Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops wg item?
"John Mann (ITS)" <john.mann@monash.edu> Thu, 14 July 2011 00:29 UTC
Return-Path: <john.mann@monash.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F6D911E808D for <v6ops@ietfa.amsl.com>; Wed, 13 Jul 2011 17:29:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.775
X-Spam-Level:
X-Spam-Status: No, score=-4.775 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, J_CHICKENPOX_32=0.6, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ctfc-juCaC7Y for <v6ops@ietfa.amsl.com>; Wed, 13 Jul 2011 17:28:57 -0700 (PDT)
Received: from na3sys009aog120.obsmtp.com (na3sys009aog120.obsmtp.com [74.125.149.140]) by ietfa.amsl.com (Postfix) with ESMTP id F358F21F893C for <v6ops@ietf.org>; Wed, 13 Jul 2011 17:28:56 -0700 (PDT)
Received: from mail-gw0-f44.google.com ([74.125.83.44]) (using TLSv1) by na3sys009aob120.postini.com ([74.125.148.12]) with SMTP ID DSNKTh44SCZnu1aTg8A1QPfSHNG7NwfAmNGt@postini.com; Wed, 13 Jul 2011 17:28:57 PDT
Received: by gwb20 with SMTP id 20so3119538gwb.31 for <v6ops@ietf.org>; Wed, 13 Jul 2011 17:28:55 -0700 (PDT)
Received: by 10.90.76.1 with SMTP id y1mr1869150aga.136.1310603334284; Wed, 13 Jul 2011 17:28:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.118.6 with HTTP; Wed, 13 Jul 2011 17:28:34 -0700 (PDT)
In-Reply-To: <E1829B60731D1740BB7A0626B4FAF0A65C6B37F052@XCH-NW-01V.nw.nos.boeing.com>
References: <E1829B60731D1740BB7A0626B4FAF0A65C6A78B6E1@XCH-NW-01V.nw.nos.boeing.com> <31BCF9EC-7A49-4C5B-B62A-CAECF66F23F1@bogus.com> <E1829B60731D1740BB7A0626B4FAF0A65C6A8F723F@XCH-NW-01V.nw.nos.boeing.com> <E1829B60731D1740BB7A0626B4FAF0A65C6B30E217@XCH-NW-01V.nw.nos.boeing.com> <CA+OBy1PHzy6Ww_LUeY_kk-JU-g3etOcXTHA6wLrr-jWjBiZmaA@mail.gmail.com> <E1829B60731D1740BB7A0626B4FAF0A65C6B37F052@XCH-NW-01V.nw.nos.boeing.com>
From: "John Mann (ITS)" <john.mann@monash.edu>
Date: Thu, 14 Jul 2011 10:28:34 +1000
Message-ID: <CA+OBy1Mo+hqaVMWzKYWNaUt8pDDVVZ=ftj_s54ez749h6bLWmA@mail.gmail.com>
To: v6ops@ietf.org
Content-Type: multipart/alternative; boundary="00163630edcd2e751304a7fc9ee6"
Subject: Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops wg item?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2011 00:29:03 -0000
v6ops people, Fred and I have done round of review off-list. This is my reply to that .. On 14 July 2011 02:53, Templin, Fred L <Fred.L.Templin@boeing.com> wrote: > ** > Hi John, > > Thanks again for the comments, and see below for proposed > resolutions: > > ------------------------------ > *From:* John Mann (ITS) [mailto:john.mann@monash.edu] > *Sent:* Tuesday, July 05, 2011 11:24 PM > *To:* Templin, Fred L > > *Subject:* Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops wg item? > > Fred, > > The per-page heading is "Routing Loop Attack". > > Good catch. I will change this to "ISATAP Operational Guidance". > > > 1. Introduction > > s/RANGERS/RANGER/ > > > There are actually two documents - RANGER is [RFC5720] and RANGERS > is [RFC6139]. I was meaning to cite the latter. > > > 2. Enabling IPv6 Services using ISATAP > > "Many existing sites within the Internet predominantly use IPv4-based > services for their internal networking needs, but there is a growing > requirement for enabling IPv6 services to support communications with > IPv6-only correspondents." > > This sentence is a a re-hash of the last paragraph of section 1. > Perhaps it can be removed ?? > > > Good point, but I'd still like a lead-in sentence to that paragraph so > how would it be if I simply replaced that sentence with the following: > > "Existing IPv4 sites within the Internet will soon need to enable > IPv6 services." > Fine. > > "Smaller sites that wish to enable IPv6 > typically arrange to obtain public IPv6 prefixes from an Internet > Service Provider (ISP), where the prefixes may be either purely > native, the near-native prefixes offered by 6rd [RFC5969] or the > transitional prefixes offered by 6to4 [RFC3056][RFC3068]. " > > I would split this into > Smaller sites that wish to enable IPv6 > can arrange to obtain public IPv6 prefixes from an Internet > Service Provider (ISP), where the prefixes may be either purely > native, or the near-native prefixes offered by 6rd [RFC5969]. > Or use an ISP-independant method like > transitional prefixes offered by 6to4 [RFC3056][RFC3068], > or prefixes from a tunnel-broker [ref?]