IETF Logo Mail Archive

Re: [v6ops] WG call for adoption: draft-collink-v6ops-ent64pd-03

Jen Linkova <furry13@gmail.com> Tue, 18 April 2023 06:17 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 260C6C14CF1B for <v6ops@ietfa.amsl.com>; Mon, 17 Apr 2023 23:17:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.845
X-Spam-Level:
X-Spam-Status: No, score=-6.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6nUPfO_DOYfU for <v6ops@ietfa.amsl.com>; Mon, 17 Apr 2023 23:17:17 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF9C3C14CE40 for <v6ops@ietf.org>; Mon, 17 Apr 2023 23:17:17 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-4ec817060cdso1983441e87.3 for <v6ops@ietf.org>; Mon, 17 Apr 2023 23:17:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681798635; x=1684390635; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=aD4RsecpjdXWI8+QMsN/he3pFJtjMBZ+jiYdzHY2qUA=; b=QJsHcIMlH386ZY7ANlAMRohSetGUZ3yHjO3vNAnqVxgJzqrMvzmwasvtB2voxY/7j5 7uDOUfMpmF2H/LL1kFT3AbMFbQK2DGSAzjralJDJRsldSYz1Di1PkSA8qUCauxGfgSwa qkqWjZIvnsH/HL4J5CUyAWwlbjJNggAc9pt8tX4hATAIC7hrjpl7FC3MsTxrlL0C8y8N CGjZp0EY/Fsw+CyzH1QppFj3VOhHrypWTSqfI1ayjAWBdkq1vrktIseBrDri1lRdEXq0 HK/a6usqnQwM6Hx6rTfe/RSpcpa/QW9veJ23QA7ESWpWu4n08W734EHUCSBLgyMrSFSk 4zFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681798635; x=1684390635; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=aD4RsecpjdXWI8+QMsN/he3pFJtjMBZ+jiYdzHY2qUA=; b=Ct4AVBluZUnDYfB4dvCM53oBAbiYSVcC8D3q51QhNeR9fNcjmAgMIOVg6DkXpKZfeu 86RYfKu3AnT795mipcmnKyQiCixhjaWijbgz+OOmu6y/MUx9r1Ot+jAmA8uY6Z9Tgcek keGnxJPjM7EISwJrJY6MxjAvwWw0L+ahWwO+jZWqL94G+81HAw7EYlo9SfFSWKRPbAmP 3NSssAljPZwc2DZjknXbX6HreTDgeVpCPQlgVdNsI9YBx6mBkCZP9rs+ycnmLWqoK0+b QhY81Cc4uyY5OhBNNAaPEfEpYtSipOkBlcqv2PZcnoLVlz3JyZCWZuHWlgSTs/3VRM4R oSQA==
X-Gm-Message-State: AAQBX9eNoRCdtoSCCL5DdWvBXLWlKj9QsR+OynB6Rznd/MnZEfAExGAQ WifB7D+hbzXn54Lf/kVkprC28DCU5nxpyR8Kk+cLxji3ABr+vg==
X-Google-Smtp-Source: AKy350aD4wU9pbFbaGjChAx32R99j+odnpNXxmaEx7wC/lCNb6p7FcWUNtyMboMHZonzMfnGzDF+YmX54oE2PHcsHyU=
X-Received: by 2002:ac2:5223:0:b0:4ed:c8ba:dfa5 with SMTP id i3-20020ac25223000000b004edc8badfa5mr1153525lfl.1.1681798635268; Mon, 17 Apr 2023 23:17:15 -0700 (PDT)
MIME-Version: 1.0
References: <49729a842e3c4018903e7dab2e4318bd@huawei.com> <CAFU7BATOkQz4r4cg5m0Xv4UDykZ2TaYcE+=UnehZOVa0gasYSQ@mail.gmail.com> <2589160.7s5MMGUR32@asclepius.adm.tul.cz>
In-Reply-To: <2589160.7s5MMGUR32@asclepius.adm.tul.cz>
From: Jen Linkova <furry13@gmail.com>
Date: Tue, 18 Apr 2023 16:17:03 +1000
Message-ID: <CAFU7BAQO_z4GmBukFJyh7J8S3QRj-zPZ2PSkNkobunFdbNFFsA@mail.gmail.com>
To: Martin Huněk <martin.hunek@tul.cz>
Cc: v6ops@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/mx1xmY-krfFp-C3bjQfQ-ZUoqRw>
Subject: Re: [v6ops] WG call for adoption: draft-collink-v6ops-ent64pd-03
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2023 06:17:22 -0000

On Tue, Apr 11, 2023 at 1:36 AM Martin Huněk <martin.hunek@tul.cz> wrote:
> As I read the -03 version, it still requires /64 at minimum. It is just better hidden in the text.

