[v6ops] Re: IPv6-mostly deployment at RubyKaigi

Sorah Fukumori <her@sorah.jp> Sun, 09 November 2025 16:57 UTC

Return-Path: <her@sorah.jp>
X-Original-To: v6ops@mail2.ietf.org
Delivered-To: v6ops@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id EA0F186896B5 for <v6ops@mail2.ietf.org>; Sun, 9 Nov 2025 08:57:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sorah.jp
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p5Wqts2I0Ji3 for <v6ops@mail2.ietf.org>; Sun, 9 Nov 2025 08:57:34 -0800 (PST)
Received: from mx.sorah.jp (aapne1a.mx.sorah.jp [3.112.186.47]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 69D2C86896A2 for <v6ops@ietf.org>; Sun, 9 Nov 2025 08:57:34 -0800 (PST)
Received: from mail-qt1-f180.google.com (mail-qt1-f180.google.com [209.85.160.180]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx.sorah.jp (Postfix) with ESMTPSA id 0290460559 for <v6ops@ietf.org>; Sun, 9 Nov 2025 16:57:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sorah.jp; s=nkmi1707srhjp; t=1762707447; bh=N7Okhd7/RiZ7psBnoTknTGsbj4huI9FN6aDskLrr1XE=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=an8Foepn+YRhWq10ZRQ5eZnq4V4vZ0YKg9ycU7zYr+XOrBh+ZK9E5QuxaBBp9kFSQ h9BHiugbIPweMifIJEuQFAxKmK61QDLjSankn77Xdj4tx/m4QQpt3YPKrebu/pCPEA KlHYqaSf6BIS73QrTJ8vNyiUK2lMPyOnoPC5+NvoEdW55grkUr2VlSRiDJifuAH3C0 i17OvHhj54oPDLGpjUJL/0LA+y2jhiXVP8ENwOaNi3X+a0eIhCYp6zvVnUBy3EiHq/ 9dSAHoUjjYQ4bI1EpjDfF9PvO8I7i79oi1n31KcLGmyUHhmQYgu9Ge7dDMjcOa9fnn KEY1nkkCVRSHg==
Received: by mail-qt1-f180.google.com with SMTP id d75a77b69052e-4edb029249aso5927851cf.2 for <v6ops@ietf.org>; Sun, 09 Nov 2025 08:57:26 -0800 (PST)
X-Forwarded-Encrypted: i=1; AJvYcCVqjMeTcsLXnWGAUu5qZXgFl9D0jK/1GPoFOp52nBH3J6hHaxIqnecpPmsSipCkQPsKk66JzQ==@ietf.org
X-Gm-Message-State: AOJu0Yyz72tZv6l893zoYb3Sg3GroCPjfwu8uyPYguI5L3+zUUvQWz4b aBuZOVTRVc3OTP9xKLlvBFLcJhf1lAi7FTH5gLXmNnQRa65pR8OskG1aweMGuLfT6FtpwYlChp1 8wx7iNdWzzR8sG4BlILcHKFtXBAS9YF0=
X-Google-Smtp-Source: AGHT+IGZ4kVibaRyzykK0HGLYMUl/WL5amkaKF7lLhgG3/K0/sWOKW+tihNzNdCFaniU1Ijw3vYvMcXtInXP0FECQPo=
X-Received: by 2002:ac8:7fc2:0:b0:4ed:bbca:ad7b with SMTP id d75a77b69052e-4edbbcabc14mr10468491cf.59.1762707445300; Sun, 09 Nov 2025 08:57:25 -0800 (PST)
MIME-Version: 1.0
References: <CA+wiQwvs=CY3o04axwF7UD03iXwTCXtU85dPzv5krW5VQGQgjw@mail.gmail.com> <CAFU7BATLgMbhR-mLPhmY4fzAJrEtyMtNPvRuGa7zkFsXpL_tSg@mail.gmail.com> <CA+wiQws5VFNFCNkmRcM=xqBEd6qeUywsznMYaT=DiGt75hpfKw@mail.gmail.com>
In-Reply-To: <CA+wiQws5VFNFCNkmRcM=xqBEd6qeUywsznMYaT=DiGt75hpfKw@mail.gmail.com>
From: Sorah Fukumori <her@sorah.jp>
Date: Mon, 10 Nov 2025 01:57:09 +0900
X-Gmail-Original-Message-ID: <CA+wiQwuLgkvY56WNw+k1A9-huMKM_=qdC_tvLf1ZhbP7fBwAKQ@mail.gmail.com>
X-Gm-Features: AWmQ_bmIYWuXVHgyHe1nIkA4WHg3C1ElSOYIQ5rlRuegQIsj-WWx_kxieQVWil4
Message-ID: <CA+wiQwuLgkvY56WNw+k1A9-huMKM_=qdC_tvLf1ZhbP7fBwAKQ@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>, v6ops@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001ec67806432c4f5c"
Message-ID-Hash: 3AZ6L3UPZI3WVAVSNL2CKN5NMXCUEYLY
X-Message-ID-Hash: 3AZ6L3UPZI3WVAVSNL2CKN5NMXCUEYLY
X-MailFrom: her@sorah.jp
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-v6ops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Sorah Fukumori <her=40sorah.jp@dmarc.ietf.org>, noc@rubykaigi.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [v6ops] Re: IPv6-mostly deployment at RubyKaigi
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/kDc0UgqWJkxrBvl8aj6txdXhmj0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Owner: <mailto:v6ops-owner@ietf.org>
List-Post: <mailto:v6ops@ietf.org>
List-Subscribe: <mailto:v6ops-join@ietf.org>
List-Unsubscribe: <mailto:v6ops-leave@ietf.org>

