Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update might break current ULA+IPv4 hostnames
Ted Lemon <mellon@fugue.com> Sun, 12 November 2023 11:38 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02B98C1705FB for <v6ops@ietfa.amsl.com>; Sun, 12 Nov 2023 03:38:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0StcgG9l7il for <v6ops@ietfa.amsl.com>; Sun, 12 Nov 2023 03:38:46 -0800 (PST)
Received: from mail-ot1-x32c.google.com (mail-ot1-x32c.google.com [IPv6:2607:f8b0:4864:20::32c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B09CDC1705F4 for <v6ops@ietf.org>; Sun, 12 Nov 2023 03:38:46 -0800 (PST)
Received: by mail-ot1-x32c.google.com with SMTP id 46e09a7af769-6ce353df504so2073410a34.3 for <v6ops@ietf.org>; Sun, 12 Nov 2023 03:38:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20230601.gappssmtp.com; s=20230601; t=1699789125; x=1700393925; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FXSAeqL2w4XrihVMxb44G3qXDMFm+C41H6Iotq4Ihp8=; b=L95R2+hSmgm7fZt4pv3Mx5NW74VKJbEPl/zdrzxdqLow9WUGUZDdAeu2zwqldL7BfT TIpmyRP6dMyesfMNzudxp57AxA4i89p5H1CHnIucAZabuMYdeeaWMmoiODb0iLD+lcTR BSR3nKR7/4TJvcr+1RMO+Sit91IjQH9KylgdRSYBzFvaRq1hkwOdMSrzgesOLM/ftR4C o7GFu8JBPU9OiAtSFBk1XOLeTmI3PU3KGB3QMZs2oECtOpDrd0GKZ+9Gu/xkjak44GpI 6VzMCy72Wa8gw8rlqaCEQTN9cEF2Cld1lj+Eqvrvr3qQcD5kKLHCjeBzEZTYlY9f0MGb iJyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699789125; x=1700393925; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=FXSAeqL2w4XrihVMxb44G3qXDMFm+C41H6Iotq4Ihp8=; b=bilXEUYCM+bnbslZEEXxCmd6o/D/ZDO8v6gunWxdazw6vdatnPJNIMoL3RmBhHou9U 7NvAiKz3LbSoLoZHm4KakQ0NZyQVXgeJgkc/MEgEC5totMJIynjv+FAV8BXmSuztjupn acI8Q+XT7Qx2MpjUc2YVcjwG4pUFVHY5izVFa6tPEDqlWCLFQTiTbw5ENXK4gfjzQLST LMQ6+iWGDAp1CwYJackAQcDkoo6SjW4YcUoQuXXu+qErZvQDDzieAbzt2wGNsHTpOrqR zfwt7AOy70H3GLHkLaACvw8wkWZ/Dj4S5O18xoFdgi43pFF0ak1YaXB1F78X4hlwoT5d NqwQ==
X-Gm-Message-State: AOJu0YwLcYWlfQBSZ/sDhjBDGJuURMaBAXN+V9gM0Qc2kTw+ESnCdWBp quvEJuai9MZDhkBHE0/4DnwbHInZV4fzPtnViwrLqw==
X-Google-Smtp-Source: AGHT+IGzidfJKb1crwCVMSXNCnAjmLQ9RKNAsNW0BgdGCuturiG2R1fWvIJ/gmQ7KpERxp+tX90Dq/mE5qHxx72bxk0=
X-Received: by 2002:a9d:6258:0:b0:6cd:a7a:848f with SMTP id i24-20020a9d6258000000b006cd0a7a848fmr4260190otk.14.1699789125378; Sun, 12 Nov 2023 03:38:45 -0800 (PST)
MIME-Version: 1.0
References: <CAPt1N1mp+494DTc0hUG0ZwD34n1Kevwu3mwZKvgUq2qaTCZ6sg@mail.gmail.com> <69565BC4-B955-4840-B407-39707C47DE3E@employees.org> <CAPt1N1n_QBBdq_f0uN4=d0QKjdAoEGk4VCm-u6pMQUB0EfiCuw@mail.gmail.com> <CAO42Z2ypqtQT85iccM0N59885Zp+o+X-Lx34CjvaAf+JH9go3w@mail.gmail.com>
In-Reply-To: <CAO42Z2ypqtQT85iccM0N59885Zp+o+X-Lx34CjvaAf+JH9go3w@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Sun, 12 Nov 2023 11:38:33 +0000
Message-ID: <CAPt1N1kwJn2i6iU7shdcJBrdEn34P5aWy=k00Yf9AVKva_SbJw@mail.gmail.com>
To: Mark Smith <markzzzsmith@gmail.com>
Cc: IPv6 Ops WG <v6ops@ietf.org>, Ole Trøan <otroan@employees.org>
Content-Type: multipart/alternative; boundary="00000000000002f87d0609f2ff52"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vU_DXphQtRnSz6q59ktP9tziA2U>
Subject: Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update might break current ULA+IPv4 hostnames
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Nov 2023 11:38:51 -0000
I think the place to draw the line is where we make a misconfiguration scenario work at the expense of a scenario where there is no misconfiguration. Op zo 12 nov 2023 om 11:19 schreef Mark Smith <markzzzsmith@gmail.com> > Hi, > > On Sun, 12 Nov 2023 at 21:55, Ted Lemon <mellon@fugue.com> wrote: > > > > I agree that in this scenario, you have a problem, but I think the case > where GUA-> GUA doesn’t work is a misconfiguration. We shouldn’t try to > address every possible misconfiguration because that will lead to useless > complexity. Rather, misconfigurations should fail. > > I generally agree with