IETF Logo Mail Archive

Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]

Nick Buraglio <buraglio@es.net> Tue, 26 April 2022 00:48 UTC

Return-Path: <buraglio@es.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 647DFC18D82A for <v6ops@ietfa.amsl.com>; Mon, 25 Apr 2022 17:48:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=es.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CG5rajo0okB4 for <v6ops@ietfa.amsl.com>; Mon, 25 Apr 2022 17:48:29 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F9F9C1D5AAA for <v6ops@ietf.org>; Mon, 25 Apr 2022 17:48:25 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id v1so16551954ljv.3 for <v6ops@ietf.org>; Mon, 25 Apr 2022 17:48:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.net; s=esnet-google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=PFQ8EXrxI2fOhbe5191qW0UScEgcQjD8o28/RZLN9lE=; b=GzCh7eDK92et5iyRO5aL3JJ4q96nLWRZQUtWqZwPllTofn5UBn1CwFlJ71nbLha5X/ 0elEFmHlT2fyIaHRwcLthvZnWbS17wqX2w4IHuZObT0slYhnmSi0uNhxaZ0oZMn8d+Le 1Q8h4gPXHO5GyWniGPoA8LV25B7G1tjnMG60ThDm8nHXHhK6aail5XkgEddMlQFn/LlH E9Ht3JpC7SAoZZHei2+OItrI0EaFdTpL+rqmLDhd1ILN91iKhX6+80sTs7AARaloecMX F5FeSt4C9cSSumXTJMOegg5CtjTpb2y2PRgs8EmZUwglmEjP477pB7obNGNR6xyulD81 d59g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=PFQ8EXrxI2fOhbe5191qW0UScEgcQjD8o28/RZLN9lE=; b=mBMSW9+VzRsC7UZAWcwTeXcZIpAaV2RRuD1FUZ0YufYLcMQCgkMTHKeJIECgr9DLJw j2hHirtKi/Q7UpYKsOhRTAetmFXPSs+vlaSfIBbHp6FQTWA5pcBbnYrtLG/rVHjx+m/4 NM0J14Rc3/8sSZVmJTO1++FGuoa2xp+TClvKTYopKME4QoyQ/JDf3KoqFM33Hwl7BarG XIbSYFxeYg9JYk4mS1qX4lNeQ7oOIU5wZSj925bvqbmZKU/D1C3Kg38bH1XxwqzX7RdB TX+XrAqrkEZ9Ssxp/hnyP3iQdryzw3ufPfA3n6dx8Ide0tuzTQKvAve/VONjXWn25I4A VODw==
X-Gm-Message-State: AOAM5330/PTEaRUnppd0Uxu1WJ3rRvpM4VydnqzX9C2iJNvrDQbWjkfg oDwvu7xix2QGGZU6Tz+3MNNEMTbFkH3xMynskKlO+JZwRvMs9I4mGOPDD/X11/4r6rWULVHMkB5 UiL8hWRXQ+coZsGhAjTMTdVq1Drfx0ftddtCYM/7pSCeKYM+CqRxPZQhPsxbCL/PeHcXLcmjTzN Ekq9Tc
X-Google-Smtp-Source: ABdhPJz5B0F4RwOMrxNSwJIPcyKLW6vd1X8drSr5EAgsM98brDJfqx7b2DAdcOxbdGVzvS6ZTqcnCs2Q+77Qj8EHYRE=
X-Received: by 2002:a2e:bf08:0:b0:247:f79c:5794 with SMTP id c8-20020a2ebf08000000b00247f79c5794mr12513272ljr.398.1650934102731; Mon, 25 Apr 2022 17:48:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAM5+tA8WvjvWirxqE6kQ9LQAG0NcpWyCLGVooB=G7gZ9ETb2zQ@mail.gmail.com> <20220424172743.GA218999@fg-networking.de> <CAKD1Yr1v0Tkh+pWD-ts=PL3gZf7Qj6OHW6Cuvj8iGcSSMibjew@mail.gmail.com> <0afe25f5-52b7-a438-0696-cf8b0a83c2dc@gmail.com> <BN8PR07MB70760D9693580F5BDCB61DD995F89@BN8PR07MB7076.namprd07.prod.outlook.com> <CAKD1Yr3Z9wGQ+uiA2WcW00MrOiLyHs+bSoFjHVtrixCi2qp4DA@mail.gmail.com> <BN8PR07MB7076A6456CAB48EF428D6E8695F89@BN8PR07MB7076.namprd07.prod.outlook.com> <65d0d9ac-77fc-c200-09e3-0c3949ca1541@gmail.com> <CAN-Dau2FS99ewfgH8xk-jSJFCnO92CJV9ZC98DUE2UDR7V1Eww@mail.gmail.com> <CANMZLAYbpZBDA8uFnJqfWfWTQ4S9RN4a-DqWe36qzfAfDtXiQA@mail.gmail.com> <CAN-Dau0BjRR2_7xz38DpJsz0Y=Z_8bV5n-=Eh1QUVEDzqVxmaA@mail.gmail.com>
In-Reply-To: <CAN-Dau0BjRR2_7xz38DpJsz0Y=Z_8bV5n-=Eh1QUVEDzqVxmaA@mail.gmail.com>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Mon, 25 Apr 2022 19:48:11 -0500
Message-ID: <CAM5+tA-YPT-r5YrHEQ-gZ6U7cQLo3s4y7n1DOrsS_s_xD8PzFw@mail.gmail.com>
To: David Farmer <farmer=40umn.edu@dmarc.ietf.org>
Cc: 6man list <ipv6@ietf.org>, Brian Carpenter <brian.e.carpenter@gmail.com>, Erik Auerswald <auerswald@fg-networking.de>, Ted Lemon <elemon@apple.com>, v6ops list <v6ops@ietf.org>
Content-Type: multipart/related; boundary="000000000000be34b305dd840cb7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/zby7Z6DmvaICMysk1XXvuq8P3yQ>
Subject: Re: [v6ops] Vicious circle [ULA precedence [Thoughts about wider operational input]]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2022 00:48:33 -0000

