IETF Logo Mail Archive

Re: [v6ops] A good example of why we need to careful about ULAs

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 30 May 2013 21:45 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BD3221F9273 for <v6ops@ietfa.amsl.com>; Thu, 30 May 2013 14:45:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.21
X-Spam-Level:
X-Spam-Status: No, score=-102.21 tagged_above=-999 required=5 tests=[AWL=-0.211, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xxXWaX-yJWCJ for <v6ops@ietfa.amsl.com>; Thu, 30 May 2013 14:45:12 -0700 (PDT)
Received: from mail-pd0-f174.google.com (mail-pd0-f174.google.com [209.85.192.174]) by ietfa.amsl.com (Postfix) with ESMTP id 6037D21F8B5F for <v6ops@ietf.org>; Thu, 30 May 2013 14:45:12 -0700 (PDT)
Received: by mail-pd0-f174.google.com with SMTP id 3so1075313pdj.33 for <v6ops@ietf.org>; Thu, 30 May 2013 14:45:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=y8pf5JOGLD4bJqptR85oECom7axMJNLHeOuVUJAOP5E=; b=tHeIXFztXbr/f1NKlxZyAZgasy0D0EytYXVCoJiXhqwHDRLuKCnGvcwnrsc88VAThe L7YoKKTOzCo39067Vc2wFhGDilqunw9hahLLpQ9RAItcU3yOhsupDnRWPiKpa3ZltNlk f/M/yNDvIVT1Z1OcYQTCen9HXcHdCva+wGJooINVzQI5+nGL/WRXkfpFnqvQS5TZmT4k SlPvtS89Zm0wYiiZ4etvZFek/iSBygIvawztZqgmBVVRFiDed+HHS9ieIm9BgzEpSAIQ AdZTddH/TAb8re/M15g4lx9dD/p6A7bvlEToXgOt5/EcYuWeErj0Hu3u0lrhzafffol/ cl5A==
X-Received: by 10.66.4.10 with SMTP id g10mr10536632pag.217.1369950312056; Thu, 30 May 2013 14:45:12 -0700 (PDT)
Received: from [192.168.1.2] (224.171.252.27.dyn.cust.vf.net.nz. [27.252.171.224]) by mx.google.com with ESMTPSA id uv1sm43539979pbc.16.2013.05.30.14.45.08 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 30 May 2013 14:45:10 -0700 (PDT)
Message-ID: <51A7C86B.3020808@gmail.com>
Date: Fri, 31 May 2013 09:45:15 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Mark Smith <markzzzsmith@yahoo.com.au>
References: <CAKD1Yr29kf1Me=6JR66Gq0dFYgQx2wq=pjW8WZyHByPA0POsMQ@mail.gmail.com> <1369901467.70362.YahooMailNeo@web142506.mail.bf1.yahoo.com>
In-Reply-To: <1369901467.70362.YahooMailNeo@web142506.mail.bf1.yahoo.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>, "draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org" <draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org>
Subject: Re: [v6ops] A good example of why we need to careful about ULAs
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 21:45:17 -0000

On 30/05/2013 20:11, Mark Smith wrote:
>> ________________________________
>> From: Lorenzo Colitti <lorenzo@google.com>
>> To: "v6ops@ietf.org WG" <v6ops@ietf.org> 
>> Cc: "draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org" <draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org> 
>> Sent: Thursday, 30 May 2013 4:41 PM
>> Subject: [v6ops] A good example of why we need to careful about ULAs
>>
>>
>>
>> News at 11:
>>
>>
>> 1. ULAs leak.
>>
>> 2. People assign ULAs by hand.
>>
> 
> In the early news, not really a new problem.
> 
> RFC1918 and 100.64/10 leak too, 

In traceroutes, link-locals sometimes leak too.

All these are confusing and make the traceroute hard to interpret,
but they don't actually *matter*. What matters is if they leak in
actual traffic such as attempted TCP connections. Does that happen?

