Re: Let's Focus on Moving Forward Re: V6 still not supported re: 202203261833.AYC

[Dave Bell <me () geordish org>]

Hi Pascal,

> From what I'm reading, it seems like you're implying that the bulk of the
ISP network does not need to change to implement this new IP protocol. If
that is the case, then you are incorrect.

Without the router that the customer connects to being aware of this new
protocol, then you are opening yourself up to address forgery on a massive
scale. The ISPs next hop needs to be able to inspect both the regular
source address, and the encapsulated source address to ensure that the
customer is sending legitimate traffic (uRPF). In my world the BNG is the
most complicated part of the network.

The CPE I'm sending out to my customers now presumably needs its NAT
implementation altering? It now does translation on the inner IP header
rather than the regular what is now outer.

So to summarize, to implement this I need to do the following:
* Install some CG-NAT device (You can argue its not CG-NAT because its
stateless - It will have a lot of traffic going through it, so its carrier
grade, and its translating from one type of IP to another, so its network
address translation.)
* Upgrade my BNGs to cope with the new address format for uRPF purposes
* Upgrade/replace all my CPE
* Have the network stack on my customers OS upgraded

Not to mention all the testing required to ensure that it all will work
smoothly.

That is a lot of work, and I still don't see the benefit over just moving
to IPv6.

Regards,
Dave

On Tue, 5 Apr 2022 at 10:30, Pascal Thubert (pthubert) <pthubert () cisco com>
wrote:

