Re: [v6ops] [GROW] Deaggregation by large organizations

Matthew Petach <mpetach@netflight.com> Fri, 17 October 2014 00:59 UTC

Return-Path: <mpetach@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D31B1A907B; Thu, 16 Oct 2014 17:59:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_14=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ZPc8-i3EsDv; Thu, 16 Oct 2014 17:59:08 -0700 (PDT)
Received: from mail-yh0-x230.google.com (mail-yh0-x230.google.com [IPv6:2607:f8b0:4002:c01::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A78271A907A; Thu, 16 Oct 2014 17:59:08 -0700 (PDT)
Received: by mail-yh0-f48.google.com with SMTP id v1so2498145yhn.7 for <multiple recipients>; Thu, 16 Oct 2014 17:59:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=6m1IiPjY0EAbxmlkV6Y+wJnYo3ZQbWYNlm/TxEoKzXI=; b=tRQqqauG0XRuKVHSpRttzPq3VFH91sKrHxMkqJHSYqqbNknJfAkWAA0eT4hlYPIuNF 0Im7z9dqjhYdOXgJdAkq2gYJiBHr5kCjS+7bfjMC18gFXuiotUH9z+MceQVSKxVMYXgs BMVGcwYj+aQ7vUTtFTzC0r/vH4igdF96QVsJxZtSHWhJ1VNYT/TUxk1/3ADs3Y8XvwUW Qes/TQdvjBGf7er+CKVQJsNmM7shWa7iN2CvM5tFSpkXK8Z84fbq9D6mNngNhaQ4P+oA koP0TqyXVG60haOUzvadvgwcNGIHhEfd++QdteqXaiAdpndeUoCSKc+C7xwx9pfHzg8q lPTw==
MIME-Version: 1.0
X-Received: by 10.236.66.103 with SMTP id g67mr6394596yhd.61.1413507547980; Thu, 16 Oct 2014 17:59:07 -0700 (PDT)
Sender: mpetach@gmail.com
Received: by 10.170.168.87 with HTTP; Thu, 16 Oct 2014 17:59:07 -0700 (PDT)
In-Reply-To: <20141016233533.1B73521A106C@rock.dv.isc.org>
References: <F5C06CAF-0AD2-4225-8EE7-FC72CE9913F0@muada.com> <755DE4C3-CDDF-41AF-BA9C-E8EC5B4DFC4C@muada.com> <A7F6BEA0-BCDD-4197-B6CB-7EB8797ACA9C@delong.com> <20141016233533.1B73521A106C@rock.dv.isc.org>
Date: Thu, 16 Oct 2014 17:59:07 -0700
X-Google-Sender-Auth: Fjn6Ha-7ywoAp9waPiFjLrf7w0I
Message-ID: <CAEmG1=r7UdeStcqFjiQRO_Vt1hfR_T4oyTW5FD-eD1ATEXpc6A@mail.gmail.com>
From: Matthew Petach <mpetach@netflight.com>
To: Mark Andrews <marka@isc.org>
Content-Type: multipart/alternative; boundary="089e013a14fa48fd43050593df5a"
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/kDZ0JiDEnp4vPG83z4fGHUrnyU0
Cc: v6ops@ietf.org, grow@ietf.org
Subject: Re: [v6ops] [GROW] Deaggregation by large organizations
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 00:59:10 -0000

On Thu, Oct 16, 2014 at 4:35 PM, Mark Andrews <marka@isc.org> wrote:

>
> In message <A7F6BEA0-BCDD-4197-B6CB-7EB8797ACA9C@delong.com>, Owen DeLong
> writes:
> >
> > On Oct 16, 2014, at 02:43 , Iljitsch van Beijnum <iljitsch@muada.com>
> wrote:
> >
> > > Let me address a few points that were brought up by different people.
> > >
> > > Renumbering:
> > >
> > > We had great plans for making renumbering easy in the early days of
> IPv6. Remember A6 records and bit
> > labels in the DNS? But none of that went anywhere. The problem isn't so
> much that we can't push a prefi
> > x down the network or update the DNS (although both of these still have
> challenges associated with them
> > ), but that addresses tend to get hardcoded all over the place, starting
> with firewalls all the way up
> > to homegrown applications. I don't think renumbering addresses this
> issue, although it could help steer
> >  some smaller organizations away from PI.
> >
> > They never went anywhere because they focused on solving the easy part
> of the renumbering problem while
> >  utterly and completely ignoring the hard part.
> >
> > Easy part: Changing your stuff.
> > Hard part: Updating all of the prefix lists, filters, firewall rules,
> VPN configurations, and other con
> > figuration elements in systems not under your control that contain your
> prefixes (partner VPNs, peer ro
> > uters, etc.).
>
> Owen this a collective response to the list.
>
> Not all that hard at all.  Just send signed update requests.  I did
> that with email over a decade ago.  You just have to have something
> listening for them that verifies the signature and updates the
> system.
>
> Write a draft "Remote Firewall Update Request Protocol" and submit
> it.
>
> The alternative is stop worrying about the remote address and use
> security at the application layer.
>
> Or complain to your vendor that you can't use a hostname in the
> configuration file element.  In many cases it doesn't require
> anything more than looking up a address in the DNS before the
> operation.  Yes, I need to fix the masters clause in named to support
> this.  We already do something similar for NOTIFY messages so it
> is possible to do this.
>
> For masters clauses there is a bootstrap problem to deal with but
> it is not impossible.  Just sending periodic NOTIFY messages will
> work.  Named has had support to do this for 1 1/2 decades now to
> allow for a a stealth master behind a dial on demand link.  It would
> send a notify periodically.  That would bring up the line.  The
> slave would refresh and transfer if required.  When that was complete
> the idle timer on link would drop it.
>
> This just used standard signalling designed by the IETF in a different
> way.
>
> Stop expecting someone else to *find* and fix these issues for you.
> You know what the issues are.  Ask your vendors to fix them.  If
> they need to co-ordinate they should know where to go to do it.
>

Or, y'know, we could just get PI space,
multihome via BGP, and save ourselves
all that headache...

...just sayin'...

Matt