IETF Logo Mail Archive

Re: [v6ops] Please review the No IPv4 draft

Owen DeLong <owen@delong.com> Fri, 18 April 2014 20:58 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41DB01A01D3 for <v6ops@ietfa.amsl.com>; Fri, 18 Apr 2014 13:58:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.137
X-Spam-Level:
X-Spam-Status: No, score=0.137 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_ADSP_ALL=0.8, DKIM_SIGNED=0.1, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 47oOXRvqk2O5 for <v6ops@ietfa.amsl.com>; Fri, 18 Apr 2014 13:58:44 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id EBCBB1A02D8 for <v6ops@ietf.org>; Fri, 18 Apr 2014 13:58:43 -0700 (PDT)
Received: from [IPv6:2620::930:0:ca2a:14ff:fe3e:d024] ([IPv6:2620:0:930:0:ca2a:14ff:fe3e:d024]) (authenticated bits=0) by owen.delong.com (8.14.2/8.14.2) with ESMTP id s3IKuQsO003722 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 18 Apr 2014 13:56:26 -0700
X-DKIM: Sendmail DKIM Filter v2.8.3 owen.delong.com s3IKuQsO003722
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=delong.com; s=mail; t=1397854587; bh=29/QtnGkpipC4ZyCMCe1d157EEc=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; b=D3C6yWHSUPlDKqm6enK8UWbymkmk7BJNY/Fb8mf78tmZaMTk5Jb+Y0w2ALMGjRG43 4ZCwP6J7qbYBQ9r2ueTh7j/TwsR2oCRZHGa19ctZWtaGryE83E4hEyrThjLNLYDYfF DoMu9gAuPLpktTEviNOiI3F0sv7oUODA9PAEMPZs=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Owen DeLong <owen@delong.com>
In-Reply-To: <1BE293BD-3191-4622-AACA-E9E3689400EB@nominum.com>
Date: Fri, 18 Apr 2014 13:56:28 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <65F84234-90E7-47E2-A67C-B3DD38681830@delong.com>
References: <534BF5A5.5010609@viagenie.ca> <20140415083615.GB43641@Space.Net> <534D3672.3060702@viagenie.ca> <3446106.k0lm12lQ8b@linne> <alpine.DEB.2.02.1404161034220.10236@uplift.swm.pp.se> <CAKD1Yr2D+ZMi-UctuvrMzyqoHqgBy5O26GODT=bRwq0PsvLgLw@mail.gmail.com> <alpine.DEB.2.02.1404161053110.10236@uplift.swm.pp.se> <m1WaMBx-0000BSC@stereo.hq.phicoh.net> <E772899C-8505-4436-8594-380799F91BA0@nominum.com> <CAKD1Yr2KFOi_hW3CCSbcT-uPQSwsUyE06cY3r8=CuunSbnz_xw@mail.gmail.com> <D701ADC0-EA9F-48DD-933F-9E02ACF3EBD4@nominum.com> <534EAB83.1070906@foobar.org> <70739713-281A-41E6-93ED-5EE1BC4B7FAB@nominum.com> <534EC1DB.4010902@foobar.org> <575F73AC-8DA5-4E04-B2CF-4875B729C7D3@nominum.com> <534FC59B.201@foobar.org> <1BE293BD-3191-4622-AACA-E9E3689400EB@nominum.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
X-Mailer: Apple Mail (2.1827)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0rc1 (owen.delong.com [IPv6:2620:0:930::200:2]); Fri, 18 Apr 2014 13:56:27 -0700 (PDT)
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/qF8ST_TZrG2an6P5PCip2Iwx63k
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] Please review the No IPv4 draft
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Apr 2014 20:58:48 -0000

>  The authors of the draft thought about it, wrote drafts documenting various solutions, and came up with "no, it's better to do it over IPv6."

Which is strictly THEIR OPINION. An opinion which is apparently NOT shared by many people on this list.

> What I am characterizing as opinion is "this is hard to do on Linux, therefore we should do it this other way."   It's true that it's hard to do on Linux, for certain values of Linux, but the connection between that and "we should do it this other way" is opinion.   This is compounded by the fact that there are already other configuration interdependencies that are handled poorly by the same Linux configuration framework we are talking about, and consequently work is being done to come up with a more robust framework.   I've mentioned this, but the response was to ignore that point and continue to assert "this is hard on Linux."   Which is why I tend to see this as "opinion" rather than "technical objection."

I don't believe that is a valid characterization of what was said.

What was said was "This is a bad way to do it for a number of reasons..."

Beyond that, there was an "oh, by the way, it's also hard and brittle on Linux".

IMHO, this should be done in DHCPv4 or ICMPv4 (and the more I think about it, the more I think ICMPv4) and NOT IPv6 because:

	1.	Principle of least surprise. IPv4 developers do not expect to have to anticipate that things happening
		over IPv6 will affect the behavior of core IPv4 services, nor should they. Most systems and network
		administrator have the same expectation.

		Configuring an IPv4 address over an IPv6 tunnel might be an exception, but at least in that case, the
		operator is aware of the fact that they are trying to tunnel IPv4 through IPv6 and that is likely to modify
		their general expectation. Shutting down IPv4 on command issued over IPv6, OTOH, violates all kinds
		of expectations and is likely to result in significant surprise in the operator community.


	2.	This feature could be implemented in IPv4 with little or no IPv4 stack running on the implementing device
		in question (AP, Router, etc.), so the argument that it requires an IPv4 stack to be preserved is somewhat
		specious. All that is needed is enough to detect an IPv4 DHCPREQUEST (and/or BOOTPREQUEST) and
		respond with a preformed ICMP DHCP4UNAVAILABLE message.

	3.	A host could receive conflicting IPv6 and IPv4 messages about what it is supposed to do about IPv4
		configuration. You can argue that such behavior is a broken network configuration, but the reality is that
		failing to consider this in real world scenarios has undesirable operational effects and security implications.
		At the very least, behavior in the face of such an event on the client side should be specified and
		deterministic.

	4.	The number of clients likely to be affected by this change is much greater than the target space. Moving this
		to IPv4 would reduce the impact space to match the target space.

And Oh, by the way:

		While Linux is an example of a well modularized operating system where IPv4 configuration is handled
		by completely separate mechanisms than IPv6 configuration, it is likely not the only one. Implementation
		of this on any such modularized system is likely to result in brittleness and unexpected consequences.

> 
>>> I'd be just as happy if the conclusion of the process was "just
>>> filter IPv4 at the access points if you want it to go away," and I'd
>>> like to see more discussion on that topic.
>> 
>> this is also a valid concern.  I can see no reason why anyone would heed an
>> unauthenticated signal to entirely shut down all ipv4 services o/s wide on
>> their ipv4-enabled client (or even no-ipv4 options 1-2 for that matter),
>> when we already have the existing option for operators to fully satisfy all
>> aims of this draft by declining to forward ethertypes 0x0800 and 0x0806.
>> Simple and enforceable are both good engineering principals to aspire to.
>> Complex+advisory+piles of failure modes+controversial need a much greater
>> level of justification, which is notably absent from this draft.
> 
> Noted.   I think it would be good to have text in the document that explains why this isn't the proposed solution, so that it can be evaluated on the merits and we don't have to speculate.

I'd agree with that at the very least, though modifying the draft to propose an ICMP4 DHCPUNAVAILABLE message and client behavior in the face of receiving both that and a DHCPOFFER would be preferable IMHO.

Owen

v2.23.0 | Report a Bug | By Email