IETF Logo Mail Archive

Re: [v6ops] IPv6-Only Preferred DHCPv4 option

Fred Baker <fredbaker.ietf@gmail.com> Mon, 09 December 2019 14:48 UTC

Return-Path: <fredbaker.ietf@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B2F212004E; Mon, 9 Dec 2019 06:48:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YTui589cyMbL; Mon, 9 Dec 2019 06:48:39 -0800 (PST)
Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9746612000F; Mon, 9 Dec 2019 06:48:39 -0800 (PST)
Received: by mail-pf1-x436.google.com with SMTP id s18so7350533pfd.8; Mon, 09 Dec 2019 06:48:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ZzVqlG8ouo4GTuzIY/1A08hbBaBuhc19w6CwOY1i4cs=; b=r7MIPxqW58tqap5eNRHE3rjYEPsH6eg2mL+zHhsqdyckE1XXGj89ZVC1uXnTkntoOU p8laYsURXKWSQmCMW72y2AVguwy9UM6q+Dcv4kzHnbEYn1Vm8NKiFE8Sm4WCeh3kCOWc JRFJYoIroFsnDwSA5nMSizywlsayUj5bNHT5lU7+S/vXAjRyEoNcVXYCm+V78hm9/zLw 7oT2+9d1zcODfw61vrAXuG1qeabMGOtYJqOfO6yfBsRL63AlpSx5b7Nq8yvpK4XZkNBJ CS6b59RvR61ODqXjgpaHaoICygRIMICz4zl+BzMtMylXwSZTRs0+6TkFVbngbdRSeDcZ X7/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ZzVqlG8ouo4GTuzIY/1A08hbBaBuhc19w6CwOY1i4cs=; b=ucW6ce5aqauODeY2j89zQYr0oEnTbvu45EswBndsUZJrCg9Rl4dj4EPk8WHRYR/A41 pEY72zIRFspyGVozbDK7XAXnBHeA8n5Y2Sbj7Wey+HfZbmsJOdjsmrjbzVaejUN5ZXXg OUqzh6IQfU3kMUewYRZbA08NWjjXXpf8OwfHJR0aBS5yqmEdszzkaTdW0z4XxNps3nty /b71ShEx/TFCI9DXeUUPxSO48XOMDp4zKxhNOwp2FNv91m+jrx7neFG+YKOWWG0BsXok GgjB+EU4B7sbp+gHAJosB3d+AnhTSS1F54ejMKdeIqbpLDOAcQUwlSJqZrLjOn3OoJF7 d0Qg==
X-Gm-Message-State: APjAAAVH4CZQ3+kJ9nRBE/aeJe510LhFTov2XnvDv4YF/5a9f+vuSFlZ icSgS0iVc9J98Jb7MsNhVWc=
X-Google-Smtp-Source: APXvYqwWxfinaU2rBB1iB4TDEuaH9KVpHJ0FPwFo5jPEhQEWmUJkuTyCN4arS4RM12fPsJXTw8KjCw==
X-Received: by 2002:a62:2f06:: with SMTP id v6mr30082558pfv.105.1575902918959; Mon, 09 Dec 2019 06:48:38 -0800 (PST)
Received: from ?IPv6:2600:8802:5900:13c4::1011? ([2600:8802:5900:13c4::1011]) by smtp.gmail.com with ESMTPSA id j1sm4675357pff.107.2019.12.09.06.48.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 09 Dec 2019 06:48:38 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
From: Fred Baker <fredbaker.ietf@gmail.com>
In-Reply-To: <CAFU7BASBFxAyttE-Eu0KmbqLw19i-k28xdL6CcAa466C5+WCTg@mail.gmail.com>
Date: Mon, 09 Dec 2019 06:48:37 -0800
Cc: dhcwg@ietf.org, draft-link-dhc-v6only@ietf.org, V6 Ops List <v6ops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <61298ABE-88BC-4E47-A807-38E134981E85@gmail.com>
References: <CAFU7BAR1JLUZps=CAqJfeQtUf-xQ88RYvgYrPCP+QP0Ter7YFg@mail.gmail.com> <B1A0DD99-B753-473A-B835-B8BEABE32D54@gmail.com> <CAFU7BASBFxAyttE-Eu0KmbqLw19i-k28xdL6CcAa466C5+WCTg@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/kyLqkTBcpl6mqu-NHER3FnWdKaY>
Subject: Re: [v6ops] IPv6-Only Preferred DHCPv4 option
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2019 14:48:41 -0000

Sorry for the delay in following up. This is an active thread.

