IPv6 Operations - IETF 100
Monday 13 November 13:30
Chairs: Lee Howard, Fred Baker, Ron Bonica
Minutes: Barbara Stark
Jabber: Mikael Abrahamsson

-------------------

Agenda

Invited talk: IPv6-only deployment at Cisco
Khalid Jawaid, Cisco Systems

Readout from the Hackathon
Lee Howard

Using Conditional Router Advertisements for Enterprise Multihoming
2017-10-09,

Reporting of Happy Eyeballs Failures
2017-10-29,

------------------

IPv6-only deployment at Cisco
https://datatracker.ietf.org/meeting/100/materials/slides-100-v6ops-sessa-ipv6-only-deployment-at-cisco/

Khalid Jawaid, Cisco Systems, presented.

David Schinazi: Does not want to provide switch to disable privacy extensions. Privacy addresses are useful. If you want to track, why not track on MAC address?
Khalid: When you sign on to a corporate network, you are agreeing to a corporate policy.
David: When you use corporate network you have fewer privacy rights?
Khalid: Yes.
Marco Hogewoning: Are you suggesting that people who are dual stacking should move to v6 only?
Khalid: Happy Eyeballs masks problems.
Lorenzo Colitti: It falls on you to prove lower operational costs to move to v6 only.
Khalid: Yes, that is the justification of v6 only. Running dual stack costs money.
Lorenzo Colitti: Concerned with tracking policies preventing use of multiple IPv6 addresses. Recommended implementation of IETF RFCs. Can track using 802.1x.
Khalid: Will take that back and see if we can change the design of our network to do that.
Daniel Shaw: Do you have something online, like a blog article, that you could share?
Khalid: Will provide a blog.
Jen Linkova: People cannot remember to enable privacy addresses when they walk out the door, so we need to put emphasis on solutions that don't disable privacy addresses.
Khalid: OK.
David: Regulations do not seem to say how to track, merely that you need to track. There are various ways to track individual users and devices.
Khalid: I don't know of all the tools.
But they say if it's in the RFC, then it has to be there.
David: Tell them we will not enable [ability to disable privacy addresses].

---------------

Readout from the Hackathon
https://datatracker.ietf.org/meeting/100/materials/slides-100-v6ops-sessa-readout-from-ietf100-hackathon/

Lee Howard presented initial slides (up to 13). Jen Linkova then talked for slides 14-20.

Mikael Abrahamsson: Did you say you got LEDE to do NAT64?
Lee: No.
Mikael: Offered assistance in setting up LEDE to do NAT64, so people can do at home.
Lee: Interesting. We did not need LEDE to do this because IETF supplied NAT64.
Lorenzo: Noticed that non-EUI-64 addresses were not supported.
David: Configuration of VPN shouldn't matter. It should not be possible to get VPNs not to work.
Jen: I thought it was possible to make VPN only use IPv4.
David: The case you are describing is a bug in the OpenVPN code. User configuring it wrong shouldn't be an option [to test].
Khalid: We tested Skype for Business, Jabber, etc., and it worked. Can we have NAT64-certified, like IPv6 certification?
Lee: IETF doesn't certify, but others do.
Tim Winters: If vendors want a cert, it can be offered. There must be interest.
Jordi Palet: Tried OpenVPN with TCP and not just UDP. I have implemented NAT64 in OpenWRT. I will document everything that is missing in LEDE.
Daniel: Did you differentiate between text/voice/video?
Jen: Yes.
Lee: I think we tested all functionality on all transition technologies.
Lorenzo: It's not as easy as you say. I've gotten NAT64 to work on OpenWRT and it's really slow. Unacceptably slow.
It's not just if it works; it's also how well it works. It's not trivial.

----------------

Using Conditional Router Advertisements for Enterprise Multihoming
2017-10-09, https://datatracker.ietf.org/meeting/100/materials/slides-100-v6ops-sessa-conditional-router-advertisements-for-enterprise-pa-multihoming/

Jen Linkova presented slides.

Erik Nordmark: It seems like a useful thing. Was wondering about hysteresis of link flaps. Don't know if easy way to test.
Jen: It might be good to delay a little before changing network topology. But maybe some dampening and not immediately propagating change.
Lorenzo: Have you tested on various implementations? I think on Android if you deprecate all addresses it will leave completely, so perhaps you should not do that. If you test on various implementations and tell us what was wrong then we could fix.
Jen: Maybe use ULAs if you really want to keep an address that doesn't go away when uplink goes away.
Mikael: This looks like something homenet could solve.

