are the technical requirements in PCI-DSS land that
>>> have been interpreted as requiring NAT44? Is it time for RFC4864bis,
>>> because this is exactly what we were aiming at with that RFC?
>>>
>>> Regards
>>>     Brian Carpenter
>>>
>>> On 25-Apr-22 17:34, Kevin Myers wrote:
>>> > This misses the problem entirely though.
>>> >
>>> > It's not a choice to reconsider, these are regulatory requirements.
>>> The
>>> fact that a handful of enterprises have deployed IPv6 doesn't move the
>>> needle on compliance for the vast majority of them.
>>> >
>>> > No retail enterprise is going to choose IPv6 without NAT internally if
>>> it means not being permitted to use credit cards because of a failed
>>> PCI-DSS audit.
>>> >
>>> > Auditing frameworks and auditors are just not ready for IPv6 and
>>> without migration strategies like NAT, they'll have no reason to be because
>>> IPv4 will continue to dominate.
>>> >
>>> >
>>> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>> > *From:* Lorenzo Colitti <lorenzo@google.com>
>>> > *Sent:* Sunday, April 24, 2022, 11:27 PM
>>> > *To:* Kevin Myers <kevin.myers@iparchitechs.com>
>>> > *Cc:* Brian E Carpenter <brian.e.carpenter@gmail.com>; Erik Auerswald
>>> <auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>; v6ops list <
>>> v6ops@ietf.org>; 6man list <ipv6@ietf.org>
>>> > *Subject:* Re: [v6ops] ULA precedence [Thoughts about wider
>>> operational
>>> input]
>>> >
>>> > There are several fortune 500 companies that have publicly stated that
>>> they have deployed IPv6 with global addressing, so that's definitely
>>> possible.
>>> >
>>> > As for "is it better to deploy IPv6 with NAT66 or not to deploy at
>>> all", I would guess it depends who you ask. My personal answer would be no.
>>> It's possible that when faced with app and OS incompatibilities, those
>>> enterprises might reconsider. Or they might pick the same technical
>>> solutions as the enterprises that have already deployed with global
>>> addresses.
>>> >
>>> > On Mon, Apr 25, 2022 at 12:42 PM Kevin Myers <
>>> kevin.myers@iparchitechs.com <mailto:kevin.myers@iparchitechs.com>>
>>> wrote:
>>> >
>>> >     IPv6 NAT is already being deployed in large enterprises for the
>>> few
>>> that want to tackle IPv6. Vendor implementations exist, so that ship has
>>> sailed regardless of where the IETF lands.
>>> >
>>> >     Most of the Fortune 500 fall under regulatory compliance of one
>>> body or another (PCI-DSS, FIPS, HIPAA, etc) and none of them are setup well
>>> for an IPv6 no-NAT world. Most of the discussion I see around enterprise
>>> adoption on the IETF lists misses this point. It matters very little
>>> whether NAT is a "good" or "bad" practice when it comes to selecting an
>>> operational model. Enterprises choose operational models that will pass
>>> audits
>>> and the overwhelming majority rely heavily on NAT.  We can make the
>>> argument that compliance bodies and auditors should update their guidance
>>> and standards and they absolutely should, but it will probably take
>>> close
>>> to a decade to change the regulatory compliance auditing landscape to
>>> the
>>> point that IPv6 without NAT is commonplace.
>>> >
>>> >     If auditors won't sign off on end to end GUA addressing, then NAT
>>> is going to remain.
>>> >
>>> >     Enterprises are more than willing to punt IPv6 for another decade
>>> and will likely have no issues in doing so given how little IPv4 space most
>>> of them need compared to service providers. Even when IPv6 becomes the
>>> predominant transport type for an Internet handoff everywhere, it will
>>> still just live in the underlay while IPv4 remains the predominant choice
>>> in the overlay, in apps,  and internally in the DC for enterprises.
>>> >
>>> >     At what point does it become more important to have IPv6
>>> implemented, than to have it "perfectly" implemented?
