IETF Logo Mail Archive

Re: [v6ops] ULA precedence [Thoughts about wider operational input]

Kevin Myers <kevin.myers@iparchitechs.com> Mon, 25 April 2022 03:42 UTC

Return-Path: <kevin.myers@iparchitechs.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E409D3A1CF2; Sun, 24 Apr 2022 20:42:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iparchitechs.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Zd0KAo8rVAn; Sun, 24 Apr 2022 20:42:09 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1anam02on20717.outbound.protection.outlook.com [IPv6:2a01:111:f400:7ea9::717]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D1A53A1CEA; Sun, 24 Apr 2022 20:42:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SfRqtJFwUocmC1Xb88VjT+899Zc9fkcpu64G848CQrONeYeLNNBLWU/hv9XP5Cz1CEpPVz5JeIihy/DjaSXymcld2BneRzHeRxs79NsAGn0IVo1F6yj4JwPmUHHsQAK/4YvSIityNA1NDvGVaYnQvPM+xla8RE00eqNrBRpKJ9/JqNtON14E3COnieWH2F69itvdDAouaS/kJplPE3sA1jbmweyZHssDsZfjCPRG6ha47C3JLLyNzJZJ8owDmAaVDpL0Kvm8uVrk84a4PeXaXkmHCHiollkxHzIQyRq3G2ZSjA146mST3xwacyWlgPEouLmjWvdQVx7Nqs3Tz8dWuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dI0Qya7N3WgDyYH7n2Efy/4V6UUCXXE9raorQ1ZHCfI=; b=X20QjgVSQQCfzCiiHM3TcZuIcnQSQQajDgOKQcUaH593DMl+fvu1yHenpyzr4nwoCovzEbrzrRaZrur86QbPsSYppjrjCPibTnWIhJt5rnokF6DMpmAyifr0VDJqu6EGt/zfs4PaxpZByqGnNz7e4p7/VNc1rbieiSnzDAsAHShxn5Vx2NeiAuJkyFRnLaf6VbFEF0at62G1kH+ENVzdNLrTjSRvWhdP8VSxX6SGhCCjp442xL9mO0Hlu9gCwBuzLR4lFB14JLy6ry1HgYlGBIrdesvrfbKeGWWlXgEw3eQVkfskC450Xp0b0+ZVTX+R+w3HrY5ilREYvWnf9f5VoQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iparchitechs.com; dmarc=pass action=none header.from=iparchitechs.com; dkim=pass header.d=iparchitechs.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iparchitechs.onmicrosoft.com; s=selector2-iparchitechs-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dI0Qya7N3WgDyYH7n2Efy/4V6UUCXXE9raorQ1ZHCfI=; b=ptezATYjCGooHmLCtde+OyMs3se9DiLuQLMYE62D5wF1jUgcRe0hmOqtLrwYY1QnzvLMPmRglXq23WijDK4iqcYCFidW4SWc+IUb5h5yTmWRnykiPfj/Wq3f167f7Qart+XWaLt/kSaeNA8AplKUVZWY3lRHrTMNZpcTphR1LU8=
Received: from BN8PR07MB7076.namprd07.prod.outlook.com (2603:10b6:408:79::19) by CY4PR07MB2919.namprd07.prod.outlook.com (2603:10b6:903:2a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5186.14; Mon, 25 Apr 2022 03:42:05 +0000
Received: from BN8PR07MB7076.namprd07.prod.outlook.com ([fe80::a840:dbb:c6ac:27dd]) by BN8PR07MB7076.namprd07.prod.outlook.com ([fe80::a840:dbb:c6ac:27dd%4]) with mapi id 15.20.5186.021; Mon, 25 Apr 2022 03:42:05 +0000