this. It's also best if the party who > misconfigured something directly suffers the greatest consequences of > their misconfiguration, which motivates them to fix it. > > I think there is however some value in tolerating to an extent > misconfiguration. This is Postel's "be liberal with what you accept". > However, liberally accepting everything is also not good. The thing to > think about and decide on is where to draw the line between a > tolerable misconfiguration and one that should fail hard. I'd say > tolerable means an acceptable end-user experience, however one that > would be improved fairly significantly if the misconfiguration is > fixed. > > (More text below, have kept it all to preserve Ole's summary of my > case rather than snipping it) > > > Jen’s experience with this that she shared with us last week suggests > that this is a better path to function than wallpapering over every > possible problem. > > > > Op zo 12 nov 2023 om 10:50 schreef Ole Trøan <otroan@employees.org> > >> > >> Hi Ted, > >> > >> Mark’s case: > >> Destination host B has ULA+GUA. > >> Source host A has ULA+GUA also. > >> > >> 6724 will give two SA, DA pairs. > >> > >> {ULA A, ULA B} > >> {GUA A, GUA B} > >> > >> Now, if the only path working is: > >> {ULA A, GUA B} > >> > >> Then that SA, DA combination will not be “found” by 6724. > >> > >> If I understood Mark’s case correctly. > >> Eg if ULA A and ULA B were in different domains. > > No, in my scenario both of the Host A and Host B's ULA addresses were > within the same network/same ULA/48 prefix. > > Normally, Host A's ULA address should have a path through the local > network to Host B's ULA address and vice versa, so Host A and B's ULA > addresses should be preferred over Host A and Host B's GUA addresses. > > However, there could be a routing fault such that H.A ULA to H.B ULA > temporarily isn't working. H.A GUA to H.B. GUA would then be he fall > back in that situation until the ULA routing problem is fixed. > > Regards, > Mark. > > > >> > >> I didn’t think HE would find other SA, DA pairs than what 6724 gives. > >> > >> I am definitely not asserting anything here. But asking if this is also > your understanding. :-) > >> > >> Cheers, > >> Ole > >> > >> On 12 Nov 2023, at 11:26, Ted Lemon <mellon@fugue.com> wrote: > >> > >> > >> > >> Sorry, you’ll have to walk me through how happy eyeballs fails here. > I’m not seeing it. > >> > >> Op zo 12 nov 2023 om 09:00 schreef Ole Trøan <otroan@employees.org> > >>> > >>> Since the RFC6724 algorithm picks a single SA for a DA, in Mark’s > example the algorithm will not find a working SA/DA at all. > >>> > >>> (A solution to that would be to return an ordered list of SAs for a > DA.) > >>> > >>> I am not sure HE would help either, as it’s using what it gets from > 6724. > >>> > >>> Did I understand that correctly? > >>> > >>> Cheers > >>> Ole > >>> > >>> > >>> > >>> On 12 Nov 2023, at 08:31, Ted Lemon <mellon@fugue.com> wrote: > >>> > >>> > >>> > >>> Optimizing for weird internal network outages seems rather > pessimistic. Do we really think this is a likely situation, such that we > need to make sure the user doesn’t experience any delay at all in this > case, at the risk of breaking all internal connections when we need to > renunber the GUA? > >>> > >>> Op zo 12 nov 2023 om 05:14 schreef Mark Smith <markzzzsmith@gmail.com> > >>>> > >>>> Hi David, > >>>> > >>>> On Sun, 12 Nov 2023, 13:59 David Farmer, <farmer@umn.edu> wrote: > >>>>> > >>>>> Lorenzo and Mark, > >>>>> > >>>>> The reality is that most systems today would use IPv4 instead of ULA > if they didn't have GUA unless they implemented the advice in Section 10.6 > of RFC 6724, which is rare and why we need this draft. > >>>> > >>>> > >>>> I understand completely why we need a draft to fix the problem with > ULAs being below