ipv6@conference.ietf.jabber.com - 2002/11/18


[09:11] %% logger has arrived.
[09:17] %% logger has arrived.
[09:24] %% logger has arrived.
[09:31] %% logger has arrived.
[10:39] %% bensons has arrived.
[10:58] %% bensons has left.
[11:51] %% logger has arrived.
[17:47] %% starsu has arrived.
[17:48] %% bluebibi has arrived.
[17:48] <starsu> proxy
[17:49] %% inkyulee has arrived.
[17:49] <inkyulee> no scriber here?
[17:51] %% starsu has left.
[17:53] %% Joseph has arrived.
[17:57] %% avri has arrived.
[17:58] %% mrose has arrived.
[18:00] * Joseph has changed the subject to: http://www.jabber.com/chatbot/logs/conference.ietf.jabber.com/ipv6
[18:08] %% inkyulee has left.
[18:08] %% bluebibi has left.
[18:09] %% inkyulee has arrived.
[18:09] %% john loughney has arrived.
[18:12] %% john loughney has left.
[18:13] %% inkyulee has left.
[18:15] %% avri has left.
[18:42] %% aamelnikov has arrived.
[18:42] %% aamelnikov has left.
[21:08] %% logger has arrived.
[21:44] %% logger has arrived.

ipv6@conference.ietf.jabber.com - 2002/11/21


[06:48] %% hanzzz has arrived.
[06:57] %% kurtis has arrived.
[07:04] %% mrose has arrived.
[07:14] %% oletroan has arrived.
[07:18] %% ietfwatch has arrived.
[07:21] %% KeithMoore has arrived.
[07:24] %% JavierA has arrived.
[07:29] %% JavierA has left.
[07:30] %% JavierA has arrived.
[07:31] %% ggm has arrived.
[07:31] <ggm> Bob Hinden summarizes issues from WG perspective
[07:31] <ggm>
focussing on site-local addressing

scoped address architecture

limited
only disconnected
no multi site nodes, DNS

moderate
some site-border router
no multi-site host/router
two faced/split DNS

full usage
all nodes are multi-site, make routing protocols
know about site boundaries, do multi-site DNS


[07:32] <ggm>
(complaint about how the WG is being steered on this issue)

looking for consensus on the way forward, controversial issues


[07:33] <ggm> second proposal

use site and global at the same time

multi site host is not required

routers need two modes

all i/f in same site == global

all i/f in different sites == link-local

reduce complexity document issues

architectural reasons

site local natural expression of network topology
retrofit to ipv4
make work better in ipv6

disconnected networks
global prefix not always available
intermittently connected nets with unstable global prefix

[07:33] <KeithMoore> how can he say that with a straight face?
[07:33] %% JavierA has left.
[07:34] <ggm> security issues

simple access control 'out of the box'
appliances assigned site local/link local address
applications eg db servers only accepting site-local addrs
defense in depth because of multiple routers between attacker
and victim with filtering

[07:35] %% JavierA has arrived.
[07:35] %% JavierA has left.
[07:36] <ggm> renumbering/related issues

site local preserved across site renumbering
not so useful in practice, because renumbering
not common, slow, rare

except intermittently connected sites

site local in conf files don't have to change
when renumbering

eg filters/acls based on site local don't change


[07:36] %% smb@research.att.com has arrived.
[07:37] <kurtis> sigh...
[07:37] <KeithMoore> default address selection is hopelessly naive even for non-distributed apps
[07:38] <ggm> network stack complexity

TCP/UDP/IPV6 parts of stack
additional code (in his experience)
1-200 lines of code extra in routing table lookup
and dest cache

necessary for link locals, not just site locals

application complexity
def addr selection alg for many apps
dist apps do referrals
global mode use globals
site mode use site-locals

multi-sited hosts
getaddrinfo returns sitelocal w scope id
apps preserve scope-id info (use sockaddrs)

[07:38] <kurtis> It would be interesting if he could explain why his own company can't get their applications to work across multi addresses and site-borders today...
[07:38] <ggm> (are these slide braindumps ok?)
[07:38] %% jis has arrived.
[07:38] <kurtis> (more or less)
[07:39] <hanzzz> (yep)
[07:39] <ggm> DNS
two faced DNS only current solution
draft-ietf-ipng-site-prefixes-05
extended for dist apps
nice idea, too late

Mark Andrews' suggestion works with link-locals too

[07:40] <kurtis> Wait, move around site-local domains. Then it's not really site-locals anymore? then it's global addresses!!!
[07:40] <ggm> Mobile IPv6

Can a MN use a site local home address?
yes within home site

MIPv6 could support site local home
and use it when away from home to talk back
to home.
not as currently specified

