IETF Logo Mail Archive

Re: [v6ops] ULA precedence [Thoughts about wider operational input]

Mark Andrews <marka@isc.org> Fri, 06 May 2022 03:00 UTC

Return-Path: <marka@isc.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAC74C15952A; Thu, 5 May 2022 20:00:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=IiejYYnQ; dkim=pass (1024-bit key) header.d=isc.org header.b=RJUW7GiO
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVVGpM_fCRHq; Thu, 5 May 2022 19:59:59 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 388B7C157B4D; Thu, 5 May 2022 19:59:58 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id B3EA33AB008; Fri, 6 May 2022 02:59:57 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org B3EA33AB008
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.1.12
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1651805997; cv=none; b=my3pTprkJpubSqtlo8LQsToou8LRhIYYe98hFrn8ORoL2VEY37r+bjh1FBdWjRbRZcVzDVy9uUK02jDpTqCY9GUf4MmSavIASFWU7mReZJmXYXmNZHBu3CzcENJfCwEKYjde6YlWKDCM8cwBlyaWQ9ufT1V1mDb3iLj2sWAardw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1651805997; c=relaxed/relaxed; bh=BhGXrsY2WFpUFjT64jpH938NEwdUB9y4E6MmDcDa5wM=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=SqoUDqPbsHRysjakVFRb/ZX5VWgWaZjGtis7FQ741zWewViT6gcq6xTaeiNYG4lV9NbqwmrWCFDWuDvGkvpe5cV1ur+zQal+J8hRhNnl2iWJV//df2HAw6P+vnNy3QuvdnE4S8Ro34JcyN0bukxn7vi4GbK03LKo7ZNk70KXZMI=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org B3EA33AB008
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1651805997; bh=w9Rm1wxol+mdx51Eq8TYnWJkDCtqNCL/PMdNGaaJH/o=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=IiejYYnQgrfBebNnVNVzuy7KViWjpcpCeDyUzqDBIO/Fy10RV6TBMkc0SrPllgaNL 0p7UVPQZtCx6wLKHZNNAX38CMhSd+WZNr225Wn7jWjWlXT4eQiPmudt1z7COZWKruD DunbPOO5m6k8BKyh6lhFnEo3MgoBCR2w8z7nuQck=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id A9A7398800E; Fri, 6 May 2022 02:59:57 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 7A85598801F; Fri, 6 May 2022 02:59:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 7A85598801F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1651805997; bh=BhGXrsY2WFpUFjT64jpH938NEwdUB9y4E6MmDcDa5wM=; h=Mime-Version:From:Date:Message-Id:To; b=RJUW7GiOl4pORaKDVQFm6ArY5WhlbfqZTHk+I2Xlv1WkGPKY85tb8aOMM+qIA2ykF HwDpbH9CJvk2F7MDjMqg+uDiKsC6fmQ2azJiL7fy3gjSwSGJqaKyup2mu/eZkqWTp1 9JhIeElES/CnHJmiUyItkGgMmXgUoDZf3YLOV7vM=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id kPQ9tN3_6g98; Fri, 6 May 2022 02:59:57 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id 251CD98800E; Fri, 6 May 2022 02:59:55 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAE=N4xdwvMPbUwOk6N=5quU+Bhc84u8F2Ep+bNOqE+A9_hAGcg@mail.gmail.com>
Date: Fri, 06 May 2022 12:59:52 +1000
Cc: Fred Baker <fredbaker.ietf@gmail.com>, Erik Auerswald <auerswald@fg-networking.de>, v6ops list <v6ops@ietf.org>, 6man list <ipv6@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A767DA83-C5A2-4DBE-91FB-0CF507D041BF@isc.org>
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <20220425100310.GF67548@fg-networking.de> <CAPt1N1=XedJ7tY9pKDS3LvDMak6iPsK9fA=oF7Z0KkmGcA6-_A@mail.gmail.com> <CAO42Z2ydhe3hVOqSaN814hYh3oF3yG_du+gRkg6yD5haCqDnLQ@mail.gmail.com> <CAPt1N1=YdnZ_N+47v4A_EM70TobSt1sw5tcmBfQJEP5Y1zCwMg@mail.gmail.com> <CAO42Z2xyx2MpCCYQoXA9izRM7Xk42+Z-1OnL2PuzgsGfw1SFiw@mail.gmail.com> <20220428075001.GA86458@fg-networking.de> <3499CB52-0873-4DF5-A923-62BF91AA6FAB@gmail.com> <CAE=N4xcci50tOhtdxYVevcEFh4y8_CyF8qd0dRsXvpAKoX4yZQ@mail.gmail.com> <48435B34-A6F0-45B6-AA28-CB1E9E61EA6D@gmail.com> <CAE=N4xdwvMPbUwOk6N=5quU+Bhc84u8F2Ep+bNOqE+A9_hAGcg@mail.gmail.com>
To: Ed Horley <ed@hexabuild.io>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/xZXXHnQpKMn8vUOhua60nDY3Gho>
Subject: Re: [v6ops] ULA precedence [Thoughts about wider operational input]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 May 2022 03:00:03 -0000