From: Kevin Myers <kevin.myers@iparchitechs.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>, Erik Auerswald <auerswald@fg-networking.de>, Ted Lemon <elemon@apple.com>
CC: v6ops list <v6ops@ietf.org>, 6man list <ipv6@ietf.org>
Thread-Topic: [v6ops] ULA precedence [Thoughts about wider operational input]
Thread-Index: AQHYP7pq6IHvHK8V1USTI3hSjMKzkKzQ0lQAgAC/NQCAKr0VgIADMyqAgAByHACAACp0gIAAAqeA
Date: Mon, 25 Apr 2022 03:42:05 +0000
Message-ID: <BN8PR07MB70760D9693580F5BDCB61DD995F89@BN8PR07MB7076.namprd07.prod.outlook.com>
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com>
In-Reply-To: <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=iparchitechs.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ef355a20-c449-43bb-fd73-08da266d90f6
x-ms-traffictypediagnostic: CY4PR07MB2919:EE_
x-microsoft-antispam-prvs: <CY4PR07MB29199B626C82F082DEE0404B95F89@CY4PR07MB2919.namprd07.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: h53jye7hRikV/OZRswIqVNqpgTJoV40AKcJTSpfE06cqYCDrEHscDYOQrVNCskpbAVBHghYNMQBfZYV8R3yhCRvwSIqSEWDGAKxdu5o+OBGP8hSd0bSQHzMYmYdxDsahAbTTN/712AqWxgGPWmV129vvYeSZitWiWYnlWKIoKN/QJqcnGCcxAxpdfUJkL56U2Lfck7v7xpS/OeJdbNaVEZQ51SvXveC0t3tPX1ueUa8TdOtSLv4jRJ70ai4p45jU3LiSxWEQ0Cg9cprUavXunL6tF8Z3RAW13YjIYt0BIlONab7dsUebJMPOKzCPsizPTq59z4Wod8X8KhnfgTcqm3g/99laeE2uBL811ckZcXmQE8LQ/hYBFjRyZ6/u2D2pA693icCmcoCTRVIWRNx6CDIEEktC3LKO05y5OoHJZLFP+dspB214/9zDndV7TQMw3nxN30WLfC31hGQFzCZ4/81TC01GE6outC0MoXnzn0k2xPPP54oYmXPY4vlZzHYFpDJPOQTWvZVUfQZKYKH0FgHvlGGSDtOWARJt5wK+9KWEWhwPYrwz1zTg/NDZI0xtKlkguh3SFHzUM4Aw/6/wXqrAGXATKY/q56hPLdl/SerLAByAieOpC6Ei2Bd+nTUbNtt1GQDOR/fH6l19pkvdPzjcj00aoN2t2SOYlWHn3VunXFFT9+al3WnGBYee9QfBKnhkC0M+/VY07l1PlvoBzAOqe69uJ6W4b1N8cUX4g330L1VFKmkUb6r6jxQyT0/7UQXXS4AZzm1TJueXcNjxR/ESKUoknnol48S0gEOf1nQ=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN8PR07MB7076.namprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(396003)(366004)(39830400003)(346002)(136003)(376002)(52536014)(8936002)(186003)(86362001)(71200400001)(508600001)(44832011)(122000001)(53546011)(33656002)(9686003)(26005)(2906002)(7696005)(6506007)(55016003)(38100700002)(38070700005)(66574015)(83380400001)(66446008)(5660300002)(316002)(4326008)(8676002)(110136005)(66476007)(76116006)(64756008)(54906003)(966005)(66556008)(66946007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: nZhYnzAS/So4OkheIGxXrSeCK+hhHCtM5/X/bNmNKLxDd+uqRQkfsPRcHaY44+o+l2b+QQIFJLs0hJvEV1MEwCDSdOEFCypuK1ITM1Cj919I4oPSw6D9vOIZByaNRGpu5DyzgF0FjK3X3LkMrrCana2EqyLew9NNkuXyTcRdRXXZxffDeRscV5O8GulEZ4SZ62CB2WSmtXf4Wv3jAbxR6rW1NI8LGp3G1XjUG27XER3/Kow/q9AHQI5v0m4otDYcjMvlp5dmoB21xisF+59ucqUzQ5pSIeVSLZlNt7SMd+1385bSsLahDPfsmzQPBjkMv5ibMIhU1sOFYvRvZmIO4brOafAlt4UCQh5AoNsz+tH4xl/7nb0k++EJuWjSzGggGLUPK2EMmd4F4ty3n9Gr9iGWuWu48Ii0sDX+cEvPYvq4ul8/j6NoexKvKKMSSRqpnHrg2vubgD9jH48vg76FODqioJwTDSQaHEQeh8pKOeag0dkavVrtF9NcLygZBf6NfyqCQbx6i89JNJDHferDBeKB685PnnEyA3/DrVSbjcqiPXnmmqsaGC++3riJSJK6tVQingi8frEs7nZGCEfVI+eBOlP2zIek1C0gxYSFt/MOL3zVaYdy8g0+VH0FQGYtDweHse1B/7sFZx0q+m2M4Mqbz0XqhnVvERmbcAuh/Yds8hsOVzlsciODHyruaN+rWJwcyAbBhWxvyeLFJ6Msw/3M9ikTlRpv8JRPwr+SJK44Q8kx7k8E/ByW8L/BsfXWRF819Vk9ngXX6nSVIChAxNBCEkNcG5uhcWiVzRjXZsBfy7IJN4UFerEVeA1y1jdE3yAn45OckZrdaJfKSQRRMpQYAEJjd54yTPw2hB+4prpjRd2UFuo3h1kiZvZh304u4LNx0sB//FaVP4BYJyuVOizoe4u4j7hxLaVl8dT+l0+mpflZJQzrElwK4kZ8EY/ydMxVzqhFHUteP6ZbulmEzDTiTmOG40J0zZVxw2GCdmeKkRjCGcMAsui9jMo8uC5Xecfu7CrBnjlFnV7Qxd/Lskmc5mfzjtgwInU46hwNZpnqiWEriyfhPwyHOOqdtTahVIlrNUQUIxK8y+kR0xyoX+WUecUoyeyzMaP6Q7xzH7BErPFR1A3Ool9KegA8pbdptJVAbQ4I+Cn4JdhrEVVbYxlfFZXxRT4GesppK+W1fN6+oBVLf0SSvKK1DPb94oyz9/+7d256jxDAG1x1O55EZ2TZEAdZRIE84f79Z5MK+krBaL9j0wOkaR8wH4Jf3cMgOkbR4LlRJ/Z1MWMWxIz3RyIKVA4bMYmE57lGOGYJtZ1QVTJJ7C6d+XFzL6g01rJ/j3ILlGtCNLhS7Rca5mwOWLG4qo1/QXUAm1zxgrHlqa8WrbmffBVgOkGTpQ3x9GhpWH8ZenQ1tf/8ocmAxgbU0iTIYNdKAR89VSFn8D2eLwEDj5tbqoXGREz9pOxijSSbyCjN4wYLtkapEklxeJziJgVSzdWGE/oEAGGmJLSW+yiifzVeL1g7jnNIM2wAHGwyX8GdjhMhfzrjzAzgpaog69kTZwcYiZ3t9BJ/BQgUTWY0PLpef/yri+lt9YNuMGSLZ9uDAUyEg0HpbVRImWinwpZwv8x+T+RQmiRu4Fe3+rh0/RPU9NkRU/lxHEHkFbR1FdB5OR3X6XhHSYoNuBUgmRSlLEh5+8IN6QRfNmC6gxY82J9HiRhvcWulv7JjtiX3V9cewlius8tIuL0eHiPZXhUf775x6LUfKO/llIeh69k=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iparchitechs.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN8PR07MB7076.namprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ef355a20-c449-43bb-fd73-08da266d90f6
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Apr 2022 03:42:05.1430 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 394cfad8-1b06-48c6-b381-e12377a8fdde
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: NrkHqW+12orCff/RGZZIAcEfo9eqMai78a/qfatp6S2/3tGpwsdFNrbJ7qcl+z32TCBf9PgI89ZrZBw4dc2ol/ZhFiRldkTV5zhRqS2EWA8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR07MB2919
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/mY8kVpoK9OT-VlVE19aiadcOFo8>
Subject: Re: [v6ops] ULA precedence [Thoughts about wider operational input]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 03:42:14 -0000