   Brian

>  and what is worse, I've seen people intentionally expose RFC1918s to other networks - the largest carrier here in .au uses RFC1918 addresses for their wholesale ADSL L2TP LACs (from memory, at least 20 to 30, spread across multiple /16s within 172.16/12) and then expect their many wholesale ADSL customers' to just accept those addresses and make them work within their own networks, despite their own, quite legitimate internal use of 172.16/12 (fortunately VRFs/VPNs can be used to isolate that address space from your own). So we can't pretend that RFC1918s have been perfectly used, and therefore ULAs being less private than intended is going to be new problem and experience. At least properly formed ULAs are unlikely to conflict with other network's ones, even if the other network has used fd00::/8, and if the two interconnecting parties have both been lazy and used fd00::/8, they'll both be victims of theirs and the other
>  party's laziness (which they'll be used to, since they've probably experienced it with RFC1918). They'll probably resort to NPTv6 to fix it, because that is what they're used to, rather than using IPv6's address aging mechanisms to renumber to a properly formed ULA. Good luck to them, as long as it doesn't effect the rest of us.
> 
> 
> 
>> Yes, both of these a violation of IETF guidance. I don't think that matters much, though - while we can always claim that the implementer/operator is "holding it wrong", we should be careful that what we design/standardize is hard to misconfigure and possibly robust in the face of misconfiguration. Subtle nuances like "these addresses are global scope, but not globally routable" tend to get lost very easily.
>>
> 
> I think recommending against ULAs is just going to result in people stealing other address spaces for devices that don't need global reachability - like 2001:db8::/32, or unused global address space (as we saw with 1/8, 5/8 and other IPv4 prefixes).
> 
> I think global address space comes with and implies a default assumption of global reachability, and you'll therefore have to actively take measures to ensure they don't provide global reachability if you don't want it. Link-locals don't cut it because they're not routable. The need ULAs fulfils is the gap in between global space and link-locals, and the one which RFC1918 generally fulfils in IPv4, except that the likelyhood of address space collision is reduced.
> 
>> Of course, in the case of ULAs, there's not much that can be done about the design at this point, but we should make an effort to make it clear that the potential for misconfiguration exists and provide clear guidance on how not to misconfigure them.
>>
>>
> 
>> Personally, I think that providing said guidance is much more useful and important than enumerating scenarios that aren't widely, if at all, implemented, and I hope that the authors of draft-ietf-v6ops-ula-usage-recommendations will agree.
>>
> 
> So is this draft aiming for BCP status and therefore should only reflect best common practice? If not, I think it is reasonable to present scenarios where ULAs could be useful. We've got a lot of experience with private address spaces from IPv4 (the Deprecating Site Local Addresses RFC3879 is also a pretty complete list of the problems with RFC1918 addresses), so the only real difference is scenarios where concurrent global and private address spaces could be useful. In some cases, they'll just be more capable versions of what we've already doing in IPv4 e.g. private addressed loopbacks on routers, global addresses on the links, in a ULA environment you would add ULAs to the links too, which could make troubleshooting and other OAM less dependent on the global address space.
> 
> Regards,
> Mark.
> 
>> Cheers,
>> Lorenzo
>>
>>
>> ---------- Forwarded message ----------
>> From: Jeroen Massar <jeroen@massar.ch>
>> Date: Thu, May 30, 2013 at 4:59 AM
>> Subject: Usage of fd00::/8 on the Interwebz - something with filters and uRPF
>> To: ipv6-ops@lists.cluenet.de
>>
>>
>> ...
>>  4  2001:7f8:1::a500:3303:1 (2001:7f8:1::a500:3303:1)  20.755 ms  20.763 ms  20.784 ms
>>  5  fd00:3303::1 (fd00:3303::1)  22.010 ms  21.984 ms  21.986 ms
>>  6  2a02:120c:1051:d010::1 (2a02:120c:1051:d010::1)  17.806 ms  17.889 ms  17.842 ms
>>  7  2a02:120c:1051:d010::1 (2a02:120c:1051:d010::1)  18.720 ms  18.593 ms  18.617 ms
>> ...
>>
>> Hmmmm fd00::/8, that really should never ever be visible on the Internet, being Unique *LOCAL* Addresses.
>> And it does not look like they applied the randomness bit for picking a prefix either.
>> You would also almost think that a /28 is more than enough address space to put a few router loopbacks in.
>>
>> It is apparently time for people to start checking their filters again because it seems that these packets leak into other ASNs too...
>>
>> More generally, do recheck your network for BCP38 compliance, please do apply it and require your peers to do the same!
>>
>> Greets,
>>  Jeroen
>>
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>>
>>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email