My experience is pretty dated from my prior job, so take this with that
caveat, but my understanding of PCI-DSS is that the “functional
requirements” are highly interpretable and almost wholly up to the auditor
discretion.
For example, In the environment I was in the auditor deemed that VLAN
ragged segregation was insufficient and that he required us to use a VRF.
This was non-negotiable from the answers to my inquiry.
I was told that Campuses almost exactly like ours with similar architecture
but different auditors used VLANs just fine. We were also required to have
an IPS when a passive IDS would have been completely sufficient.

Compliance doesn’t generally care about technology implementation, just
risk mitigation.

On Mon, Apr 25, 2022 at 19:38 David Farmer <farmer=40umn.edu@dmarc.ietf.org>
wrote:

> I’ve asked that too and have never received an answer, I always get
> pointed requirement 1.3.7, that is it.
>
> Sorry, I can’t be more helpful.
>
> On Mon, Apr 25, 2022 at 18:58 Brian Carpenter <brian.e.carpenter@gmail.com>
> wrote:
>
>> No, I explicitly don't want to look at audit rules. I want someone who
>> understands them to explain what the functional requirements are. NAT is
>> not a functional requirement.
>>
>> Regards,
>>     Brian Carpenter
>>     (via tiny screen & keyboard)
>>
>> On Tue, 26 Apr 2022, 11:06 David Farmer, <farmer@umn.edu> wrote:
>>
>>> You want to look at PCI DSS 3.2 requirement 1.3.7.
>>> [image: image.png]
>>>
>>> Compensating controls is an option, but auditors have to sign off on
>>> them, and the whole process is about minimizing exceptions and getting a
>>> clean audit. IT isn't in charge of this, finance people are, it's not
>>> technical, it's all about the money, and numbers with 7 or 8 significant
>>> digits or more.
>>>
>>> I've been on that the merry-go-round several times, I believe in IPv6
>>> E2E, but if anyone asks me just do NPTv6 or NAT66, whatever the
>>> auditor wants you to do.
>>>
>>> Have fun on the merry-go-round, I'll pass.
>>>
>>> Thanks
>>>
>>> On Mon, Apr 25, 2022 at 5:32 PM Brian E Carpenter <
>>> brian.e.carpenter@gmail.com> wrote:
>>>
>>>> Kevin,
>>>>
>>>> > Auditing frameworks and auditors are just not ready for IPv6 and
>>>> without migration strategies like NAT, they'll have no reason to be because
>>>> IPv4 will continue to dominate.
>>>>
>>>> You're describing a vicious circle, and the question is how can we
>>>> break it?
>>>>
>>>> Advocating NPTv6 might achieve that, but many of us dislike that
>>>> strategy.
>>>>
>>>> Can you explain what are the technical requirements in PCI-DSS land
>>>> that have been interpreted as requiring NAT44? Is it time for RFC4864bis,
>>>> because this is exactly what we were aiming at with that RFC?
>>>>
>>>> Regards
>>>>     Brian Carpenter
>>>>
>>>> On 25-Apr-22 17:34, Kevin Myers wrote:
>>>> > This misses the problem entirely though.
>>>> >
>>>> > It's not a choice to reconsider, these are regulatory requirements.
>>>> The
>>>> fact that a handful of enterprises have deployed IPv6 doesn't move the
>>>> needle on compliance for the vast majority of them.
>>>> >
>>>> > No retail enterprise is going to choose IPv6 without NAT internally
>>>> if it means not being permitted to use credit cards because of a failed
>>>> PCI-DSS audit.
>>>> >
>>>> > Auditing frameworks and auditors are just not ready for IPv6 and
>>>> without migration strategies like NAT, they'll have no reason to be because
>>>> IPv4 will continue to dominate.
>>>> >
>>>> >
>>>> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>>> > *From:* Lorenzo Colitti <lorenzo@google.com>
>>>> > *Sent:* Sunday, April 24, 2022, 11:27 PM
>>>> > *To:* Kevin Myers <kevin.myers@iparchitechs.com>
>>>> > *Cc:* Brian E Carpenter <brian.e.carpenter@gmail.com>; Erik
>>>> Auerswald <auerswald@fg-networking.de>; Ted Lemon <elemon@apple.com>;
>>>> v6ops list <v6ops@ietf.org>; 6man list <ipv6@ietf.org>
>>>> > *Subject:* Re: [v6ops] ULA precedence [Thoughts about wider
>>>> operational
>>>> input]
