IETF Logo Mail Archive

Re: [v6ops] WG call for adoption: draft-collink-v6ops-ent64pd-03

Vasilenko Eduard <vasilenko.eduard@huawei.com> Wed, 26 April 2023 05:19 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34AA4C151545 for <v6ops@ietfa.amsl.com>; Tue, 25 Apr 2023 22:19:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0PpYSGu9AtTv for <v6ops@ietfa.amsl.com>; Tue, 25 Apr 2023 22:19:41 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F411C151532 for <v6ops@ietf.org>; Tue, 25 Apr 2023 22:19:41 -0700 (PDT)
Received: from mscpeml500001.china.huawei.com (unknown [172.18.147.207]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4Q5nFn0pSLz6DBpP; Wed, 26 Apr 2023 13:18:21 +0800 (CST)
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by mscpeml500001.china.huawei.com (7.188.26.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Wed, 26 Apr 2023 08:19:38 +0300
Received: from mscpeml500001.china.huawei.com ([7.188.26.142]) by mscpeml500001.china.huawei.com ([7.188.26.142]) with mapi id 15.01.2507.023; Wed, 26 Apr 2023 08:19:38 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Jen Linkova <furry13@gmail.com>, Martin Hunek <martin.hunek@tul.cz>
CC: IPv6 Ops WG <v6ops@ietf.org>
Thread-Topic: [v6ops] WG call for adoption: draft-collink-v6ops-ent64pd-03
Thread-Index: AdlqZc5kI+DGe/f9RbuSNupzbjraMP//+QQAgAKNawCAC/ZygIAAeTUAgAC22wCAAhk4gIAAqJOKgAFy6QCABmUDAIAAEQYA//8mv/A=
Date: Wed, 26 Apr 2023 05:19:38 +0000
Message-ID: <7fe3af23138a4e50ba97e801576723d8@huawei.com>
References: <49729a842e3c4018903e7dab2e4318bd@huawei.com> <CAFU7BATOkQz4r4cg5m0Xv4UDykZ2TaYcE+=UnehZOVa0gasYSQ@mail.gmail.com> <2589160.7s5MMGUR32@asclepius.adm.tul.cz> <CAFU7BAQO_z4GmBukFJyh7J8S3QRj-zPZ2PSkNkobunFdbNFFsA@mail.gmail.com> <c92bd179-ad14-0c66-05f4-16a0f752b2db@tul.cz> <CAKD1Yr015UhAsFbXdi0vq-TOeL1UxSHPNdq5VfcB3dU2ZDrx+A@mail.gmail.com> <CO1PR11MB48815808F60B6374CC483633D8639@CO1PR11MB4881.namprd11.prod.outlook.com> <0e3677df-21c6-887b-05d3-da94d4ed6426@tul.cz> <CAFU7BAQgrgP03CB3dvS7icthjhrgQa8nBZMY4=6TAWHvu-58Wg@mail.gmail.com> <640f425a-faa9-f412-0475-71edd9c4e6ea@tul.cz> <CAFU7BASZpr1X43c=H8oX_SgO9Z_d6Yps2jdjpUFR_Y4+rUbG0g@mail.gmail.com>
In-Reply-To: <CAFU7BASZpr1X43c=H8oX_SgO9Z_d6Yps2jdjpUFR_Y4+rUbG0g@mail.gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.81.188.254]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/qdB5BejqMxm7fLxr_Sz8OMe-vko>
Subject: Re: [v6ops] WG call for adoption: draft-collink-v6ops-ent64pd-03
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2023 05:19:45 -0000

> *the system which requests the prefix is NOT necessary the system which assigns the addresses*
For this case, /64 would be indeed more valuable. It is true.
But router-to-router DHCP-PD lease does not need any additional draft, it works fine already.
Ed/
-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Jen Linkova
Sent: Tuesday, April 25, 2023 10:19 PM
To: Martin Huněk <martin.hunek@tul.cz>
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] WG call for adoption: draft-collink-v6ops-ent64pd-03

On Wed, Apr 26, 2023 at 4:18 AM Martin Huněk <martin.hunek@tul.cz> wrote:
> It depends on the use case. If I'm an ISP, I do expect that connected devices are (could be) routers. If I'm an enterprise network with a network policy banning routers connected by users without explicit approval, then I would not expect routers to be connected to the network - if so, I'll give /{48-64} to routers with approved routers (DUIDs).

My point is: in the IPv4 world, you do not and can not know if a device connected to your network is a host or a router.
The endpoint gets an IPv4 address and uses it for NAT and for extending the network behind it. The network administrator has absolutely no way to prevent it in case of a generic host.
The only way you can guarantee the device does not act as a router is to have *full* control over every single endpoint. In that case you do not need this draft - you can control hosts behavior, right?
So that draft would not pose any threads to you, as devices which shall not send PD requests if you don't want them.

Let's forget about this draft for a second. Tell me, what do you think we shall do with those devices (ones extending the network) in the
IPv6 world? Do we want to end up with NAT66?

> > Could you please clarify: are you suggesting that to make the model 
> > described in this draft deployable, we'd need to either make SLAAC 
> > to work with /80 or invent a new form of address assignment, which 
> > would use /80?
> > If it's the former, what would change in this particular draft?
>
> Do not depend on SLAAC. This is a new method for host addressing anyway. It had to be implemented anyway.

This is a very important point which I want to emphasise again: *the system which requests the prefix is NOT necessary the system which assigns the addresses*. ChromeOS is an example. Even if the host OS which requests the prefix can implement the new method, it would mean that *all* guest OSes (which are currently behind the ND proxy of the host OS) need to support that new method.

>So the host SHOULD generate random IID to fill the rest of 128b of IPv6 address. How it is done should be implementation specific, and as the host is managing its own prefix, it really doesn't matter how.