IPv4. Since I think of ULAs as site-locals+a random > number, I assumed RFC 6724 just effectively replaced site-locals with ULAs, > preferring them over GUAs, as site-locals had been. > >>>> > >>>>> > >>>>> > >>>>> We could make the advice in Section 10.6 mandatory, but RFC 4193 > also anticipates merging ULA networks. Therefore, the advice in Section > 10.6 needs to be mandatory and expanded to allow for an arbitrary number of > /48s, not just the /48 covering the PIO used for ULA. I suggested using > PIOs to add additional ULA prefixes to the policy table dynamically. > However, others felt such a dynamic table would be too complicated and > preferred the simplicity of raising the preference of the ULA label above > IPv4 yet remaining below GUA in a static table. > >>>> > >>>> > >>>> For an internal destination, that could be reached by either a ULA or > GUA address, ULA should be preferred over GUA. Otherwise, one of the key > benefits and uses of ULAs disappears: > >>>> > >>>> RFC 4193: > >>>> > >>>> "4.2. Renumbering and Site Merging > >>>> > >>>> The use of Local IPv6 addresses in a site results in making > >>>> communication that uses these addresses independent of renumbering > a > >>>> site's provider-based global addresses." > >>>> > >>>> > >>>> > >>>>> > >>>>> This is relatively safe as long as Happy Eyeballs is implemented, as > HE will try ULA against IPv4 if there is no GUA. Otherwise, if there is > GUA, HE will try it against IPv4 instead. > >>>>> > >>>>> As Mark points out, this still leaves GUA preferred over ULA. > However, raising all ULA above GUA in a static table is unsafe, as any > remote ULA would be preferred over GUA. > >>>> > >>>> > >>>> Yes. > >>>> > >>>> > >>>>> > >>>>> Then, Happy Eyeballs would try the remote ULA against IPv4 instead > of GUA, > >>>> > >>>> > >>>> Which is why HE should prefer ULA over GUA (and all IPv6 is preferred > over all IPv4). > >>>> > >>>> Note that it needs to be Happy Eyeballs version 2, which works > differently and better to HEv2 regarding IPv6 verses IPv4. > >>>> > >>>> > >>>> > >>>>> > >>>>> with the likelihood of using IPv4 instead of GUA as expected. A > dynamic table that prefers known local ULAs above GUA is the only safe way > to prefer ULA over GUA. > >>>> > >>>> > >>>> I disagree. > >>>> > >>>> Hosts have to be able to cope with DNS providing unreachable > destinations regardless of ULA/GUA/IPv4 etc. preference, because DNS isn't > normally tightly coupled to the state of reachability of the network. (DNS > caching would be hard if not impossible to do if DNS records were coupled > to the state of OSPF, BGP and ultimately ND/ARP reachability for DAs.) > >>>> > >>>> So imagine your "safe" scenario where a host has a dynamic table such > that the host knows of the local ULA /48. > >>>> > >>>> DNS returns the ULA and GUA DAs for an internal host. > >>>> > >>>> I think you're saying with your dynamic table that is a safe > scenario, which I think means you're assuming then ULA will always be 100% > available because now you're comfortable preferring ULA over GUA. (For > completeness, does "unsafe" mean encountering long TCP connection timeout > delays?) > >>>> > >>>> That may not be the case. Perhaps the ULA address of a host is on one > network card, and the GUA address of the host is on a different network > card (i.e. it's a multihomed host), and the link to the ULA network card is > down. The ULA address is now unreachable, whereas the GUA is reachable. I > think that would be an "unsafe" result in your "safe" scenario. > >>>> > >>>> DNS does not provide an assurance of current reachability. Hosts have > to test reachability by actively trying to reach the DNS supplied DAs, and > move on quickly to the next DA in the set somehow (e.g., via HEv2) when the > current DA is determined to be