No, it doesn't require /64. It requires whatever hosts need to support
SLAAC. If someone is willing to work on making SLAAC work with, let's
say, /80 - nothing would change for this document.

>
> Small thing first - section 6:
> > The server MUST provide a prefix short enough for the client to assign addresses to its interfaces and connected systems via SLAAC.
> The server doesn't know that.

Currently SLAAC only works with /64 (see rfc7421, for example). It's
basically a protocol constant.
It may change over time indeed - in that case it should be up to the
administrator to decide if their endpoints fleet supports the new
standard or not yet.

>It may guess that from the prefix-length hint, but it has no way of knowing it for sure. Also, it MAY be restricted by the network policy. It should say: "The server SHOULD honor prefix-length hint if able."

I believe https://www.rfc-editor.org/rfc/rfc8168.html already covers
what the server SHOULD do with the hint. Maybe we shall rephrase this
section, making it clear that it doesn't introduce any new
requirements to the server (as it would be in scope for the DHC group)
but provides some guidance for the administrators on what features
MUST/SHOULD be enabled and how the server shall be configured for the
proposed deployment to work.
Would it be better?

> In section 4 you wrote:
> > "Chosing longer prefixes would require the host and any connected system to use some other form of address assignment and therefore would drastically limit the applicability of the proposed solution."
>
> I would argue about that as it seems to me quite the opposite.
>
> If you force minimum /64, you would limit the applicability of the proposed solution address space-wise to:
> - Large companies that are also LIRs (having at least /32 PA spaces)
> - Small companies and persons with large enough allocations/assignments (/48 PA or PI)
>
> The medium to large companies that are not LIRs would be unable to get large enough assignments to facilitate the proposed solution. As I already wrote here, the RIPE allows at most /48 to a single subject. A larger assignment had to be authorized, and if you follow the RIPE AP-WG, then you could read the "horror story" about requesting /47 PI. In theory, it is possible. Practically, it is not (at least by the book).

What I mean by "limiting the applicability of the solution" is that
using any prefix which is longer that $PREFIX_REQUIRED_FOR_SLAAC means
that some if the devices would not be able to function/get IPv6
addresses if you deploy this. I see this scenario as a much more
serious limitation than "some networks which might not even want to
deploy this, would need to justify more address space".
It would change the situation from "I do not have resources required"
to "some of my hosts would not be able to connect to the network".

Please keep in mind that if you'd like to implement the solution
described in this document in a fully controlled environment and use
some other forms of address assignments, you can do this already. You
do not need this draft. Run DHCPv6-PD client on endhosts and DHCPv6-PD
servers/relays on the infrastructure. The purpose of this draft is not
to allow or deny this. The purpose is to document the deployment
scenario when  a random host can connect to the network, even if the
host and the network infrastructure are not under the same management.

I'd be extremely uncomfortable to publish an IETF document which
recommends a deployment model which randomly breaks hosts.
Recommendations in the section 6 of the draft are provided to ensure
that such deployments are not making the situation worse.


> There is no technical reason why this *new* method *MUST* use SLAAC code for the IID generating process on the host

You are assuming that the system requesting a prefix is always the
same system which is going to use all addresses.

>or why it cannot modify it in the end so the IID can be shorter than 64 bits. It had to be implemented anyway.

There is a difference between expecting a host OS to run a PD client
and send the received prefix downstream in RAs and implementing a new
way of assigning addresses in *all* downstream systems.

>If the host is a router with downstream interfaces, the situation is different, but most devices are not routers.

Interesting. Your experience may vary but what I've discovered by
deploying IPv6-only networks, is that *most* devices are actually
routers. We (administrators) just do not know/do not care about it in
the IPv4 world, because we have NAT and hence are not capable of
telling if this device is a router or not. That problem caused *most*
of support tickets we got during IPv6-only migration. At that point I
realized we need PD if we do not want to do NAT.
I did see a lot of cases like "oh, we thought it's just a host but
when you open it, it actually has an openwrt router and a few tables
inside".

> In my opinion, the current system of every address space-heavy companies forced to become an LIR is the v4 mess.

Sorry, could you please elaborate?  How does this proposal *force*
anyone to do anything?
Nobody *has to* deploy this. It's up to an administrator.

> The client MUST ask for the minimum prefix delegation size that would suffice its needs. For a single host, the RECOMMENDED size is /96. For a client with downstream interfaces, it SHOULD ask for a large enough prefix to address every downstream interface with /64. The DHCP-PD server SHOULD honor the length of the requested prefix if able.