Such a method doesn't exist today. The only method we have today which is guaranteed to work, is SLAAC.

> >> For me personally, I can accommodate both /80 and /96 per host in my addressing plans, but I cannot and will not be able to do so with /64 - this is unrealistic for me as well as for any "big" non-LIR organization in the RIPE region.
> >
> > Am I right that you'd like to deploy a prefix per host and you think 
> > your network would benefit from it, but you wouldn't be able to 
> > because you do not have enough address space?
>
> I may choose this way in the future, yes. In both ISPs, I do use PD for routers to distribute /56s to clients (routers). But I don't want to be pushed by clients that they won't fit in /56 and that they need /48 for residential. I did my addressing plan in one situation, and hosts needing /64 is an entirely different one.

But why do you think *residential* clients would even want to do this?? The whole idea of introducing a P-flag is to ensure that PD-capable devices do not request the prefix in residential networks.
If your customers realize they need /64 per device (because their devices are actually routers), they would ask for more addresses and that would be a legitimate case with or without this draft.

> Network SHOULD honor the hint, not MUST. Or better, the network MAY provide a prefix of the requested size (or not at all). In my opinion, it is OK for the network not to provide prefixes. In my case: connecting hosts is OK, so the /{80-127} is OK too. But as we do not generally allow routers/houters, we would not provide /{48-64} or even /{48-79} for unknown DUID (if /80 is the $MAX_PREF_FOR_HOST). So yes, the client should know how big a prefix it needs, but no is the legitimate answer from the network operator.

If the host needs X bits to do what it needs to do (provide connectivity to physical or virtual systems or form addresses) and the network says 'no',  the device doesn't have network connectivity.
Hence I still believe we need to agree on some recommendations on what the device shall expect and what the network MUST provide, if the P flag is set (if P flag is not set, it's OK, no PD then).
Otherwise this is not deployable: I can't guarantee that 3rd party devices connected to my network would work.

The point is: we can not recommend an approach which, if deployed, works for *some* devices only.
If I deploy this, I need this to work.
it's OK if some networks do not want/can not deploy this.

> > The draft is not just about host behaviour, it provides guidance for 
> > the network operator as well. As it's been mentioned in this thread 
> > already, most large BYOD networks would inevitably contain endpoints 
> > which are actually routers. Therefore I think it would be reasonable 
> > to include them.
>
> But then the scope would be too large. Routers and hosts require a different approach (even when both are using PD).

I think we shall stop differentiating between hosts and routers.
If we say in the draft "this deployment scenario is ONLY suitable for networks which meet the following criteria:
1) have enough address space
2) do not differentiate between hosts and routers." - would it address your concerns?

> >
> >> On 20. 04. 23 10:28, Pascal Thubert (pthubert) wrote:
> >>> Trouble is, a host needs /64 or longer. A router needs /64 or 
> >>> shorter. If we do not differentiate the scenarios, the only 
> >>> intersection is /64. Sadly it is a really bad trade-off in both 
> >>> cases…
> >>>
> >>> Now if you wish to discuss routing within the subnet (defined as the /64), I’m all for it. This is where things are going anyway, even if we hide it in underlays for the time being. But for that, we need to start with a solid architecture, and that is what 6MAN is doing with https://datatracker.ietf.org/doc/draft-ietf-6man-ipv6-over-wireless/.
> >>>
> >>> These are a total of 3 very different scenarios.  And a lot of confusion in the debates when all this gets mixed up in arguments.
> >>>
> >>> For this adoption, I suggest we us divide and conquer. The draft must discuss at least the host case. I’m good to discuss the router case if folks want that too in the traditional router operation (a /64 on each interface). For the MLTG piece, I suggest we conclude the architecture work at 6MAN first, and keep it out of scope in this  document.
> >>>
> >>> All the best
> >>>
> >>> Pascal
> >>>
> >>>
> >>>
> >>> From: v6ops <v6ops-bounces@ietf.org> On Behalf Of Lorenzo Colitti
> >>> Sent: mercredi 19 avril 2023 2:25
> >>> To: Martin Huněk <martin.hunek@tul.cz>
> >>> Cc: IPv6 Ops WG <v6ops@ietf.org>
> >>> Subject: Re: [v6ops] WG call for adoption: 
> >>> draft-collink-v6ops-ent64pd-03
> >>>
> >>> On Tue, Apr 18, 2023 at 10:31 PM Martin Huněk <martin.hunek@tul.cz<mailto:martin.hunek@tul.cz>> wrote:
> >>> So what is the scope of this draft? If it is for hosts, then the host doesn't need /64 and SLAAC. If it is for routers, then why are we trying to solve something that already works quite well? The document abstract suggests the first case - the host.
> >>>
> >>> You're correct that DHCPv6 PD works reasonably well. This draft describes an operational model and guidelines to make DHCPv6 PD work well on certain types of networks, like some enterprise networks. No protocol changes are needed, but there is still useful information in the draft. For example, it explains why bulk leasequery is needed when there are multiple default routers, it describes how the model impacts ACLs/filtering, etc.
> >>>
> >>> I don't think it's necessarily useful to try to distinguish between hosts and routers, because the distinction is very blurry. There are routers, then there are devices that users and operators think of as "hosts" which are actually routers in the sense that they forward packets not addressed to themselves, and then there are hosts that need multiple IPv6 addresses (see RFC 7934 for examples of why). This proposal supports all of them.
> >> _______________________________________________
> >> v6ops mailing list
> >> v6ops@ietf.org
> >> https://www.ietf.org/mailman/listinfo/v6ops
> >
> >
> >



--
SY, Jen Linkova aka Furry

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email