>>>> >
>>>> > There are several fortune 500 companies that have publicly stated
>>>> that they have deployed IPv6 with global addressing, so that's definitely
>>>> possible.
>>>> >
>>>> > As for "is it better to deploy IPv6 with NAT66 or not to deploy at
>>>> all", I would guess it depends who you ask. My personal answer would be no.
>>>> It's possible that when faced with app and OS incompatibilities, those
>>>> enterprises might reconsider. Or they might pick the same technical
>>>> solutions as the enterprises that have already deployed with global
>>>> addresses.
>>>> >
>>>> > On Mon, Apr 25, 2022 at 12:42 PM Kevin Myers <
>>>> kevin.myers@iparchitechs.com <mailto:kevin.myers@iparchitechs.com>>
>>>> wrote:
>>>> >
>>>> >     IPv6 NAT is already being deployed in large enterprises for the
>>>> few
>>>> that want to tackle IPv6. Vendor implementations exist, so that ship
>>>> has sailed regardless of where the IETF lands.
>>>> >
>>>> >     Most of the Fortune 500 fall under regulatory compliance of one
>>>> body or another (PCI-DSS, FIPS, HIPAA, etc) and none of them are setup well
>>>> for an IPv6 no-NAT world. Most of the discussion I see around enterprise
>>>> adoption on the IETF lists misses this point. It matters very little
>>>> whether NAT is a "good" or "bad" practice when it comes to selecting an
>>>> operational model. Enterprises choose operational models that will pass
>>>> audits
>>>> and the overwhelming majority rely heavily on NAT.  We can make the
>>>> argument that compliance bodies and auditors should update their guidance
>>>> and standards and they absolutely should, but it will probably take
>>>> close
>>>> to a decade to change the regulatory compliance auditing landscape to
>>>> the
>>>> point that IPv6 without NAT is commonplace.
>>>> >
>>>> >     If auditors won't sign off on end to end GUA addressing, then NAT
>>>> is going to remain.
>>>> >
>>>> >     Enterprises are more than willing to punt IPv6 for another decade
>>>> and will likely have no issues in doing so given how little IPv4 space most
>>>> of them need compared to service providers. Even when IPv6 becomes the
>>>> predominant transport type for an Internet handoff everywhere, it will
>>>> still just live in the underlay while IPv4 remains the predominant choice
>>>> in the overlay, in apps,  and internally in the DC for enterprises.
>>>> >
>>>> >     At what point does it become more important to have IPv6
>>>> implemented, than to have it "perfectly" implemented?
>>>> >
>>>> >     Kevin Myers
>>>> >     Sr. Network Architect
>>>> >     IP ArchiTechs
>>>> >
>>>> >     -----Original Message-----
>>>> >     From: v6ops <v6ops-bounces@ietf.org <mailto:
>>>> v6ops-bounces@ietf.org>> On Behalf Of Brian E Carpenter
>>>> >     Sent: Sunday, April 24, 2022 9:48 PM
>>>> >     To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org <mailto:
>>>> 40google.com@dmarc.ietf.org>>; Erik Auerswald <
>>>> auerswald@fg-networking.de
>>>> <mailto:auerswald@fg-networking.de>>; Ted Lemon <elemon@apple.com
>>>> <mailto:elemon@apple.com>>
>>>> >     Cc: v6ops list <v6ops@ietf.org <mailto:v6ops@ietf.org>>; 6man
>>>> list <ipv6@ietf.org <mailto:ipv6@ietf.org>>
>>>> >     Subject: Re: [v6ops] ULA precedence [Thoughts about wider
>>>> operational input]
>>>> >
>>>> >     On 25-Apr-22 12:16, Lorenzo Colitti wrote:
>>>> >      > On Mon, Apr 25, 2022 at 2:28 AM Erik Auerswald <
>>>> auerswald@fg-networking.de <mailto:auerswald@fg-networking.de> <mailto:
>>>> auerswald@fg-networking.de <mailto:auerswald@fg-networking.de>>> wrote:
>>>> >      >
>>>> >      >       "Since ULAs are defined to have a /48 site prefix, an
>>>> implementation
>>>> >      >        might choose to add such a row automatically on a
>>>> machine with
>>>> >      >        a ULA."
>>>> >      >
>>>> >      >     The result is that only the local ULA prefix,
>>>> i.e., exactly the
>>>> >      >     local IPv6 addresses, are preferred over IPv4
>>>> (and IPv6 GUA).
>>>> >      >     This should be exactly what is needed to use ULA addresses
