IETF Logo Mail Archive

Re: [v6ops] A good example of why we need to careful about ULAs

joel jaeggli <joelja@bogus.com> Thu, 30 May 2013 22:08 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C37821F86CA for <v6ops@ietfa.amsl.com>; Thu, 30 May 2013 15:08:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.149
X-Spam-Level:
X-Spam-Status: No, score=-102.149 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p6sTpdF5FN5R for <v6ops@ietfa.amsl.com>; Thu, 30 May 2013 15:08:43 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id 9CE8021F92F4 for <v6ops@ietf.org>; Thu, 30 May 2013 15:08:42 -0700 (PDT)
Received: from joels-MacBook-Air.local (host-64-47-153-50.masergy.com [64.47.153.50]) (authenticated bits=0) by nagasaki.bogus.com (8.14.4/8.14.4) with ESMTP id r4UM8dJG041477 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Thu, 30 May 2013 22:08:40 GMT (envelope-from joelja@bogus.com)
Message-ID: <51A7CDE2.7050306@bogus.com>
Date: Thu, 30 May 2013 15:08:34 -0700
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Thunderbird/21.0
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Mark Smith <markzzzsmith@yahoo.com.au>
References: <CAKD1Yr29kf1Me=6JR66Gq0dFYgQx2wq=pjW8WZyHByPA0POsMQ@mail.gmail.com> <1369901467.70362.YahooMailNeo@web142506.mail.bf1.yahoo.com> <51A7C86B.3020808@gmail.com>
In-Reply-To: <51A7C86B.3020808@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (nagasaki.bogus.com [147.28.0.81]); Thu, 30 May 2013 22:08:40 +0000 (UTC)
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>, "draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org" <draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org>
Subject: Re: [v6ops] A good example of why we need to careful about ULAs
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 22:08:44 -0000

On 5/30/13 2:45 PM, Brian E Carpenter wrote:
> On 30/05/2013 20:11, Mark Smith wrote:
>>> ________________________________
>>> From: Lorenzo Colitti <lorenzo@google.com>
>>> To: "v6ops@ietf.org WG" <v6ops@ietf.org>
>>> Cc: "draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org" <draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org>
>>> Sent: Thursday, 30 May 2013 4:41 PM
>>> Subject: [v6ops] A good example of why we need to careful about ULAs
>>>
>>>
>>>
>>> News at 11:
>>>
>>>
>>> 1. ULAs leak.
>>>
>>> 2. People assign ULAs by hand.
>>>
>> In the early news, not really a new problem.
>>
>> RFC1918 and 100.64/10 leak too,
> In traceroutes, link-locals sometimes leak too.
>
> All these are confusing and make the traceroute hard to interpret,
> but they don't actually *matter*. What matters is if they leak in
> actual traffic such as attempted TCP connections. Does that happen?
there's leaking and then there's leaking...

if nobody accepts the route bi-directional leakage is hard... and even 
loose rpf checks will discard traffic from sources like that