> Hello Dave:
>
>
>
> The problem we have not solved is with the (host, gateway, ISP network)
> that will not move; and I’m hearing in this list that there’s one big
> reason: because the step (the leap really) is too wide. And I also read a
> consensus that dual stack and large NATs are not the long term solution
> people want.
>
>
>
> The primary goal here is to avoid  dual stack forever, and not having
> enormous CG-NATs either. The proposal is to replace the leap that few can
> achieve by a series of baby steps that most can, and will to a point.
>
>
>
> To your example: say that you’re willing to migrate your host stack to
> IPv6-only. But then your ISP or your home gateway does not have it. Stuck.
> If you form a YATT address, the stateless translation will discover that
> there’s no v6 and turn the YATT packet into YADA. With that you can talk to
> any YADA and YATT node in the universe, though you can neither reach all
> IPv6 nodes nor all IPv4 nodes. That’s where the baby steps land.
>
>
>
> The motivation to go YADA from IPv4 (as opposed to IPv6 altogether) is
> feasibility. With YADA, the change is smaller in the upper stack and the
> applications. Say you have VMs that are IPv4 only, that you do not control
> the stack at all but just the hosting system. The hosting system can serve
> as/intercept DNS, NAT the YADA double-A destination to a single-A with an
> address from the pool, leaving the VM stack unchanged. An upgraded home
> gateway could do that too for the whole private network.
>
>
>
> YADA and YATT are equivalent, they are the IPv4 and IPv6 formulations of
> the same thing; what goes on the wire is whatever matches what the ISP
> network offers. Each AS or realm can decide to be one version only. The
> stateless NAT at the border can be wire speed, there’s state nor no
> complexity involved in that translation.
>
>
>
> When you’re already IPv6 you need none of that. IPv6 is the sphere than
> encompasses all the planes (realms) and the shaft. Plus all the air in
> between. But the IPv6 host could be so nice as to support YATT, which
> effectively is an effort on its part, but gives it a /64 for free,
> automatically. That’s a bonus that could become handy.
>
>
>
> Keep safe;
>
>
>
> Pascal
>
>
>
>
>
> *From:* Dave Bell <me () geordish org>
> *Sent:* mardi 5 avril 2022 9:45
> *To:* Pascal Thubert (pthubert) <pthubert () cisco com>
> *Cc:* Matthew Petach <mpetach () netflight com>; Vasilenko Eduard <
> vasilenko.eduard () huawei com>; NANOG <nanog () nanog org>
> *Subject:* Re: Let's Focus on Moving Forward Re: V6 still not supported
> re: 202203261833.AYC
>
>
>
> Considering this requires updating every single IP stack that wants to
> utilise this, what are the benefits of it other than just moving to IPv6?
>
>
>
> Regards,
>
> Dave
>
>
>
> On Tue, 5 Apr 2022 at 08:24, Pascal Thubert (pthubert) via NANOG <
> nanog () nanog org> wrote:
>
> Hello Matthew
>
>
>
> At the moment the draft has a general architecture, and it will take the
> right minds and experience to turn a model into a live network. Considering
> what the people in this list have already built, it’s no gigantic leap to
> figure they can build that too. Most of the building blocks that are
> implicit or TBD in the draft exist already.
>
>
>
> About linking ASN to realms, that’s Eduard’s view, I’ll let him answer.
> The draft is not like that, all existing ASN and IP addresses can be reused
> in every new realm, and there does not need to be any mapping. If people
> find a need or a reason to add constraints, that’s beyond me at this time,
> and against the natural philosophy of minimizing interdependences to
> maintain design freedom in each realm. The draft has one and one only
> dependency, that surface of the shaft is common to all realms.
>
>
>
> To your point, and unrelated to ASNs, the shaft can be physically
> distributed. Each physical place would announce 240.0.0.0/6, and the
> nearest alive would attract the traffic. See it as as many IXPs. In the
> current draft, there’s only one shaft that links all realms. And there’s a
> single realm number for each realm that is advertised in every physical
> instances of the shaft. All that is a  simplification to highlight the
> design.
>
>
>
> As the shaft lives on, a realm may be multihomed, the shaft might be
> subnetted to interconnect only specific realms, or to be advertised
> differently in different geographies. And then the subnets will need to be
> injected in the realms. The way around a breakage can be DNS, or BGP.
>
>
>
> All this is possible, you’ve already done it, and it’s really your play.
> We build the car, you drive it. Happy that you start figuring out how you
> prefer it to happen. While we figure out protocols to renumber more
> efficiently, fix source address selection, extend the NATs, you name it.
> There’s work for all and at every phase. But at this stage of the
> discussion, I favor the 10 miles view to get a shared basic understanding.
>
>
>
> On the side, I’d be happy to learn how you solved a situation like the one
> below, if there’s any article / doc?
>
>
>
> Keep safe;
>
>
>
> Pascal
>
>
>
> *From:* Matthew Petach <mpetach () netflight com>
> *Sent:* mardi 5 avril 2022 0:29
> *To:* Vasilenko Eduard <vasilenko.eduard () huawei com>
> *Cc:* Pascal Thubert (pthubert) <pthubert () cisco com>; Nicholas Warren <
> nwarren () barryelectric com>; Abraham Y. Chen <aychen () avinta com>; Justin
> Streiner <streinerj () gmail com>; NANOG <nanog () nanog org>
> *Subject:* Re: Let's Focus on Moving Forward Re: V6 still not supported
> re: 202203261833.AYC
>
>
>
>
>
>
>
> On Mon, Apr 4, 2022 at 10:41 AM Vasilenko Eduard via NANOG <
> nanog () nanog org> wrote:
>
> 240.0.01.1 address is appointed not to the router. It is appointed to
> Realm.
> It is up to the realm owner (ISP to Enterprise) what particular router (or
> routers) would do translation between realms.
>
>
>
> Please forgive me as I work this out in my head for a moment.
>
>
>
> If I'm a global network with a single ASN on every populated continent
>
> on the planet, this means I would have a single Realm address; for
>
> the sake of the example, let's suppose I'm ASN 42, so my Realm
>
> address is 240.0.0.42.  I have 200+ BGP speaking routers at
>
> exchange points all over the planet where I exchange traffic with
>
> other networks.
>
>
>
> In this new model, every border router I have would all use the
>
> same 240.0.0.42 address in the Shaft, and other Realms would
>
> simply hand traffic to the nearest border router of mine, essentially
>
> following a simple Anycast model where the nearest instance of the
>
> Realm address is the one that traffic is handed to, with no way to do
>
> traffic engineering from continent to continent?
>
>
>
> Or is there some mechanism whereby different instances of 240.0.0.42
>
> can announce different policies into the Shaft to direct traffic more
>
> appropriately that I'm not understanding from the discussion?
>
>
>
> Because if it's one big exercise in enforced Hot Potato Routing with
>
> a single global announcement of your reachability...
>
>
>
> ...that's gonna fail big-time the first time there's a major undersea
>
> quake in the Strait of Taiwan, which cuts 7/8ths of the trans-pacific
>
> connectivity off, and suddenly you've got the same Realm address
>
> being advertised in the US as in Asia, but with no underlying connectivity
>
> between them.
>
>
>
>
> https://www.submarinenetworks.com/news/cables-cut-after-taiwan-earthquake-2006
>
>
>
> We who do not learn from history are doomed to repeat it...badly.   :(
>
>
>
> Matt