. > > > Good point, although I think perhaps a bit more should be said about > 6to4. Rephrasing slightly, see if this sounds OK: > > "Smaller sites that wish to enable IPv6 can arrange to obtain public IPv6 > prefixes from an Internet Service Provider (ISP), where the prefixes may > be either purely native or the near-native prefixes offered by 6rd > [RFC5969]. > Alternatively, the site can obtain prefixes independently of an ISP e.g., > via > a tunnel broker [RFC3053], by using one of its public IPv4 addresses to > form a 6to4 prefix [RFC3056][RFC3068], etc." > Please add something like Note that 6to4 is not recommended for new implementations [draft-ietf-v6ops-6to4-to-historic or draft-moore-6to4-experimental ], and should be implemented with care [ draft-ietf-v6ops-6to4-advisory or RFC-new ]. > "Advertising ISATAP > routers configure their site-facing ISATAP interfaces as advertising > router interfaces " > > "site-facing" isn't defined. How many interfaces each router has is not > defined. > > => Each advertising ISATAP router configures an site-internal interface > as an ISATAP advertising router interface. > > "ISATAP hosts > configure their site-facing ISATAP interfaces as simple host > interfaces and ..." > > "site-facing"? how many interfaces? > > => Each ISATAP host configures an interface as a simple ISATAP host > interface and ... > > > I get your point, and I think perhaps a bit more work is needed here. > Any node (host or router) can have any number of ISATAP interfaces > connected to any number of sites. The host may be an advertising > ISATAP router on some sites, a non-advertising ISATAP router on > other sites, and a simple ISATAP host on other sites. Each such > "personality" of the node would be represented by a distinct ISATAP > interface. With that in mind, here is a proposed rewrite of the paragraph: > > "The ISATAP service is based on two node types known as > advertising ISATAP routers and simple ISATAP hosts. (A third node > type known as non-advertising ISATAP routers is defined in > [draft-templin-isupdate] but out of scope for this document.) Each node > may further have multiple ISATAP interfaces (i.e., one interface for > each > site), and may act as an advertising ISATAP router on some of those > interfaces and a simple ISATAP host on others. Hence, the node type > is considered on a per-interface basis. > > Advertising ISATAP routers configure their ISATAP interfaces as > advertising router interfaces (see: [RFC4861], Section 6.2.2). ISATAP > hosts configure their ISATAP interfaces as simple host interfaces and > also coordinate their autoconfiguration operations with advertising > ISATAP > routers. In this sense, advertising ISATAP routers are "servers" while > ISATAP hosts are "clients" in the service model." > I am a little bit confused here about the possibility that a host may be connected to a number of sites. For the purposes of this document, is it useful to simplify the model a little: | *IPv4 view* | *ISATAP view* | *Connectivity* | *Multi-site* | | host | ISATAP host | connected to one ISATAP subnet | No | | gateway | advertising ISATAP router | can connect to multiple ISATAP subnets | Possible | [ I know, I have introduced a new term "gateway" ] > 3.3. Reference Operational Scenario - Shared Prefix Model > > I think this could be _slightly_ improved by being a bit more explicit when > packets are encapsulated, > and whether they are sent to a host/routers IPv4 or IPv6 address. > > > I like the idea of being more explicit. In your proposed text below, > however, would you mind if I omitted the "IPv6-in-IPv4" and just > used the word "encapsulated". Reason being is that, since we > are talking about ISATAP, IPv6-in-IPv4 is already assumed. > > > "Assuming 'A' is closest, 'C' receives an > _IPv6-in-IPv4 encapsulated_ > RA from 'A' then configures a default > IPv6 route with next-hop address fe80::5efe:192.0.2.1 via the ISATAP > interface and processes the IPv6 prefix 2001:db8::/64 advertised in > the PIO. " > > " 'D' next performs an > _IPv6-in-IPv4 encapsulated_ > anycast RS/RA exchange that is serviced by 'B', " > > "If the site is not partitioned internally, the > router that receives the packet can use ISATAP to statelessly forward > the packet directly to 'C' _using IPv6-in-IPv4 encapsulation_. > > Yes, IPv6-in-IPv4 should be clear in context. > === > Otherwise, excellent stuff. > > > Thanks, and I hope this work may be useful to you and others. > > > I have installed, but not gone live with a slightly different model. > I don't know if it is interesting enough to