unreachable. > >>>> > >>>> Once you accept that DNS may return unreachable DAs, and hosts will > and have to deal with it in a user friendly manner (HEv2 or similar), you > then optimise for the common and likely cases (via preferences such as ULA > over GUA), not error and uncommon cases like remote and unreachable ULAs in > global DNS. > >>>> > >>>> > >>>> Regards, > >>>> Mark. > >>>> > >>>>> > >>>>> Therefore, the advice in Section 10.6 is still valid and should be > expanded to allow for an arbitrary number of /48s. With a static table, ULA > should have a lower preference than GUA to remain safe. > >>>>> > >>>>> Mark's agreement, based on site-local, is valid as far as it goes, > but since there is only one site-local prefix, there is no such thing as a > remote site-local, where there can be unreachable remote ULAs. > >>>>> > >>>>> Thanks. > >>>>> > >>>>> On Sat, Nov 11, 2023 at 3:57 AM Lorenzo Colitti <lorenzo= > 40google.com@dmarc.ietf.org> wrote: > >>>>>> > >>>>>> Why is is a misconfiguration to put a ULA AAAA record in the DNS? > Because it is never preferred over anything, adding it won't break > anything, and it will work on IPv6-only networks when global IPv6 > connectivity is down. I could totally see someone doing the following: > >>>>>> > >>>>>> server.smallcompany.com AAAA fd73:4899:2a7f:a93a::53 > >>>>>> server.smallcompany.com AAAA 2001:db8:4923::1 > >>>>>> server.smallcompany.com A 192.0.2.1 > >>>>>> > >>>>>> This would work well today. The server would be reached: > >>>>>> > >>>>>> - over global IPv6, if the client has it > >>>>>> - over ULA, if the client is v6-only and is within small company's > network but there is no global connectivity (e.g. ISP link down and > addresses deprecated) > >>>>>> - over IPv4, otherwise > >>>>>> > >>>>>> People might well have done this today because it works for them. > If we change the rules as proposed in this draft, it will stop working for > any home network that has a ULA and IPv4, but no IPv6 (and there are lots > of these). > >>>>>> > >>>>>> This is a fundamental property of ULA: it doesn't provide > reachability. If we give all of ULA the same label, and prefer it over > other addresses, we'll always end up with problems. > >>>>>> > >>>>>> What happened to the idea of treating "same /48" ULA differently > from "rest of ULA space"? > >>>>>> > >>>>>> On Fri, 10 Nov 2023, 15:57 David Farmer, <farmer= > 40umn.edu@dmarc.ietf.org> wrote: > >>>>>>> > >>>>>>> In this scenario, a ULA source with a non-local ULA destination > can only occur from a misconfiguration that includes both a ULA and Global > IPv4 addresses in the Global DNS, contradicting Section 4.4 of RFC4193. > >>>>>>> > >>>>>>> Nevertheless, even if this misconfiguration happens, Happy > Eyeballs, if implemented, will try the non-local ULA destination with the > ULA source and the IPv4 destination and source pairings. The likely result > is IPv4 being used in practice since the ULA source will typically fail to > communicate with the non-local ULA destination, and IPv4 will succeed if > IPv4 Internet connectivity is available. > >>>>>>> > >>>>>>> If Happy Eyeballs is not implemented, the non-local ULA > destination with the ULA source is preferred, and the ULA source will > typically fail to communicate with the non-local ULA destination; however, > if the operational guidelines in Section 4.3 of [RFC4193] are followed. In > that case, recognizing this failure can be accelerated, and transport layer > timeouts (e.g., TCP) can be avoided. These guidelines will cause a > Destination Unreachable ICMPv6 Error to be received by the source device, > signaling the next address in the list to be tried, as discussed in Section > 2 of RFC 6724; > >>>>>>> > >>>>>>> Well-behaved applications SHOULD NOT simply use the first address > returned from an API such