Re: [v6ops] draft-moreiras-v6ops-rfc3849bis-00

Owen DeLong <owen@delong.com> Thu, 15 August 2013 18:55 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98AE211E8182 for <v6ops@ietfa.amsl.com>; Thu, 15 Aug 2013 11:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.266
X-Spam-Level:
X-Spam-Status: No, score=-2.266 tagged_above=-999 required=5 tests=[AWL=0.333, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OK-1BF4i4OVn for <v6ops@ietfa.amsl.com>; Thu, 15 Aug 2013 11:55:47 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 23F7D11E8128 for <v6ops@ietf.org>; Thu, 15 Aug 2013 11:55:46 -0700 (PDT)
Received: from delong-dhcp227.delong.com (delong-dhcp27 [192.159.10.227]) (authenticated bits=0) by owen.delong.com (8.14.2/8.14.1) with ESMTP id r7FIrwYl019482 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 15 Aug 2013 11:53:58 -0700
X-DKIM: Sendmail DKIM Filter v2.8.3 owen.delong.com r7FIrwYl019482
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=delong.com; s=mail; t=1376592840; bh=/2AMz59BZBLRSvipdb21ZB/Jatk=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; b=wddgJlsEEo4ByIQjIrF4sUW7ZFtv7REvjex6jt0oX5DCORNii+NcLgN62RDO+wI4u Yqga848G4YlrSWpQMrCX0kFOOZShaoPOvXuzMXM7gGZohr6+/A5q2AXrpXG0OtBBuS mIaI5AMverlM7WKFRpDHn8uNgHV9DpNf02EuxV/o=
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Owen DeLong <owen@delong.com>
In-Reply-To: <1376552030.18421.YahooMailNeo@web142501.mail.bf1.yahoo.com>
Date: Thu, 15 Aug 2013 11:53:58 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <9D8B12FB-E090-4910-87EE-8F11B11D6A1E@delong.com>
References: <5207D42F.2030302@nic.br> <5207E319.6070601@nic.br> <8C48B86A895913448548E6D15DA7553B97DA03@xmb-rcd-x09.cisco.com> <CA+z-_EWFAGFqyo3E3LzrEhpMRV6axdLJTC50BNwXMNGuJtZuTA@mail.gmail.com> <2671C6CDFBB59E47B64C10B3E0BD59230439ABEFA4@PRVPEXVS15.corp.twcable.com> <A84D9405-B3D2-4D55-BAEE-FE25ACE45EB6@delong.com> <2671C6CDFBB59E47B64C10B3E0BD59230439ABF00C@PRVPEXVS15.corp.twcable.com> <7E5164F5-CB38-49D1-94F5-5125FCD2416E@delong.com> <52095DAF.2050505@nic.br> <2671C6CDFBB59E47B64C10B3E0BD59230439ABF61A@PRVPEXVS15.corp.twcable.com> <4910BB30-FF77-4E69-8B60-E35E5847DB2F@delong.com> <2671C6CDFBB59E47B64C10B3E0BD59230439ABF936@PRVPEXVS15.corp.twcable.com> <165C9BFD-B154-4F5C-89C5-684B621D2696@delong.com> <1376435086.63006.YahooMailNeo@web142506.mail.bf1.yahoo.com> <E2F5B184-5386-48E7-B840-72753AC4E984@delong.com> <1376552030.18421.YahooMailNeo@web142501.mail.bf1.yahoo.com>
To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
X-Mailer: Apple Mail (2.1508)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0rc1 (owen.delong.com [192.159.10.2]); Thu, 15 Aug 2013 11:54:00 -0700 (PDT)
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-moreiras-v6ops-rfc3849bis-00
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 18:55:48 -0000

>> By definition, a documentation prefix is going to be an exception.
>>  
> 
> Yes, but there has to be code to except it when it is being generated, recorded, precluded from ACLs etc. If fc00:0db8::/32 was used, then a potential future registry would have to exclude that range of prefixes, and assuming the operational rules are applied, then there would be mixed cases where parts of fc00::/8 are permitted/accepted/forwarded and then fc00:0db8::/32 has to either explicitly or implicitly denied/filtered/blocked. I think it is better to make the network's handling of all prefixes within fc00::/8 consistent, with no exceptions.

I don't see that as a significant hurdle. If (and I think that's a big IF at this point) a registry is created, then you prime the registry with an entry for fc00:0db8::/32 as a Doc prefix and you're done.

By definition, any given network which uses space within fc00::/8 will not be able to handle it consistently with no exceptions. They will need to permit the ranges they are using and exclude the rest anyway.

OTOH, any network not using fc00::/8 space can reject all of fc00::/8 without exception.

As such, I think you're pushing a red herring.

>>> I think it would be better to specify a documentation ULA prefix that has 
>> the nearly the properties as conventional ULAs, but doesn't fall within 
>> fc00::/7 (perhaps fe::/7 or something within it?). The only differences would be 
>> statements about no forwarding, no accepting routes etc.
>> 
>> That's an awful lot of space to devote to documentation. Personally, I 
>> thought a /32 was excessive for ULA. A 7 is ridiculous, IMHO.
>>  
> 
> I agree the /7 is large and excessive, and I'm not really advocating for it. I suggested fe::/7 only to make a documentation ULA look similar to and adjacent to the existing non-documentation ULA space, rather than falling within the existing ULA space. Choosing to use a /7 for a documentation ULA would obviously need a lot of thought and justification, and I wouldn't think it'd be likely to be accepted. 

I don't see it as offering any advantages over fc00:0db8::/32, either.

> 
>>> Ultimately though, I think it is fundamentally impossible to prevent 
>> something silly like using documentation prefixes on a production network, 
>> unless you use actually invalid IPv6 prefixes. The only way I can think of to do 
>> that would be by doing things such as adding invalid hexadecimal 'g-z' 
>> numbers into the example prefixes. I'm not sure I like the idea, although it 
>> might cause people who get tripped up on it to go back and think some more about 
>> what they're doing and put more effort into getting it right.
>> 
>> It is impossible to prevent. This aims to:
>> 
>>     1.    Make it less likely.
>>     2.    Make it easier to identify
> 
> This is the key reason I think outside of fc00::/7 would be better.

Since 2001:0db8::/32 has proven to be perfectly viable for this purpose, I thing that argument falls flat.

> 
>>     3.    Cause earlier identification (and thus easier rectification) when it 
>> does occur.
>> 
>> The doc prefix, in order to achieve full value, needs to be implementable in 
>> some training lab scenarios.
> 
> If it is a documentation prefix then I think it should never be implemented in training labs, otherwise it is now more than just a documentation prefix. For a lab, standard ULA prefixes should do fine, and the exercise of students generating and deploying a conventional ULA prefix for their own network would be a good one to teach them how ULAs are to be properly generated and used.

We can agree to disagree on this. Admittedly, I prefer to do as you say above, but there are other instructors that want to allow students to do certain ab initio exercises using the exact book examples. I think both should be supported.

Owen