-----------------

Reporting of Happy Eyeballs Failures
2017-10-29, https://datatracker.ietf.org/meeting/100/materials/slides-100-v6ops-sessa-reporting-of-happy-eyeballs-failures/

Jordi Palet presented.

Mikael: What was the rationale for using .1 as the prefix? That is used as 64 relay.
Jordi: I was using .1 as a suffix for an IP address. Just a suggestion. Can define any other address.
Lorenzo: I would suggest choosing another address. And don't use just v6 for reporting. Need to guarantee reporting works. Maybe use HE for reporting. Most problems we see with v6 are in the last mile.
Jordi: Most problems are at destination and not access network.
Fred Baker: We have different experiences producing opposite results. I think you need HE.
Jordi: Need to report using v6 as well as v4.
Fred: OK, so you can't use HE.
Fred: Khalid, in your talk you said HE was a problem; can you elaborate?
Khalid: Our view is that problem is either at the origination or destination.
David: If problem is not on your network, why care? You can't fix it.
Jordi: In testing access network with deployed IPv6, we discovered problem in transit network. By reporting problems in other networks, we were able to get them to fix problems.
Jordi: Clarified why the doc was submitted twice with different IDs. It was an error.
David: We need to talk more about privacy. Concerned there was no security section. This is leaking what iPhone user is connecting to. We need to talk a lot more about privacy. We didn't deploy HE to make IPv6 better. We did it to incent people to deploy IPv6. This is not to help people; it's to make your network better. I'd like to help, but not at expense of security and privacy.
Fred: We're identifying a syslog problem. Syslog should be running over DTLS.
David: That's a start. But it's still reporting everything users connect to.
Lorenzo: I'm not going to discuss idea that if you don't disclose info then it isn't a privacy leak. We won't implement because it's a huge privacy problem. If you want it to be relevant and implemented, you need to be concerned with security.
Jordi: Maybe this is not best way, but please provide input on how to improve.
Lorenzo: Maybe it can be improved, but it also may be possible there is no way to improve to fix this problem.
Jen: Provided security scenario.
Chris Morrow: Why would I care about this? If the problem is on my local network and I'm an enterprise provider, then maybe I care. But if the problem is on a remote network, it's hard to tell them. Other than researchers saying x% of things are broken, I don't understand point.
Fred: Not ready to think about adoption at this point.
Fred: We're running early. Will now do another topic not on today's agenda.

-------------

IPv6-Only Terminology Definition
https://datatracker.ietf.org/meeting/100/materials/slides-100-v6ops-sessa-ipv6-only-terminology/

Jordi Palet presented slides.

George Michaelson: Diagram shows arbitrary L2 forwarding.
Corporations that have not constrained forwarding capabilities of L2 are ignored.
Jordi: I'm saying whether network has certain capabilities, from perspective of the operator.
Alexandre Petrescu: I see picture of cellular network in your slide. I know of 2 main cellular IPv6 architectures and neither is IPv6-only.
Jordi: I know many people who say they have an IPv6-only network.
Alexandre: Core network is IPv4 and IPv6.
Jordi: If at edge you only have NAT64 then that is IPv6-only.
Alexandre: No. There is no IPv6-only core cellular network. I will send comments to list.
Lorenzo: The same network can support v4, v6, and v6-only links. There is definitely a v6-only SSID and other context, so there may be something good to define.
Joel Jaeggli: You probably don't have a case where clients have v4 but network does not.
Alain Durand: Does not see point. What matters is what clients can do.
Jordi: I am saying whether network is supporting IPv4 natively.
Alexandre: I wanted to say that there is a case where PCP/PPP type is IPv6-only.
Jordi: Talking about actual native transport.
Marco: Things work or don't. We don't need this. I don't think this helps.
Jordi: We need terminology when discussing options with providers.
David: I'm confused. I don't know what problem you're trying to solve and think you may be making things worse. Don't create a term.
Jordi: We do not have same understanding of "IPv6 only".
David: Agreed. And this won't help. Use full length descriptions of what you mean, rather than trying to create a term to avoid using full length descriptions.
Jen: You might create more confusion by trying to define this term.
Lee: Not all networks are Internet networks. I think what I'm hearing from the conversation: I'm not sure we agree there is a problem to be solved.
Fred: No consensus to move forward with this.