be included in the draft ... > > Large enterprise network, mostly IPv6 dual-stack, but not on wireless. > Staff wireless --> one /64 ISATAP subnet > Student wireless --> different ISATAP subnet > Staff and student wireless aren't geographically separate, so I can't split > PRL by site. > One pair of ISATAP gateways for staff advertise anycast 130.194.29.255/32 > One pair of ISATAP gateways for students advertise anycast > 130.194.29.254/32 > PRL contains 130.194.29.255 and 130.194.29.254 > > Separation managed by ACL inbound on ISATAP interface including > ... > permit ipv6 FE80::200:5EFE:317F:0/112 any > deny ipv6 FE80::200:5EFE:0:0/96 any > deny ipv6 FE80::5EFE:0:0/96 any > ... > i.e. permit encapsulated RS's from ISATAP-mapped 49.127/16 but not from > other IPv4 address ranges > > > I like this method for logically partitioning an ISATAP link that is not > physically partitioned. A similar method is covered in the third > paragraph of Section 3.5, but your description augments what is > already there. Please check the following to see if this looks like > a worthwhile augmentation of that paragraph: > > "When individual prefixes are used, site administrators can configure > advertising ISATAP routers to advertise different individual prefixes > to > different sets of clients, e.g., based on the client's IPv4 subnet > prefix. > (For example, administrators can configure each advertising ISATAP > router to provide services to some sets of ISATAP clients but not > others through inbound IPv6 Access Control List (ACL) entries that > discard encapsulated messages with certain ISATAP source addresses > based on the embedded IPv4 subnet prefix). When a shared prefix is > used, the site administrator could instead configure the ISATAP routers > to advertise the shared prefix to all clients." > Fine, except for the last sentence. s/could/would/ ?? If a shared prefix is used, when would that shared prefix _not_ be advertised to all clients. > > John > > > Thanks again for all of your great suggestions. Please let me know > if this adequately addresses everything. > > Fred > fred.l.templin@boeing.com > === New I see that loop avoidance gets mentioned in sections 3.6 and 10. How about more-generic address checking? An ISATAP router SHOULD check all incoming encapsulated addresses to make sure that the embedded IPv6 source address is valid -- link-local or global within the range of IPv4-mapped addresses for that subnet. An ISATAP router SHOULD check all IPv6 packets to be encapsulated to make sure that the IPv6 destination address is valid -- link-local or global within the range of IPv4-mapped addresses for that subnet, or multicast. For SLAAC-assigned addresses in the shared prefix model above providing services to 192.0.2.0/24, the valid addresses would be fe80::5efe: 192.0.2.0/120 and 2001:db8::5efe:192.0.2.0/120 . However, if Global IPv4 addresses are used, the ISATAP prefix is 0200:5efe:: rather than 0000:5efe:: see http://tools.ietf.org/html/rfc5214#section-6.1 Is 192.0.2.0/24 an example "global" or "private" address? http://tools.ietf.org/html/rfc3330 doesn't say. This question impacts the examples in this Draft, and elsewhere such as http://tools.ietf.org/html/draft-ietf-v6ops-tunnel-loops-07#section-3.2.4.5 The "wisdom of crowds" is divided on this: Google search for "isatap fe80::200:5efe:C000" == 243 hits Google search for "isatap fe80::5ef5:C000" == 571 hits My Cisco router seems to do the local/global bit wrong [ "????" and "####" == address obfuscation. ] --- Interface Tunnel9 ipv6 address 2001:388:608C:????::/64 eui-64 tunnel mode ipv6ip isatap ... Tunnel9 is up, line protocol is up Global unicast address(es): 2001:388:608C:????:0:5EFE:82C2:####, subnet is 2001:388:608C:????::/64 [EUI] --- The 82C2:#### mapped IPv4 address is 130.194.0.0/16 which is definitely globally valid. John > > On 2 July 2011 08:54, Templin, Fred L <Fred.L.Templin@boeing.com> wrote: > >> ** >> Hi Joel, >> >> Me again. There have have been others who have also expressed >> concerns about DHCPv6 and other "undocumented features" on >> ISATAP links, so I decided to split the document into two pieces. >> >> The new piece is now called: "ISATAP Updates" and I guess might >> be more appropriate for some other working group. The other piece >> retains the original name and is strictly about operational >> aspects >> of widely-deployed implementations: >> >> http://www.ietf.org/internet-drafts/draft-templin-v6ops-isops-12.txt >> What