IETF Logo Mail Archive

Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]

Vasilenko Eduard <vasilenko.eduard@huawei.com> Fri, 29 April 2022 08:01 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87139C15EE20; Fri, 29 Apr 2022 01:01:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Agxl0vrXnu8k; Fri, 29 Apr 2022 01:01:43 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BACBAC15948B; Fri, 29 Apr 2022 01:01:42 -0700 (PDT)
Received: from fraeml715-chm.china.huawei.com (unknown [172.18.147.226]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4KqPxy5gpMz67xZG; Fri, 29 Apr 2022 15:58:46 +0800 (CST)
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by fraeml715-chm.china.huawei.com (10.206.15.34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Fri, 29 Apr 2022 10:01:38 +0200
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by mscpeml500001.china.huawei.com (7.188.26.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Fri, 29 Apr 2022 11:01:37 +0300
Received: from mscpeml500001.china.huawei.com ([7.188.26.142]) by mscpeml500001.china.huawei.com ([7.188.26.142]) with mapi id 15.01.2375.024; Fri, 29 Apr 2022 11:01:37 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Mark Smith <markzzzsmith@gmail.com>, Nicholas Buraglio <buraglio@es.net>
CC: Xipengxiao <xipengxiao=40huawei.com@dmarc.ietf.org>, 6man list <ipv6@ietf.org>, v6ops list <v6ops@ietf.org>
Thread-Topic: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
Thread-Index: AQHYWPMa29ieH/YkeUSxTtcSlFLojK0BHpGAgAAOt4CAAAsgAIAAAkWAgAABEwCAArKmAIAAFUWAgAAFeoCAAAeegIAAI/YAgAArXQCAAAwtgIAAgQWAgAAbkYCAAMgQIP//8u6AgAAlRACAADrjAIAAZUOg
Date: Fri, 29 Apr 2022 08:01:37 +0000
Message-ID: <bc10230e8856490e84aa45c645bc98d1@huawei.com>
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com> <BN8PR07MB70760D9693580F5BDCB61DD995F89@BN8PR07MB7076.namprd07.prod.outlook.com> <CAKD1Yr3Z9wGQ+uiA2WcW00MrOiLyHs+bSoFjHVtrixCi2qp4DA@mail.gmail.com> <BN8PR07MB7076A6456CAB48EF428D6E8695F89@BN8PR07MB7076.namprd07.prod.outlook.com> <65d0d9ac-77fc-c200-09e3-0c3949ca1541@gmail.com> <CAN-Dau2FS99ewfgH8xk-jSJFCnO92CJV9ZC98DUE2UDR7V1Eww@mail.gmail.com> <CANMZLAYbpZBDA8uFnJqfWfWTQ4S9RN4a-DqWe36qzfAfDtXiQA@mail.gmail.com> <CAN-Dau0BjRR2_7xz38DpJsz0Y=Z_8bV5n-=Eh1QUVEDzqVxmaA@mail.gmail.com> <CAPt1N1=H=eAyRu0JcHnLpZEUizDZ4Kj0VwPu=0nM=Wn+y3Ho1w@mail.gmail.com> <CAM5+tA_4rtSkgEuRUFZ2LYr6i8a7vWeKODYieVARF3RbRvgRww@mail.gmail.com> <BN8PR07MB7076DE3E745CB916FB81879595FA9@BN8PR07MB7076.namprd07.prod.outlook.com> <ADAE42CE-448F-42F5-89BE-692F493E2DC8@consulintel.es> <CAM5+tA_ksJ+agY1tze1-zPHLsgYFgjEYtnuPs+ffZbnRqiHytw@mail.gmail.com> <BAD082DA-0958-4926-B3E5-4E4599A75078@consulintel.es> <BN8PR07MB7076564E50C0DAFBFAB950FD95FA9@BN8PR07MB7076.namprd07.prod.outlook.com> <CAPt1N1ncVkekecS=dBHSR3WtaEMruy55Udxy0WSMGTgbN24pKw@mail.gmail.com> <CAM5+tA8-Zqka-vZ9jRL3wn0dtfuJj0ECx_k9prwyS2ypisaPtw@mail.gmail.com> <FB031B76-7E88-4824-876F-D1A05F8D2215@thehobsons.co.uk> <CAFU7BAST-oNGpy4JvODDsf=8eS69hV8XCi8OgEHBkkoujRN3Rw@mail.gmail.com> <699f556a3eac41179a80d2cc8749a191@huawei.com> <CAO42Z2wiebCOPmtcEOJ3rOaZEpHE7qFZZTf5KLWybSsL6rOd9Q@mail.gmail.com> <CAM5+tA-PS6m3iD62MtueRKvYTMNyUHj4-4o__MZws8dvQkpAYA@mail.gmail.com> <CAO42Z2y0vj8mfzJudeJZ5nyvHnU7S0Cpu-mQrbTFr_mDwX4BAQ@mail.gmail.com>
In-Reply-To: <CAO42Z2y0vj8mfzJudeJZ5nyvHnU7S0Cpu-mQrbTFr_mDwX4BAQ@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.81.190.13]
Content-Type: multipart/alternative; boundary="_000_bc10230e8856490e84aa45c645bc98d1huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/wYJbQiuaKVIAy53ycNx9Xywz9JM>
Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2022 08:01:47 -0000

