Re: [v6ops] I-D Action: draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt
Ray Hunter <v6ops@globis.net> Mon, 28 November 2011 11:14 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9685121F8D03 for <v6ops@ietfa.amsl.com>; Mon, 28 Nov 2011 03:14:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Level:
X-Spam-Status: No, score=0.002 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OZNtltHpH77x for <v6ops@ietfa.amsl.com>; Mon, 28 Nov 2011 03:14:39 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id C7AEF21F8CC1 for <v6ops@ietf.org>; Mon, 28 Nov 2011 03:14:38 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 0870E8700EC; Mon, 28 Nov 2011 12:14:35 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at globis01.globis.net
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QF5EZzKc-WEZ; Mon, 28 Nov 2011 12:14:27 +0100 (CET)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id BC8EC8700D6; Mon, 28 Nov 2011 12:14:27 +0100 (CET)
Message-ID: <4ED36D13.5030002@globis.net>
Date: Mon, 28 Nov 2011 12:14:27 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox Express 1.0.1 (Macintosh/20100705)
MIME-Version: 1.0
To: "v6ops@ietf.org WG" <v6ops@ietf.org>, "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
Content-Type: multipart/alternative; boundary="------------020709070506080209000403"
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2011 11:14:40 -0000
I've followed progress of this document over various versions and IMHO you're doing a great job. I have no major comments, but quite a lot of detailed editorial comments / nits, included below. Editorial Comments =============== re: Title. A slightly alternative way of looking at this operationally: is this not simply about Information Security and "Risk Mitigation Whilst Transitioning Content To IPv6"? Operations people should be well used to that via Prince 2, ITIL, and other methodologies. It's not "daunting": It's just another transformation project, where business risks need to be managed. My take on an alternative title: s/Transitioning Content to IPv6/Risk Mitigation Whilst Transitioning Content To IPv6/ Section 4.1: If we mention [W6D], should we not also mention [v6ops] ? Normally for risk mitigation, you'd introduce a table of potential risks cross-referenced to the potential/selected mitigation tactics. You've done this descriptively already within the subsections, but a summary table might prove enlightening/useful. Section 4.3.1-4.3.4: / When implemented on an automated basis in the future, DNS recursive resolvers listed in the whitelist could expand and contract dynamically/ Is this defined anywhere as a WG item? Otherwise would suggest s/When/If/ I have a concern with automation of whitelisting and potential DNS content instability as different providers implement uncoordinated changes on a "near-real-time basis", which could lead to some serious traffic flip-flopping at mega scale (IPv6 detected as stable -> IPv6 DNS record added -> IPv6 load increases -> link/device/network saturates -> IPv6 impairment (just 0.078% loss) -> IPv6 record deleted -> link/device/network stable -> IPv6 detected as stable) From the perspective of a remote (feeder) network this is NOT like global server load balancing of IPv4, where the traffic to other ISP peers may change, but the peering point will probably anyway be physically co-located at the same GIX, so traffic patterns _within_ the remote feeder network probably won't be greatly impacted any more than say a local BGP peering failure. DNS A->AAAA record changes could trigger use of a completely different network path, equipment, or peering, and so may even impact traffic flows within the feeder network. Section 4.3.4 "Split DNS" Add a reference to BIND "view" configuration command? / DNS Blacklisting is also likely less labor intensive for a domain than performing DNS Resolver Whitelisting on a manual basis./ Is there any basis or evidence for this statement? Otherwise s/is also likely less/may be less/ I see no reference to the risk of assuming a "do nothing" tactic and staying with IPv4 for as long as possible, or a mitigation tactic of relying on others to provide IPv6 to IPv4 translation somewhere else outside of your domain as its "not my problem." That's always option one and two on any risk management plan, and the preferred/default option of many managements. You could well argue it's out of scope, but a pointer to an existing document would be nice. nits ==== Section 2 s/Challenges When Transitioning Content to IPv6/Risks When Transitioning Content to IPv6/ Section 3 s/Challenges/Risks/ Section 4 s/Potential Migration Tactics/Potential Risk Mitigation Tactics/ ??? whole document s/migration tactics/risk mitigation tactics/ s/there is not one approach/there is no single prescriptive approach/ s/in Section 2.1 <http://tools.ietf.org/html/draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08#section-2.1>. One challenge/in Section 2.1 <http://tools.ietf.org/html/draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08#section-2.1>, one challenge/ s/ the potential solutions [I-D.ietf-v6ops-happy-eyeballs <http://tools.ietf.org/html/draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08#ref-I-D.ietf-v6ops-happy-eyeballs>]/the potential solutions e.g. [I-D.ietf-v6ops-happy-eyeballs <http://tools.ietf.org/html/draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08#ref-I-D.ietf-v6ops-happy-eyeballs>]/ s/turning on a significant amount of IPv6 traffic is quite daunting and would carry a relatively high risk of network/turning on a significant amount of IPv6 traffic may carry a relatively high risk of network/ s/used to facilitate the migration to IPv6/used to mitigate risks during migration to IPv6/ s/key tactics/key risk mitigation tactics/ s/Use IPv6-Specicic Names/Use IPv6-Specific Names/ s/recursive resolver is, etc./recursive resolver is, and any other operational impacts./ s/These authoritative DNS servers selectively return AAAA resource records using the IP address of the DNS recursive resolver that has sent it a query/These authoritative DNS servers selectively return AAAA resource records or not, dependent on the IP address of the DNS recursive resolver that has sent it a query/ s/and an A record would be sent/any A resource records associated with the name WILL be sent/ s/However, if a DNS recursive resolver is matched in the whitelist, then AAAA resource records WILL be sent/However, if a DNS recursive resolver is matched in the whitelist, then AAAA resource records WILL be sent (any A resource records associated with the name MAY still be sent)/ s/manually-based/manually-maintained/ /Similarities to Content Delivery Networks and Global Server Load Balancing/ something odd with the formatting here. /Balancing/ is outside the HTML <span> tag. s/cannot send email to a domain at all, with DNS Resolver Whitelisting/cannot send email to a domain at all, with DNS Resolver Blacklisting/ s/It is then up to end users with IPv6-related impairments to discover and fix any applicable impairments./The onus is then on end users with IPv6-related impairments to discover and fix any applicable impairments themselves. The advantage of this approach being that IPv6-related impairments should reduce over time, rather than being worked around ad infinitum./ s/Finally, the tactics listed in Section 4 are by no means exclusive./Finally, the tactics listed in Section 4 are by no means exclusive, nor exhaustive./ s/contact end userd directly concerning/contact end users directly concerning/ regards RayH
- Re: [v6ops] I-D Action: draft-ietf-v6ops-v6-aaaa-… Hugo Salgado
- [v6ops] I-D Action: draft-ietf-v6ops-v6-aaaa-whit… internet-drafts
- Re: [v6ops] I-D Action: draft-ietf-v6ops-v6-aaaa-… Ray Hunter