>>> >
>>> >     Kevin Myers
>>> >     Sr. Network Architect
>>> >     IP ArchiTechs
>>> >
>>> >     -----Original Message-----
>>> >     From: v6ops <v6ops-bounces@ietf.org <mailto:v6ops-bounces@ietf.org>>
>>> On Behalf Of Brian E Carpenter
>>> >     Sent: Sunday, April 24, 2022 9:48 PM
>>> >     To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org <mailto:
>>> 40google.com@dmarc.ietf.org>>; Erik Auerswald <
>>> auerswald@fg-networking.de
>>> <mailto:auerswald@fg-networking.de>>; Ted Lemon <elemon@apple.com
>>> <mailto:elemon@apple.com>>
>>> >     Cc: v6ops list <v6ops@ietf.org <mailto:v6ops@ietf.org>>; 6man
>>> list <ipv6@ietf.org <mailto:ipv6@ietf.org>>
>>> >     Subject: Re: [v6ops] ULA precedence [Thoughts about wider
>>> operational input]
>>> >
>>> >     On 25-Apr-22 12:16, Lorenzo Colitti wrote:
>>> >      > On Mon, Apr 25, 2022 at 2:28 AM Erik Auerswald <
>>> auerswald@fg-networking.de <mailto:auerswald@fg-networking.de> <mailto:
>>> auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>>> wrote:
>>> >      >
>>> >      >       "Since ULAs are defined to have a /48 site prefix, an
>>> implementation
>>> >      >        might choose to add such a row automatically on a
>>> machine with
>>> >      >        a ULA."
>>> >      >
>>> >      >     The result is that only the local ULA prefix,
>>> i.e., exactly the
>>> >      >     local IPv6 addresses, are preferred over IPv4
>>> (and IPv6 GUA).
>>> >      >     This should be exactly what is needed to use ULA addresses
>>> inside
>>> >      >     an organization, or for a lab.
>>> >      >     [...]
>>> >      >     Implementing the non-normative suggestion from Section 10.6
>>> of RFC
>>> >      >     6724 would in all likelihood result in making
>>> ULA usable for local
>>> >      >     tests and even first steps in deploying IPv6.  ULA
>>> addresses would
>>> >      >     only be used locally.  Existing IPv4 based Internet access
>>> would not
>>> >      >     be impaired by adding IPv6 ULA.
>>> >      >
>>> >      >
>>> >      > That does seem like it might make ULA more useful, yes.
>>> >      >
>>> >      > Additionally, maybe we could clarify that the longest-prefix
>>> match rule
>>> >     does not apply to ULAs outside the same /48? I think that would
>>> fix
>>> the issue observed by +Ted Lemon <mailto:elemon@apple.com <mailto:
>>> elemon@apple.com>> in home networks:
>>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
>>> <
>>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>
>>> <
>>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
>>> <
>>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>>
>>> .
>>> >
>>> >     When two networks each with its own ULA prefix are intentionally
>>> merged, longest match would be the right thing, wouldn't it? (Assuming that
>>> the split DNSs are also merged, and of course internal routing.) In that
>>> case there is no "foreign" ULA prefix.
>>> >
>>> >      >     In order to keep IPv6 deployment similar to IPv4, IPv6 NAT
>>> could be
>>> >      >     considered.  To make this work as intended, the address
>>> selection
>>> >      >     policy table could be adjusted to contain the
>>> local ULA prefix
>>> >      >     with precedence greater or equal to GUA and the same label
>>> as GUA.
>>> >      >
>>> >      >
>>> >      > This seems like it would encourage the use of IPv6 NAT. I think
>>> there is reasonably strong consensus within the IETF that that is not the
>>> right way to go, because it pushes problems on to application
>>> developers.
>>> This adds costs for NAT traversal software development and maintenance,
>>> and requires devices to implement NAT keepalives, increasing battery usage.
>>> >
>>> >     That may be the IETF's consensus, but there is a very large
>>> fraction of the enterprise network operations community that strongly
>>> disagrees,
>>> and in fact regards this as a red line issue. It isn't even clear that
>>> they'd accept NPTv6 as an alternative to NAPT66. If this is indeed the only
>>> way to get IPv6 inside enterprises, what is the right thing for the IETF
>>> to do?
>>> >
>>> >             Brian
>>> >
>>> >     _______________________________________________
>>> >     v6ops mailing list
>>> >     v6ops@ietf.org <mailto:v6ops@ietf.org>
>>> >     https://www.ietf.org/mailman/listinfo/v6ops <
>>> https://www.ietf.org/mailman/listinfo/v6ops>
>>> >
>>> >
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>>
>>
>> --
>> ===============================================
>> David Farmer               Email:farmer@umn.edu
>> Networking & Telecommunication Services
>> Office of Information Technology
>> University of Minnesota
>> 2218 University Ave SE
>> <https://www.google.com/maps/search/2218+University+Ave+SE?entry=gmail&source=g>
>>       Phone: 612-626-0815
>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>> ===============================================
>>
> --
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email