> On Dec 4, 2019, at 3:26 PM, Jen Linkova <furry13@gmail.com> wrote:
> 
> On Thu, Dec 5, 2019 at 7:49 AM Fred Baker <fredbaker.ietf@gmail.com> wrote:
>>> One of the biggest issue in deploying IPv6-only LANs is how to do it
>>> incrementally, when some hosts work just fine in NAT64 environment
>>> while some legacy devices still need IPv4.
>> 
>> A general comment - I don't think this is "devices" as much as it is "applications". I'm thinking here of issues raised in RFC 2993 among others.
> 
> You are right, it's applications getting broken w/o IPv4 indeed. The
> text is saying 'devices' just for the sake of brevity: as a network
> engineer I see *devices* connecting to the network, and IPv4 addresses
> being assigned to the devices. A device just a box with a number of
> applications (+ an OS) running inside.
> However there are cases when an application needs an IPv4 address to
> operate while the whole device does not. Think of a device with
> 464XLAT  enabled (e.g. an Android phone). The same application might
> work perfectly fine on a mobile phone connected to an IPV6-only WiFi
> but gets broken if I run it on my macbook connected to the same
> network.
> 
> Would it be better if the sentence you quoted would be saying 'while
> some legacy devices still need IPv4 addresses as their OSes and/or
> applications depend on IPv4'?

It might.

I spent some time looking for the definition of "dual stack" (for another reason), and found that while the term is used in some 94 IPv6-related RFCs, it is never really defined. To me, and I think the authors of those various RFCs, the implication is that one could turn either IPv4 or IPv6 off, and peers using the remaining protocol would still be able to use whatever service the device or application offers. At my former employer, the term was generally used to mean that a system was generally IPv4-capable but had some IPv6 capabilities as well. The nearest thing to a definition that I found was in RFC 3750, but even there one has to read it carefully.

RFC 3750 makes the point about the OS offering either or both, but some applications requiring IPv4, and of transitions being not only for the OS, but for applications.

>> I would argue that NAT64 is subject to the same issues as NAT44; there is a coupling between the network and application layers in that an IP address is used as an application layer identifier, and a coupling between addressing domains in the network in that hosted applications presume that an address they use is meaningful to and means the same to an application in another domain. RFC 3439 talk about coupling primarily in terms of time, but couplings such as I describe are also dangerous, and I would argue that the issues raised in RFC 2993 are direct results of coupling. So, whenever an address is embedded in application data and interpreted or used by the peer application, there will be a NAT issue.
>> 
>> What would I want to do about it? I would not want to see an ALG (to my mind, that works against higher layer security such as TLS or IPSec), but rather see the application use an application layer identifier such as a DNS name.
> 
> NAT64 is not perfect and is not a silver bullet but I do not think we
> have any better tool right now. At least NAT64 is used for iPv4-only
> destinations only so damage is contained (and the footprint will be
> reducing over time, I hope).

Speaking as a co-author of stateless IPv4/IPv6 NAT (which is about connecting from {IPv4|IPv6} to {IPv6|IPv4}, and is used by NAT64, which is about connecting statefully from an IPv6-only network to an IPv4-only network), I would agree that neither stateless nor stateful IPv4/IPv6 translation is a "silver bullet" - primarily due to issues raised in RFC 2993. My co-authors wanted to not have to move all of their IPv4-only servers to the IPv6-only network before being about to test it. They wanted the evolving IPv6-only network to be able to access IPv4-only servers on day 1, even though they had the full intention of making all servers IPv6-capable over time, or duplicating them with IPv6-only servers. Translation gave them the capability of getting there in a limited fashion while they pursued the remainder of the process.

The "better tool", if I understand RFC 2993 correctly, would be 
(1) to remove network layer addresses from application layer applications, so that there is no coupling between the application layer and the network layer, or
(2) make the application equally able to use IPv4 or IPv6 addresses, or
(3) deploy separate instances of the application for use in IPv4 and IPv6 networks. 

Each has issues...

v2.23.0 | Report a Bug | By Email