Hi Jen,

We completed the re-verification of our investigation, and invalidated the
explanation regarding a source address in solicited NAs. I've updated our
blog post accordingly. Thanks again for the information.

-

Regarding draft-ietf-v6ops-6mops-04:

I appreciate the opportunity to review this I-D. I'm not a frequent
participant in the standardization process though, but I'd like to leave
comments as follows:

1. Section 7.4. Paragraph 2.1.1.

   > If NAT44 is employed, then NAT64 and NAT44 must share the same pool of
IPv4 addresses.

   Is this going to be marked as MUST?

   Our deployment used a separate NAT device for NAT64 flow to isolate with
the existing setup, to allow safe and easy fallback to our battle-tested
NAT44 infrastructure; also because our existing NAT44 devices don't support
NAT64.  Therefore we had separate NAT IPv4 address pools; We offer
stickiness, but it is scoped and bound to each pool. We considered this
limitation negligible, because our network is temporary where it only lasts
3-days.

   Plus, a rotation of random IPv6 addresses also could invalidate NAT
address stickiness; in mid-term, randomised MAC addresses could also
change; IIRC Apple devices rotate every 2 weeks by default, which
effectively prevents from tracking required for stickiness.

   I agree that switching between dualstack and IPv6-only mid-connection
can cause such problems if a NAT pool isn't shared, I don't think it's
worth enough that requiring sharing NAT pools as MUST, while I agree it is
valuable mentioning to network operators who are going to migrate their
networks incrementarily.

2. Section 7.5.3. Paragraph 7.

   > However, the deployment model described in [RFC9663] might not yet be
supported by all endpoints

   This might be "by all devices?" AFAIK wireless controllers still track
IPv6 addresses of clients via its presence in packets or DHCP snooping. RFC
9663 must be recognised in all intermediate boxes such as WLCs in order to
eliminate such scalability issues.

Best,
Sorah


On Wed, 5 Nov 2025 at 06:16, Sorah Fukumori <her@sorah.jp> wrote:

> Hi Jen, thank you for the response.
>
> On Tue, 4 Nov 2025 at 23:49, Jen Linkova <furry13@gmail.com> wrote:
> > https://www.rfc-editor.org/rfc/rfc4861.html#section-7.2.5 doesn't
> > require the source address to be the target address either.
> >
> > So, to be honest, it looks more like a bug in the WLC code.
>
> On Wed, 5 Nov 2025 at 02:28, Jen Linkova <furry13@gmail.com> wrote:
> > Another datapoint: my Macbook which still sends NAs for the CLAT
> > address from the link-local source, has no issues staying on various
> > IPv6-mostly networks (incl. my corporate network, RIPE conference
> > network and the IETF network.
> > So it does look like your controller might make unnecessary strict
> > assumptions, seems to be worth reporting to the vendor.
>
> Oh - I started to double check my investigation log, and the source
> address thingy in my report might be inaccurate - I'll update the blog
> post and this email thread later.
>
> # Perhaps one of our packet captures was mistakenly recognised as a
> wired connection, and our controller converted or generated solicited
> NAs that sent using GUA (non-lladdr).
> # And I regret that I didn't include 15.4 on the onsite test :/
>
> Meanwhile please disregard the source address thingy in my report,
> sorry for making confusion.
>
> > Oh that discussion is related to yet *another* bug in MacOS which was
> > fixed earlier: until 15.5, MacOS didn't respond to the unicast NSes
> > for the CLAT address at all.
> > It was reported and very promptly fixed (thank you, Apple people!).
>
> Appreciated on the info that the change made in macOS 15.5.
> # And I regret that I didn't include 15.4 on the follow-up test. I
> misrecognised 15.5 was released before the first conference, so it was
> out of scope due to the time limit on follow-up test; that was
> performed on the conference setup day
>
> > Have you reported it to Cisco?
>
> Not yet, but honestly we currently don't have active support contract
> with them (as we're a community, voluntary based conference)
>
> > > 4. By enabling RFC 8925, approx 80% of IPv4 traffic automatically went
> to NAT64 boxes. This is wonderful, kudos to RFC authors and implementers!
> >
> > Wow, cool, thank you for sharing your experience!
> >
> > May I ask you to review
> > https://datatracker.ietf.org/doc/draft-ietf-v6ops-6mops/ to see if
> > there is anything you'd like to add/share?
>
> Thanks, we'll check later.
> --
> Sorah Fukumori https://sorah.jp/
>


-- 
Sorah Fukumori https://sorah.jp/