Interestingly enough it means that practically you'd need to provide
/64 per host.

This deployment model doesn't need to suit *everyone's* needs. But
what we must ensure is that if someone decides to deploy it, devices
should be able to work.

> There is just one reason against that: the reuse of SLAAC code at hosts. It doesn't actually matter so much. This proposal is a new method of address assignment anyway, so one way or the other, there is still a need for a new code.

Again, you seem to assume that the system requesting a prefix is the
same one assigning all those addresses. As a network administrator
who'd like to deploy this, I just can not make this assumption, as I
know that even now it's not the case for my network.

> There is also one more use case when the proposed solution would perform worse than having a shared/on-link network segment. This would be a large data transfer. Switched, the directly reachable network would not be so heavy on the computation power of the router as in the case of a routed network (with hosts using delegated prefixes).

Maybe this solution is not suitable for this setup then?
I'd be perfectly happy to have a text saying "this solution is not
recommended if peer2peer communication is allowed between onlink
hosts".

>
> Section 8 says:
> > "... it's highly desirable for the host NOT to use the PIO prefix tto form global addresses and only use the prefix delegated via DHCPv6-PD."
> With this, it would not allow using the on-link feature (L flag) - the higher amount of traffic would need to go through the router.
>
> The last issue I've already mentioned in this list is an inability to place any host using this method to the DNS by static entry. The same disadvantage is present in the SLAAC (after the EUI-64 has been left). However, this is possible by DHCPv6 with static reservation. Due to that, the DHCPv6-PD for clients does not supersede the DHCPv6 itself in its applicability.


Actually, you might find
https://datatracker.ietf.org/doc/draft-wkumari-dhc-addr-notification/
useful.

> I would advise against adoption in this state because:
> - With minimum /64, it is way too address space heavy, so it cannot fit in current address space plans,
> - The per host /64 is not feasible for larger non-LIR organizations due to the current RIR rules - it needs consensus on the RIR level first,
> - Computation power-wise more resource heavy on routers (between host traffic and assignment/renew process),

Those seem to be cases when an administrator might decide not to
deploy this solution.
As long as solution limitations are documented and the administrator
can make a decision based on data, what's harm in having options?
It's like...I don't know...RFC7404 - I really like it and had been
operating a network like that for years. But my other backbone can't
use it, so it wasn't deployed there.

> - Doesn't help with static DNS records for services running on PD hosts,

But it doesn't make it worse. Again, happy to add it as a solution
limitation (never considered creating DNS entries for mobile phones..)

> - Solves the symptoms, not the cause: clients are using too many addresses - instead, we should ask for old privacy extensions to be disabled by default and/or generally limit the maximum number of addresses a client can have from a single prefix,


Let's discuss this. So I'm connecting a kitchen smart scale (or
ChromeOS) laptop to the network. It needs Z addresses but can only get
X (X < Z).
Whatever you do it would mean a failure for the system. Why would we
recommend anything which breaks hosts?

> - It concentrates on SLAAC reuse instead of describing a more proper (less address space-heavy) method of IID generation that would not need 64b IID.

This is v6ops draft, it documents a deployment scenario using existing
technologies.

> If it has allowed (and recommended) smaller prefixes (/64+), I would not see it as such a big problem.

It would mean publishing the recommendations which are not guaranteed
to work. I can not deploy it because an unknown number of devices in
the network would fail.

>
> Dne neděle 9. dubna 2023 2:37:28 CEST, Jen Linkova napsal(a):
> > Dear v6ops WG,
> > Even if you read -02, please take a look at -03 (or at the diff, available
> > at  https://author-tools.ietf.org/iddiff?url2=draft-collink-v6ops-ent64pd-03
> > )
> > The new version addresses comments received during the IETF116, including
> > the prefix length.
> >
> > On Sun, Apr 9, 2023 at 8:02 AM Xipengxiao <xipengxiao=
> > 40huawei.com@dmarc.ietf.org> wrote:
> >
> > > Folks,
> > >
> > >
> > >
> > > In order to facilitate quick development of a solution, this message
> > > initiates a WG call for adoption for draft-collink-v6ops-ent64pd-03. The
> > > call for adoption will end on Aug. 23, 2023.
> > >
> > >
> > >
> > > Ron & XiPeng
> > >
> > >
> > > _______________________________________________
> > > v6ops mailing list
> > > v6ops@ietf.org
> > > https://www.ietf.org/mailman/listinfo/v6ops
> > >
> >
> >
> >
>


-- 
SY, Jen Linkova aka Furry

v2.23.0 | Report a Bug | By Email