Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios

Gert Doering <gert@space.net> Wed, 20 February 2019 14:42 UTC

Return-Path: <gert@space.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F678130E1C for <v6ops@ietfa.amsl.com>; Wed, 20 Feb 2019 06:42:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x6VjnbsAmpEW for <v6ops@ietfa.amsl.com>; Wed, 20 Feb 2019 06:42:31 -0800 (PST)
Received: from mobil.space.net (mobil.space.net [IPv6:2001:608:2:81::67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09208127AC2 for <v6ops@ietf.org>; Wed, 20 Feb 2019 06:42:26 -0800 (PST)
X-Original-To: v6ops@ietf.org
Received: from mobil.space.net (localhost [IPv6:::1]) by mobil.space.net (Postfix) with ESMTP id 7602641C2A for <v6ops@ietf.org>; Wed, 20 Feb 2019 15:42:22 +0100 (CET)
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
Received: from moebius4.space.net (moebius4.space.net [IPv6:2001:608:2:2::251]) by mobil.space.net (Postfix) with ESMTP id 5FFE741B56; Wed, 20 Feb 2019 15:42:22 +0100 (CET)
Received: by moebius4.space.net (Postfix, from userid 1007) id 51C42B6297; Wed, 20 Feb 2019 15:42:22 +0100 (CET)
Date: Wed, 20 Feb 2019 15:42:22 +0100
From: Gert Doering <gert@space.net>
To: sthaug@nethelp.no
Cc: gert@space.net, jordi.palet@consulintel.es, fgont@si6networks.com, v6ops@ietf.org, 6man@ietf.org
Message-ID: <20190220144222.GL71606@Space.Net>
References: <6D78F4B2-A30D-4562-AC21-E4D3DE019D90@consulintel.es> <20190220113603.GK71606@Space.Net> <20190220.130245.526931615.sthaug@nethelp.no>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="iWgke0titJZxhgDH"
Content-Disposition: inline
In-Reply-To: <20190220.130245.526931615.sthaug@nethelp.no>
X-NCC-RegID: de.space
User-Agent: Mutt/1.11.2 (2019-01-07)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/uXqC-rOES7MfPPCsG8Fm--NGKJo>
Subject: Re: [v6ops] A common problem with SLAAC in "renumbering" scenarios
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 14:42:32 -0000

Hi,

On Wed, Feb 20, 2019 at 01:02:45PM +0100, sthaug@nethelp.no wrote:
> >> What a sacrilege!
> > 
> > There's so much wrong with current IPv6 standards and implementations
> > and processes that "just go with NPT" would save a lot of pain.
> 
> Would you be interesting in making a list of what you think is wrong?
> (I'm not disagreeing, I'm just curious...)

Oh, that list will be long, so doing it in a useful way will take some
time.  Just a quick list of things that come to my mind right away

There's "protocol inherent" issues that turn out to be amazingly stupid
in retrospective

 - using IPv6 for ND/NA
    - "you cannot attack something from remote which is not IP"
    - usiing a mix of local and global addresses for ND/NA source/dest
      (so filtering "only accept those ND/NA packets that can correctly
      happen on *this link* and drop all else" is fairly tedious)

 - using multicast for core functionality
    - little benefit compared to broadcast in today's networks
    - lots of extra complexity in network drivers, switch forwarding planes,
      Wifi, ...
      -> lots of bugs and problems

 - replicating the ARP model of "neighbor solicitation when a packet comes
   in" instead of trying something akin to LANE, where you just register
   with "someone" who knows all the L2/L3 mappings for a given LAN segment
   on connection, and nobody has to probe -> "scan /64, exhaust ND" attacks
   totally defused

 - unbound chain of extention headers 

 - carrying link-local next-hop addresses in IPv6 BGP sessions that are
   connecting peers on the same LAN using their GUAs (so at least one
   major vendor installs a next-hop in the FIB that is different from 
   the BGP peer it is talking to - combine that with ND bugs galore, and
   you get blackholing due to LLA next-hop unreachability, while BGP
   thinks "all is good")