Yes, GUA over ULA is the problem.
But IPv4 over ULA is the much bigger problem!
And when we would start to fix it we may come to the situation ULA to GUA that may be one-way connectivity.
I mean: it is not so simple RFC 6724 fix.
Looking to all these messaging (including a usual flame about NAT) – I am not sure that consensus is possible. Some prefer to keep ULA dead (prioritized below IPv4) just as one additional barrier on the way to NPT.
Probably, ULA would be down till NPT would be accepted.
Hence, I am doubt that it makes sense to develop a draft to fix ULA – it would undermine anti-NPT position. It would be blocked anyway.
Ed/
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Mark Smith
Sent: Friday, April 29, 2022 7:47 AM
To: Nicholas Buraglio <buraglio@es.net>
Cc: Xipengxiao <xipengxiao=40huawei.com@dmarc.ietf.org>; 6man list <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]


On Fri, 29 Apr 2022, 11:15 Nick Buraglio, <buraglio@es.net<mailto:buraglio@es.net>> wrote:
Again, we're focusing on the wrong thing that is a tangent out of an example used to describe *why* we need the thing. We need something that is usable in a dual stacked environment that has similar attributes to ULA. If everyone here thinks ULA is fine (which I do not believe is the consensus), great. Let's say that.


We decided that when RFC4193 was published, also after site-locals were deprecated in RFC3879, in 2004/2005. Many networking and telephony protocols have provided link and/or network local private address spaces that don't require getting address space from an central authority. In CLNS it is 49.

ULAs were further endorsed in RFC6204, Basic Requirements for IPv6 Customer Edge Routers. I've seen a number of CPE implement the ULA requirements in that RFC (including in recent firmware for Google's Nest Wifi CPE.)

The only current issue is preference of GUAs over ULAs in RFC6724 default address selection. That seems to have been made without reading of RFC4193, because RFC4193 says:

"4.2.  Renumbering and Site Merging

   The use of Local IPv6 addresses in a site results in making
   communication that uses these addresses independent of renumbering a
   site's provider-based global addresses."

which is implicitly saying that ULAs need to be preferred over GUAs for DAs and then SAs, when there is a choice between ULA and GUA DA, and then a subsequent choice between a ULA and GUA SA,

and

" At the present time, AAAA and PTR records for locally assigned local
   IPv6 addresses are not recommended to be installed in the global DNS."

which is implicitly saying that hosts should be provided with ULA AAAAs only when the ULA DA is likely reachable because the host is part of the same ULA address domain i.e. split DNS.

RFC6724 seems to have assumed that ULA AAAAs are always in global DNS, so ULAs are going to be far more unreliable most of the time than GUAs, so GUAs should be preferred. ULA AAAAs appearing in global DNS is a fault, and RFC6724 looks to then have been optimised for a fault situation.

