IETF Logo Mail Archive

Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-recommendations-02.txt

"Liubing (Leo)" <leo.liubing@huawei.com> Fri, 21 February 2014 08:38 UTC

Return-Path: <leo.liubing@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6EA31A04ED for <v6ops@ietfa.amsl.com>; Fri, 21 Feb 2014 00:38:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.749
X-Spam-Level:
X-Spam-Status: No, score=-6.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WTI4Zct1mXbK for <v6ops@ietfa.amsl.com>; Fri, 21 Feb 2014 00:38:24 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) by ietfa.amsl.com (Postfix) with ESMTP id 770F71A04E9 for <v6ops@ietf.org>; Fri, 21 Feb 2014 00:38:24 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml203-edg.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BDU82179; Fri, 21 Feb 2014 08:38:20 +0000 (GMT)
Received: from LHREML402-HUB.china.huawei.com (10.201.5.241) by lhreml203-edg.huawei.com (172.18.7.221) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 21 Feb 2014 08:38:01 +0000
Received: from NKGEML402-HUB.china.huawei.com (10.98.56.33) by lhreml402-hub.china.huawei.com (10.201.5.241) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 21 Feb 2014 08:38:19 +0000
Received: from NKGEML506-MBX.china.huawei.com ([169.254.3.72]) by nkgeml402-hub.china.huawei.com ([10.98.56.33]) with mapi id 14.03.0158.001; Fri, 21 Feb 2014 16:38:15 +0800
From: "Liubing (Leo)" <leo.liubing@huawei.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Thread-Topic: [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-recommendations-02.txt
Thread-Index: AQHPKWgMo43RzbooVkmZSkAdeWvl75qz/igAgAD96wCAAR80gIABVkQAgAA9hYCAAAN1gIAAC5wAgAEHz4CABQWcgIABnniA
Date: Fri, 21 Feb 2014 08:38:14 +0000
Message-ID: <8AE0F17B87264D4CAC7DE0AA6C406F453D836393@nkgeml506-mbx.china.huawei.com>
References: <20140214091302.13219.20624.idtracker@ietfa.amsl.com> <m21tz6javn.wl%randy@psg.com> <1442fd6c81e.5859224653900445752.5189762259388794287@internetdraft.org> <52FEBE28.1010006@gmail.com> <8E2A8B56-6F05-4F09-BE7E-651B9CA42458@delong.com> <5300CE32.1050808@gmail.com> <BD473E46-E382-44E6-B474-A56D074318FA@delong.com> <530104B3.3070205@gmail.com> <53010E70.5000401@gmail.com> <20140217110013.GA31822@mushkin> <CF2BDFBA.DAF1%evyncke@cisco.com>
In-Reply-To: <CF2BDFBA.DAF1%evyncke@cisco.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.98.132]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/o-AGqzc7VL6vKoiGR15RWzTPkc0
Cc: V6 Ops List <v6ops@ietf.org>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-recommendations-02.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2014 08:38:27 -0000

Hi Eric,

Thanks for your comments to draft itself. Please see replies below.

> -----Original Message-----
> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Eric Vyncke
> (evyncke)
> Sent: Thursday, February 20, 2014 11:42 PM
> To: Jan-Frode Myklebust; Brian E Carpenter
> Cc: V6 Ops List
> Subject: Re: [v6ops] I-D Action:
> draft-ietf-v6ops-ula-usage-recommendations-02.txt
> 
> To come back to the draft itself...
> 
> Section 2.2 'globally unique', should stress that the randomization process
> MUST be followed to the letter. Also, as discussed in the list, the 40 bits of
> entropy are for a single /48, if hundreds of /48 need to be generated, this
> will reduce the entropy to 30 bits or so... (which is still 8 billions though).

[Bing] Yes, this is a good argument. Will do in the next version. Thanks.


> Section 4.2 'limited scope', as a security person, I would really love to read it
> clearly articulated that ULA does not provide isolation per se...
> Bi-directional ACL are required + route map to avoid polluting your BGP
> neighbors. 

[Bing] This could be a good point to add in the security considerations. Thanks.

Best regards,
Bing

> Jan-Frode, I am sure that you know that strict policy routing
> (without anti-spoofing or ACL) will not prevent packets from you DC to leak
> to the Internet (to the NSA or any other 'interested' party ;-))

> -éric
> 
> On 17/02/14 12:00, "Jan-Frode Myklebust" <janfrode@tanso.net> wrote:
> 
> >On Mon, Feb 17, 2014 at 08:16:00AM +1300, Brian E Carpenter wrote:
> >> >>> Le 15/02/2014 19:16, Owen DeLong a écrit :
> >> >>>> Indeed, the situations where ULA usage is detrimental vastly
> >> >>>> outnumbers those where it is actually beneficial.
> >>
> >> That's an opinion, but it isn't an argument for abolishing ULAs. It's
> >> actually an argument for improving this draft so that it describes
> >> the cases in which ULAs are beneficial.
> >
> >> Could we have a detailed conversation about whether those cases are
> >> correctly described in the draft?
> >
> >Yes please.
> >
> >My use case is that we have a set of datacenter internal
> >services/servers that should *never* be routed out. When not using ULA
> >we've had a couple of incidents where the routes did leak out and
> >servers that shouldn't have been available on the Internet was. So
> >we've decided to use ULA for the same set of servers as we previously
> >used rfc1918-adresses for. No NAT involved. No servers should reach
> >Internet directly. Yes we could achieve the same by putting proper ACLs
> >in place on the borders, but since we've failed to do that in the past,
> >the belt and suspenders approach is attractive.
> >
> >Is this a "valid" ULA usage?
> >
> >
> >  -jf
> >
> >_______________________________________________
> >v6ops mailing list
> >v6ops@ietf.org
> >https://www.ietf.org/mailman/listinfo/v6ops
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email