real providers on the internet are still accepting 100.100.0.0/24 
<http://bgp.he.net/net/100.100.0.0/24>from as4847  so that's an example 
of the other kind.
>     Brian
>
>>   and what is worse, I've seen people intentionally expose RFC1918s to other networks - the largest carrier here in .au uses RFC1918 addresses for their wholesale ADSL L2TP LACs (from memory, at least 20 to 30, spread across multiple /16s within 172.16/12) and then expect their many wholesale ADSL customers' to just accept those addresses and make them work within their own networks, despite their own, quite legitimate internal use of 172.16/12 (fortunately VRFs/VPNs can be used to isolate that address space from your own). So we can't pretend that RFC1918s have been perfectly used, and therefore ULAs being less private than intended is going to be new problem and experience. At least properly formed ULAs are unlikely to conflict with other network's ones, even if the other network has used fd00::/8, and if the two interconnecting parties have both been lazy and used fd00::/8, they'll both be victims of theirs and the other
>>   party's laziness (which they'll be used to, since they've probably experienced it with RFC1918). They'll probably resort to NPTv6 to fix it, because that is what they're used to, rather than using IPv6's address aging mechanisms to renumber to a properly formed ULA. Good luck to them, as long as it doesn't effect the rest of us.
>>
>>
>>
>>> Yes, both of these a violation of IETF guidance. I don't think that matters much, though - while we can always claim that the implementer/operator is "holding it wrong", we should be careful that what we design/standardize is hard to misconfigure and possibly robust in the face of misconfiguration. Subtle nuances like "these addresses are global scope, but not globally routable" tend to get lost very easily.
>>>
>> I think recommending against ULAs is just going to result in people stealing other address spaces for devices that don't need global reachability - like 2001:db8::/32, or unused global address space (as we saw with 1/8, 5/8 and other IPv4 prefixes).
>>
>> I think global address space comes with and implies a default assumption of global reachability, and you'll therefore have to actively take measures to ensure they don't provide global reachability if you don't want it. Link-locals don't cut it because they're not routable. The need ULAs fulfils is the gap in between global space and link-locals, and the one which RFC1918 generally fulfils in IPv4, except that the likelyhood of address space collision is reduced.
>>
>>> Of course, in the case of ULAs, there's not much that can be done about the design at this point, but we should make an effort to make it clear that the potential for misconfiguration exists and provide clear guidance on how not to misconfigure them.
>>>
>>>
>>> Personally, I think that providing said guidance is much more useful and important than enumerating scenarios that aren't widely, if at all, implemented, and I hope that the authors of draft-ietf-v6ops-ula-usage-recommendations will agree.
>>>
>> So is this draft aiming for BCP status and therefore should only reflect best common practice? If not, I think it is reasonable to present scenarios where ULAs could be useful. We've got a lot of experience with private address spaces from IPv4 (the Deprecating Site Local Addresses RFC3879 is also a pretty complete list of the problems with RFC1918 addresses), so the only real difference is scenarios where concurrent global and private address spaces could be useful. In some cases, they'll just be more capable versions of what we've already doing in IPv4 e.g. private addressed loopbacks on routers, global addresses on the links, in a ULA environment you would add ULAs to the links too, which could make troubleshooting and other OAM less dependent on the global address space.
>>
>> Regards,
>> Mark.
>>
>>> Cheers,
>>> Lorenzo
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Jeroen Massar <jeroen@massar.ch>
>>> Date: Thu, May 30, 2013 at 4:59 AM
>>> Subject: Usage of fd00::/8 on the Interwebz - something with filters and uRPF
>>> To: ipv6-ops@lists.cluenet.de
>>>
>>>
>>> ...
>>>   4  2001:7f8:1::a500:3303:1 (2001:7f8:1::a500:3303:1)  20.755 ms  20.763 ms  20.784 ms
>>>   5  fd00:3303::1 (fd00:3303::1)  22.010 ms  21.984 ms  21.986 ms
>>>   6  2a02:120c:1051:d010::1 (2a02:120c:1051:d010::1)  17.806 ms  17.889 ms  17.842 ms
>>>   7  2a02:120c:1051:d010::1 (2a02:120c:1051:d010::1)  18.720 ms  18.593 ms  18.617 ms
>>> ...
>>>
>>> Hmmmm fd00::/8, that really should never ever be visible on the Internet, being Unique *LOCAL* Addresses.
>>> And it does not look like they applied the randomness bit for picking a prefix either.
>>> You would also almost think that a /28 is more than enough address space to put a few router loopbacks in.
>>>
>>> It is apparently time for people to start checking their filters again because it seems that these packets leak into other ASNs too...
>>>
>>> More generally, do recheck your network for BCP38 compliance, please do apply it and require your peers to do the same!
>>>
>>> Greets,
>>>   Jeroen
>>>
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>>>
>>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email