Regards,
Mark.





If not, let's think about how to fix it - or at the very least update the draft to reflect its limitations. Ideological soapboxing about the merits or detriment of NAT isn't really gaining any ground either way. It is a tool in the toolbox. Some folks use it. Vilifying it is like hating an earthmover because it's not a Ferrari.

nb



ᐧ

On Thu, Apr 28, 2022 at 6:03 PM Mark Smith <markzzzsmith@gmail.com<mailto:markzzzsmith@gmail.com>> wrote:
On Fri, 29 Apr 2022 at 07:37, Xipengxiao
<xipengxiao=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>> wrote:
>
> Hi Jen,
>
> Thank you for bringing this useful piece of information to light.  I hope more people see it:
>
> > PCR DSS 4.0 (published in March 2022) does not mandate NAT for IPv6. The text has been updated.
>
> That said, I very much agree with Kevin Meyer: "If you want more Enterprises participating in the IETF discussions and improving IPv6 uptake, start thinking about meeting them where they are. And to be crystal clear - NAT is where they are and where they will be for quite a while".
>
> My point is, given PCI DSS 4.0 (what Jen wrote as PCR DSS 4.0), we should tell enterprises they no longer need NAT. But if some enterprises still insist, respect their decision.

Ignore them. IPv6 doesn't solve any problem they have, and adding NAT
to IPv6 still won't solve any problem they have, because IPv6 still
won't solve a problem they have.


Earth moving equipment manufacturer: "We think you should buy an earth
moving front end loader from us. They're great!"

An Enterprise: "We don't need an earth moving front end loader, we're
an accountancy firm. It doesn't solve any problems we have."

Earth moving equipment manufacturer: "What if we add a backhoe to it?"

An Enterprise: "We're still an accountancy firm, we still won't need
it. We don't need to move dirt or dig holes. It still doesn't solve
any problem we have."

Earth moving equipment manufacturer: "Oh, come on! You really should
buy one! We love our front end loaders. Everybody needs one. What if
we paint it green too?"

An Enterprise: "Nope. Even though our corporate colours are green,
we're still an accountancy firm and we still won't need it. We've got
better things to spend $100K on."


Even government mandates to get enterprises to adopt a networking
protocol don't work - the Internet is supposed to be running CLNS by
now as mandated by governments around the world. (I expect Vint Cerf
was being nice while working on this rather than truly believing OSI
would take over.)

Explaining the Role of GOSIP
https://www.rfc-editor.org/rfc/rfc1169.html


 It's more important to get enterprises to use IPv6 ASAP, than to
insist that they use the "right" IPv6 solution.
>

Why is it important to get enterprises to use IPv6 ASAP?


Regards,
Mark.


> XiPeng
>
> -----Original Message-----
> From: v6ops <v6ops-bounces@ietf.org<mailto:v6ops-bounces@ietf.org>> On Behalf Of Jen Linkova
> Sent: Thursday, April 28, 2022 12:53 PM
> To: Simon <linux@thehobsons.co.uk<mailto:linux@thehobsons.co.uk>>
> Cc: 6man list <ipv6@ietf.org<mailto:ipv6@ietf.org>>; v6ops list <v6ops@ietf.org<mailto:v6ops@ietf.org>>
> Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
>
> On Thu, Apr 28, 2022 at 11:15 AM Simon <linux@thehobsons.co.uk<mailto:linux@thehobsons.co.uk>> wrote:
> > The IPv6 community needs to engage with this other regulatory community to get them to bring their standard into the 21st century.
> >
> > As long as the PCI standard effectively mandates IPv4 & NAPT then it’s going to be an uphill struggle.
>
> See my email I sent yesterday. PCR DSS 4.0 (published in March 2022) does not mandate NAT for IPv6. The text has been updated.
>
> --
> SY, Jen Linkova aka Furry
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org<mailto:v6ops@ietf.org>
> https://www.ietf.org/mailman/listinfo/v6ops
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org<mailto:ipv6@ietf.org>
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email