as getaddrinfo() and then give up if it fails. > For many applications, it is appropriate to iterate through the list of > addresses returned from getaddrinfo() until a working address is found. For > other applications, it might be appropriate to try multiple addresses in > parallel (e.g., with some small delay in between) and use the first one to > succeed. > >>>>>>> > >>>>>>> > >>>>>>> Should this also be discussed in the draft? > >>>>>>> > >>>>>>> Thanks > >>>>>>> > >>>>>>> On Fri, Nov 10, 2023 at 3:35 AM Lorenzo Colitti <lorenzo= > 40google.com@dmarc.ietf.org> wrote: > >>>>>>>> > >>>>>>>> I don't know how common this is, but it's probably worth thinking > about. > >>>>>>>> > >>>>>>>> Many home routers assign ULAs, even if they don't have native > IPv6. On such networks, a hostname that has ULA and IPv4 (or ULA and global > and IPv4) will currently work using IPv4. > >>>>>>>> > >>>>>>>> If hosts update to follow the new rules in > draft-ietf-6man-rfc6724-update, that will break because new hosts will > prefer ULA over IPv4. This won't work, because the ULA is actually a > different ULA and the home router will drop the packets. > >>>>>>>> > -------------------------------------------------------------------- > >>>>>>>> IETF IPv6 working group mailing list > >>>>>>>> ipv6@ietf.org > >>>>>>>> Administrative Requests: > https://www.ietf.org/mailman/listinfo/ipv6 > >>>>>>>> > -------------------------------------------------------------------- > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> -- > >>>>>>> =============================================== > >>>>>>> David Farmer Email:farmer@umn.edu > >>>>>>> Networking & Telecommunication Services > >>>>>>> Office of Information Technology > >>>>>>> University of Minnesota > >>>>>>> 2218 University Ave SE Phone: 612-626-0815 > >>>>>>> Minneapolis, MN 55414-3029 Cell: 612-812-9952 > >>>>>>> =============================================== > >>>>> > >>>>> > >>>>> > >>>>> -- > >>>>> =============================================== > >>>>> David Farmer Email:farmer@umn.edu > >>>>> Networking & Telecommunication Services > >>>>> Office of Information Technology > >>>>> University of Minnesota > >>>>> 2218 University Ave SE Phone: 612-626-0815 > >>>>> Minneapolis, MN 55414-3029 Cell: 612-812-9952 > >>>>> =============================================== > >>>> > >>>> -------------------------------------------------------------------- > >>>> IETF IPv6 working group mailing list > >>>> ipv6@ietf.org > >>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > >>>> -------------------------------------------------------------------- > >>> > >>> -------------------------------------------------------------------- > >>> IETF IPv6 working group mailing list > >>> ipv6@ietf.org > >>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > >>> -------------------------------------------------------------------- > > > > _______________________________________________ > > v6ops mailing list > > v6ops@ietf.org > > https://www.ietf.org/mailman/listinfo/v6ops >
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Ted Lemon
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Mark Smith
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Ted Lemon
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Ted Lemon
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… David Farmer
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Brian E Carpenter
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Brian E Carpenter
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Nick Buraglio
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Ole Trøan
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Vasilenko Eduard
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Ole Trøan
- Re: [v6ops] [IPv6] draft-ietf-6man-rfc6724-update… Ole Troan