should we do next - ask the wg for comments? >> >> Thanks - Fred >> >> ------------------------------ >> *From:* v6ops-bounces@ietf.org [mailto:v6ops-bounces@ietf.org] *On >> Behalf Of *Templin, Fred L >> *Sent:* Wednesday, June 22, 2011 8:13 AM >> *To:* Joel Jaeggli >> *Cc:* v6ops@ietf.org >> *Subject:* Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops wg item? >> >> Hi Joel, >> >> Thanks for your comments, and see below for responses: >> >> ------------------------------ >> *From:* Joel Jaeggli [mailto:joelja@bogus.com] >> *Sent:* Friday, June 17, 2011 12:50 PM >> *To:* Templin, Fred L >> *Cc:* v6ops@ietf.org >> *Subject:* Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops wg item? >> >> On Jun 3, 2011, at 8:13 AM, Templin, Fred L wrote: >> >> Hello, >> >> Significant improvements have been made to this document >> (below) based on comments received and new observations. >> IMHO, this is an important document for enabling transition >> to IPv6 within IPv4 sites; hence, I would like to call for >> working group adoption at this time. >> >> Thanks - Fred >> fred.l.templin@boeing.com >> >> >> Replying to this message as a way to maintain the threading. these notes >> are relative to the current version of the draft which I reviewed last week: >> >> http://tools.ietf.org/html/draft-templin-v6ops-isops-10 >> >> So I tried for a while to separate the operational advice that could be >> applied to my 2005 era knowledge of isatap and there's quite a few things >> that jive with that (tunnel loops for example). >> >> OK. >> >> In other cases such isatap dhcpv6 (4.5) I'm a bit-off in the weeds, what >> implementations are capable of doing that? Are we recommending that they do >> it? do they already? >> >> I can't speak for current implementations, but the DHCPv6 approach is >> based on the fact that address and prefix assignment on IPv6 interfaces >> are seperable functions. IPv6 prefixes assigned to ISATAP interfaces can >> only be used for autoconfiguration of ISATAP addresses and not ordinary >> IPv6 addresses. However, an ordinary IPv6 address can be assigned to >> an ISATAP interface the same as for any other IPv6 interface as long as >> it is not covered by a prefix assigned to the interface. >> >> Regarding aero (section 4.6) that looks pretty much like new work or an >> extension to the specification. >> >> AERO is a new but backwards-compatible method of doing redirection >> of an on-link neighbor to another on-link neighbor. However, ISATAP >> interfaces can still use standards ICMPv6 Redirect messages the same >> as for any IPv6 interface. Advertising ISATAP routers should only send >> ICMPv6 redirects when they are certain that the redirected ISATAP node >> can tunnel packets directly to the target of the redirect, however. >> Perhaps >> a few more words saying explicitly that standards ICMPv6 redirects are >> still supported would help? >> >> Are there participants with extant isatap deployements or host >> implementations or knowledge fresher than mine that would care to comment on >> this draft. >> >> >> There are certainly vendors who are shipping ISATAP in their products >> today. Perhaps they can comment. >> >> section 9 alternative approaches, there's some consensus that rfc 3056 was >> never really deployed so the reference to 6to4 should probably be to 3068 >> >> >> >> OK - I can fix this. >> >> Thanks - Fred >> fred.l.templin@boeing.com >> >> >> _______________________________________________ >> v6ops mailing list >> v6ops@ietf.org >> https://www.ietf.org/mailman/listinfo/v6ops >> >> >
- [v6ops] 'draft-templin-v6ops-isops' as v6ops wg i… Templin, Fred L
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … Joel Jaeggli
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … Templin, Fred L
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … Templin, Fred L
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … Templin, Fred L
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … Joel Jaeggli
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … Dmitry Anipko
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … John Mann (ITS)
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … Joel Jaeggli
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … John Mann (ITS)
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … John Mann (ITS)
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … Templin, Fred L
- Re: [v6ops] 'draft-templin-v6ops-isops' as v6ops … Templin, Fred L