Then, there's market and IETF process fails

 - homenet protocol suite - this is something that could have been 
   insanely great, with "just plug in a second ISP into your home
   network, all machines understand that they have two options for
   'connect to the Internet' now, and users have full control"

   IETF process fail: stall this by haggling two years over "what sort
   of routing protocols should we have in the homenet protocol suite?
   we must have negotiations! options! flexibility!"

   market fail: CPEs have their implementations done.  Nobody (but OpenWRT)
   seems to be working on homenet implementations.

   double market fail: ISPs have no interest in requesting this from 
   their vendors (so, IETF fail again, because that way it never made it
   into the CPE requirements list...) - because it would empower their
   customers to more easily switch ISPs, while they would have to pay
   the development costs.


 - source address *failover* in case a machine has multiple source 
   addresses and one of them is broken.  We have happy eyeballs for 
   "multiple destinations", but as far as I'm aware (maybe I have 
   missed something) still no "we might want to probe multiple sources
   if the preferred best source seems to be non-working".  

   Actually this thread is fixing one of scenarios when this can happen
   (because your router went belly-up), but there's "you have two /64
   from two ISPs on your LAN, with two routers happily announcing their
   RAs, but one of them just cannot reach your preferred destination due
   to external breakage" - in which case you want to try the other source.


 - the whole "multiple /48 multihoming" debacle - combined with homenet, 
   this is a really great idea for SoHo environments, especially if you
   combine it with application smartness, so you can tell your web
   browser "I want to surf via MyCableNet now!" while your torrent client
   is filling YourDSL.ISP link...

   Instead of having nice things, what we *do* get is RFCs that explain
   "if your primary ISP goes belly-up, withdraw primary RA, send RA for
   secondary ISP"...  (sorry, Jen, but I think this is a bandaid for a
   much more fundamental flaw).


 - Firewalls on home routers - so, what do I need global IPv6 addresses
   in my home network if IETF keeps telling people "you better should not
   have these addresses reachable from the world!! because, security!!!"?

   Combined with "CPE market fails" I can now have native IPv6 at home
   (great), combined with a CPE that has severe limitations on what can
   be permitted in its ACL handling.  Well, after some 5 years, AVM *did*
   manage to permit IPv6 traffic to DHCPv6-PD-delegated prefixes, but 
   this is still unsatisfactory.


 - did I mention CPEs?  Like, AVM, which claims that there is no way
   to transport IPv4 over an IPv6-transported VPN, so their CPEs will not
   implement VPN over IPv6.  Great combination if you're sitting behind
   a ds-lite ISP and have no public v4 address at all...

   (bashing AVM is actually somewhat unfair, since most other CPE vendors
   are 10 years behind)


 - did I mention VPNs?  Like, Fortinet, who do support VPN over IPv6, and
   IPv6 over VPN.  And VPN over IPv4, and IPv4 over VPN.  But they do not
   support "IPv4 payload over IPv6 VPN", because, "where is the business
   case for that?" - like "I'm sitting behind a carrier-grade NAT IPv4 
   at home, but I have proper IPv6, and I want to reach my IPv4-only
   backend servers in the datacenter over your VPN"...


 - I *did* mention the dual-stack IPv6 socket API, did I, with lots of
   extra code paths everywhere and the amount of bugs this introduces?
   (in retrospective I can only applaud OpenBSD for refusing to implement
   it - I did not understand it back then, "because it is so much more
   convenient!", but I was wrong)


 - another market fail: 3GPP mandates IPv6 for UMTS.  3 out of 4 mobile
   ISPs in DE do not offer IPv6 at all... (nowadays it's no longer "3"
   since Telefonica bought E-Plus, but when 3G was rolled out, none of
   the 3 had any interest in v6...)


 - and of course, having to deploy IPv4 in 2019, because "The Internet"
   took over 20 years to not-deploy IPv6 widely enough that we could 
   finally start shutting down IPv4...  instead we have haggling and
   arguments galore over the last scraps of IPv4...


So, that was the unsorted "things that came to my mind" list - it might
be factually not correct if I missed interesting new developments, and
it might be unfair to people that had the best of intentions, but this
is where we are: in an annoying mess of half-done half-working things.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279