>>>> inside
>>>> >      >     an organization, or for a lab.
>>>> >      >     [...]
>>>> >      >     Implementing the non-normative suggestion from Section
>>>> 10.6 of RFC
>>>> >      >     6724 would in all likelihood result in making
>>>> ULA usable for local
>>>> >      >     tests and even first steps in deploying IPv6.  ULA
>>>> addresses would
>>>> >      >     only be used locally.  Existing IPv4 based Internet access
>>>> would not
>>>> >      >     be impaired by adding IPv6 ULA.
>>>> >      >
>>>> >      >
>>>> >      > That does seem like it might make ULA more useful, yes.
>>>> >      >
>>>> >      > Additionally, maybe we could clarify that the longest-prefix
>>>> match rule
>>>> >     does not apply to ULAs outside the same /48? I think that would
>>>> fix
>>>> the issue observed by +Ted Lemon <mailto:elemon@apple.com <mailto:
>>>> elemon@apple.com>> in home networks:
>>>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
>>>> <
>>>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>
>>>> <
>>>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00
>>>> <
>>>> https://datatracker.ietf.org/meeting/113/materials/slides-113-6man-source-address-selection-for-foreign-ulas-00>>
>>>> .
>>>> >
>>>> >     When two networks each with its own ULA prefix are intentionally
>>>> merged, longest match would be the right thing, wouldn't it? (Assuming that
>>>> the split DNSs are also merged, and of course internal routing.) In
>>>> that case there is no "foreign" ULA prefix.
>>>> >
>>>> >      >     In order to keep IPv6 deployment similar to IPv4, IPv6 NAT
>>>> could be
>>>> >      >     considered.  To make this work as intended, the address
>>>> selection
>>>> >      >     policy table could be adjusted to contain the
>>>> local ULA prefix
>>>> >      >     with precedence greater or equal to GUA and the same label
>>>> as GUA.
>>>> >      >
>>>> >      >
>>>> >      > This seems like it would encourage the use of IPv6 NAT. I
>>>> think there is reasonably strong consensus within the IETF that that is not
>>>> the
>>>> right way to go, because it pushes problems on to application
>>>> developers.
>>>> This adds costs for NAT traversal software development and maintenance,
>>>> and requires devices to implement NAT keepalives, increasing battery usage.
>>>> >
>>>> >     That may be the IETF's consensus, but there is a very large
>>>> fraction of the enterprise network operations community that strongly
>>>> disagrees,
>>>> and in fact regards this as a red line issue. It isn't even clear that
>>>> they'd accept NPTv6 as an alternative to NAPT66. If this is indeed the only
>>>> way to get IPv6 inside enterprises, what is the right thing for the
>>>> IETF to do?
>>>> >
>>>> >             Brian
>>>> >
>>>> >     _______________________________________________
>>>> >     v6ops mailing list
>>>> >     v6ops@ietf.org <mailto:v6ops@ietf.org>
>>>> >     https://www.ietf.org/mailman/listinfo/v6ops <
>>>> https://www.ietf.org/mailman/listinfo/v6ops>
>>>> >
>>>> >
>>>>
>>>> _______________________________________________
>>>> v6ops mailing list
>>>> v6ops@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>
>>>
>>>
>>> --
>>> ===============================================
>>> David Farmer               Email:farmer@umn.edu
>>> Networking & Telecommunication Services
>>> Office of Information Technology
>>> University of Minnesota
>>> 2218 University Ave SE
>>> <https://www.google.com/maps/search/2218+University+Ave+SE?entry=gmail&source=g>
>>>       Phone: 612-626-0815
>>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>>> ===============================================
>>>
>> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE
> <https://www.google.com/maps/search/2218+University+Ave+SE?entry=gmail&source=g>
>       Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
-- 
---
Nick Buraglio
Planning and Architecture
Energy Sciences Network
+1 (510) 995-6068

v2.23.0 | Report a Bug | By Email