> On 6 May 2022, at 09:56, Ed Horley <ed@hexabuild.io> wrote:
> 
> 
> On Thu, May 5, 2022 at 4:45 PM Fred Baker <fredbaker.ietf@gmail.com> wrote:
> 
> 
> > On May 4, 2022, at 11:02 AM, Ed Horley <ed@hexabuild.io> wrote:
> > 
> > Just for clarification - when you say "same prefix" for ULA - are you assuming in the same /48? Or do you mean within all of ULA (fc00::/7 or the useable fd00::/8)?
> 
> You might look at section 3 of RFC 4193, and specifically at the global ID mentioned in section 3.2. I'm looking at the first 48 bits of the address and calling it a routing prefix. Let me put the question back to you: starting from RFC 4193, what other prefix would be under consideration, and why would it be under consideration?
> 
> Yes, I am familiar with section 3.2 - my question is because several on this mailing list in the past have said to ignore the stated pseudo-random requirement in that section and not to follow this section which states "Specifically, these prefixes are not designed to aggregate." Obviously, if you don't follow that then the question comes back to are we still assuming a /48? Or do we mean something different when we say "same prefix"? Is that defaulting to just the overall ULA prefix itself because people are designing networks starting at fd01::/32, fd02::/32, fd03::/32... fdff::/32, etc. which I completely understand is not how 4193 says to do it, but it is happening, so we need to be thinking about it perhaps? Just curious if anyone else is seeing this behavior with their customers at all?

You can still do pseudo random and have a contiguous block. Instead of /48 you select the prefix the same way using a random number to fill in the prefix bits but use /47, /46 etc. to get your contiguous block of /48 sites.  It still has similar collision resistant properties over the combined number of sites.  You can even start with a /48 and if you need a second site or exceed the capacity of the /48 with subnets then add the neighbouring site from the /47 if you are really worried about distributing multiple internal prefixes.  Repeat as you grow.  The automatic /48 will still help with keeping traffic local to the site.

As for people using fd01::/48 then fd02::/48 etc. well they are asking for trouble if addresses / packets leak or if there are merges.  The automatic entry would be for the /48 prefix.  If their router is doing site boundaries correctly then the fd01::/64 subnet is in a different site to the fd02::/64 subnet and communication between them should be blocked by default however this may not happen.  The router should however still see this configuration as having N connected /48 sites and if it is distributing routes they are for the /48 in use.  If the administrator adds a single covering prefix to the table manually or via a distribution mechanism then they loose the protection provided by the default table from leaked addresses.  Lets hope the router is sending administrative prohibited ICMPv6 message and that they are not be blocked.

Even using fd00:0000:0000:0000::/64 then fd00:0000:0000:0001::/64 etc, would be less problematic than fd01:: and fd02:: and just as easy to remember but still not a good idea.  

For the record whenever someone has suggested using those prefixes someone else says not too.  Just choose a random prefix.  Toss the coin 40 times (heads=1, tails=0).  It’s not quite as memorable but it avoids future problems.  If you do end up with a collision when merging companies you can alway choose new prefixes and re-number into them independently.

> -- 
> Ed Horley
> ed@hexabuild.io | (925) 876-6604
> Advancing Cloud, IoT, and Security with IPv6
> https://hexabuild.io
> And check out the IPv6 Buzz Podcast at https://packetpushers.net/series/ipv6-buzz/
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email