IPv6 NAT is already being deployed in large enterprises for the few that want to tackle IPv6. Vendor implementations exist, so that ship has sailed regardless of where the IETF lands. 

Most of the Fortune 500 fall under regulatory compliance of one body or another (PCI-DSS, FIPS, HIPAA, etc) and none of them are setup well for an IPv6 no-NAT world. Most of the discussion I see around enterprise adoption on the IETF lists misses this point. It matters very little whether NAT is a "good" or "bad" practice when it comes to selecting an operational model. Enterprises choose operational models that will pass audits and the overwhelming majority rely heavily on NAT.  We can make the argument that compliance bodies and auditors should update their guidance and standards and they absolutely should, but it will probably take close to a decade to change the regulatory compliance auditing landscape to the point that IPv6 without NAT is commonplace.

If auditors won't sign off on end to end GUA addressing, then NAT is going to remain.

Enterprises are more than willing to punt IPv6 for another decade and will likely have no issues in doing so given how little IPv4 space most of them need compared to service providers. Even when IPv6 becomes the predominant transport type for an Internet handoff everywhere, it will still just live in the underlay while IPv4 remains the predominant choice in the overlay, in apps,  and internally in the DC for enterprises. 

At what point does it become more important to have IPv6 implemented, than to have it "perfectly" implemented?

Kevin Myers
Sr. Network Architect 
IP ArchiTechs

-----Original Message-----
From: v6ops <v6ops-bounces@ietf.org> On Behalf Of Brian E Carpenter
Sent: Sunday, April 24, 2022 9:48 PM
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>; Erik Auerswald <auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>
Cc: v6ops list <v6ops@ietf.org>; 6man list <ipv6@ietf.org>
Subject: Re: [v6ops] ULA precedence [Thoughts about wider operational input]

On 25-Apr-22 12:16, Lorenzo Colitti wrote:
> On Mon, Apr 25, 2022 at 2:28 AM Erik Auerswald <auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>> wrote:
> 
>       "Since ULAs are defined to have a /48 site prefix, an implementation
>        might choose to add such a row automatically on a machine with
>        a ULA."
> 
>     The result is that only the local ULA prefix, i.e., exactly the
>     local IPv6 addresses, are preferred over IPv4 (and IPv6 GUA).
>     This should be exactly what is needed to use ULA addresses inside
>     an organization, or for a lab.
>     [...]
>     Implementing the non-normative suggestion from Section 10.6 of RFC
>     6724 would in all likelihood result in making ULA usable for local
>     tests and even first steps in deploying IPv6.  ULA addresses would
>     only be used locally.  Existing IPv4 based Internet access would not
>     be impaired by adding IPv6 ULA.
> 
> 
> That does seem like it might make ULA more useful, yes.
> 
> Additionally, maybe we could clarify that the longest-prefix match rule 
does not apply to ULAs outside the same /48? I think that would fix the issue observed by +Ted Lemon <mailto:elemon@apple.com> in home networks: https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00 <https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00> .

When two networks each with its own ULA prefix are intentionally merged, longest match would be the right thing, wouldn't it? (Assuming that the split DNSs are also merged, and of course internal routing.) In that case there is no "foreign" ULA prefix.

>     In order to keep IPv6 deployment similar to IPv4, IPv6 NAT could be
>     considered.  To make this work as intended, the address selection
>     policy table could be adjusted to contain the local ULA prefix
>     with precedence greater or equal to GUA and the same label as GUA.
> 
> 
> This seems like it would encourage the use of IPv6 NAT. I think there is reasonably strong consensus within the IETF that that is not the right way to go, because it pushes problems on to application developers. This adds costs for NAT traversal software development and maintenance, and requires devices to implement NAT keepalives, increasing battery usage.

That may be the IETF's consensus, but there is a very large fraction of the enterprise network operations community that strongly disagrees, and in fact regards this as a red line issue. It isn't even clear that they'd accept NPTv6 as an alternative to NAPT66. If this is indeed the only way to get IPv6 inside enterprises, what is the right thing for the IETF to do?

       Brian

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email