[07:40] <KeithMoore> thanks for making it brief
[07:40] <ggm> <ends>
[07:41] <ggm> from the floor
[07:41] <ggm> site locals == link locals from routing perspective asserted: I do not agree
[07:41] <ggm> from the perspective of the routing protocols, it's different
[07:42] <ggm> I was trying to outline simple cases
[07:42] <ggm> clarification: to add site locals into the stack only added 1-200 lines. host or router?
[07:42] <ggm> A:: primarily host but have some simple router support
[07:42] <ggm> Q so how do you actually route?
[07:43] <ggm> Q and how much routing protocol support in the stack?
[07:43] <ggm> A we have static routing
[07:43] %% da4089 has arrived.
[07:43] <ggm> Bob Habermann on routing/forwarding of site local addr
[07:43] <oletroan> Brian H
[07:43] <ggm> (ok. diagrams. see the docs folks)
[07:44] <ggm> ummmmm, boxes and squares like coach said just end run around to the goal line... (sorry)
[07:45] <ggm> test platform, bay networks IPv6 stack
s/w router
RIPng

[07:45] <ggm> modify routing table to add zone id
monolithic table, zone id as index
separate tables, figure out which to use on ingress/zoneid

[07:50] %% hanzzz has left.
[07:53] %% hanzzz has arrived.
[07:54] %% ggm has left.
[07:56] %% Magnus_Strømdal has arrived.
[07:56] %% fsolensky has arrived.
[07:57] %% ggm has arrived.
[07:57] %% hta has arrived.
[07:57] <ggm> connectivity glitch. should I repost what I have from loss of signal or leave alone?
[07:57] <hanzzz> please repost
[07:58] <fsolensky> If it won't cause you to lose track of what's going on now.
[07:58] <ggm> RIPng easiest to do
read write correct table
change to route exch messages

forwarding plane

correct forwarding table lookup
dest/src addr checks

test scenario
reachability tested with ping6
throughput with FTP
freebsd dumped table


[07:58] <ggm> results
10k feet, looks like VPN box

differs by sharing RIB/FIB global prefix

perf hit in forwarding
going to 3 sites causes 20% system perf drop
(s/w forwarding)
extra lookups, demux, then route lookup

scope checks on src/dest
specific FIBs in h/w would help

[07:58] <ggm> comments

routing/forwarding only
no app testing no DNS

RIPng simple
Link state more difficult
Site boundaries should not be arbitrary
igp/egp
OSPF boundary areas


Site border routers can work
how often does a router have to support two sites?

(missed discussion in depth)

[07:58] <ggm> (now back live)
[07:58] <fsolensky> thx
[07:59] <hanzzz> thnx
[07:59] <ggm> connected site local considered harmful. rob austein

[08:00] <ggm> scopes and borders
is single site border a good place to put a border for all
of the things like routing/security/naming/addressing


[08:03] %% alcor has arrived.
[08:03] %% alcor has left.
[08:03] %% rafdalb has arrived.
[08:03] %% hanzzz has left.
[08:03] %% rafdalb has left.
[08:03] %% ggm has left.
[08:04] %% hanzzz has arrived.
[08:06] %% ggm has arrived.
[08:06] %% hta has left.
[08:06] <ggm> suspicion this is not the case. enough different things
that a single clean 'edge' is not a useful concept

applications and scope
most aps have no concept of scope
most apps have no way to express scope
stuff leaks across the borders

one size does not fit all
seems nice but its wrong

area border is not the same as the naming realm
two faced dns borders, firewalls, demarcations point(s)

[08:07] <ggm> private addresses do not enhance security
attacks via border machine
attacks via leakage
weakened node security due to false sense of security
firewalls have to filter bad globals stuff anyway

[08:08] <ggm> (in room 802.11 is crap. so I am losing connectivity from time to time. sorry)
[08:09] %% Magnus_Strømdal has left.
[08:09] <ggm> Reachability vs Ambiguity
Firewalls limit reachability
Private Addressing realms also limit reachability
This is not an improvement
draft-ietf-dnsop-dontpublish-unreachable

[08:14] <ggm> Multiple sites
devices that have to live in multiple sites is hard
multiple tables, or zoneid to select in one table
probably same complexity (I think that's what he said)
complex forwarding and leakage rules
2 faced DNS is bad enough, but what about <n>-way?

[08:14] %% ggm has left.
[08:14] %% hta has arrived.
[08:15] %% agaton has arrived.
[08:16] %% azinin has arrived.
[08:17] %% ggm has arrived.
[08:17] <ggm>
other approaches in DNSSEC are scary
sound reasonable, but ...

summary

if we have to keep site-local at all only use
in disconnected state

globally unique addresses would be better even in
disconnected case


[08:17] <ggm> Hinden speaks
[08:17] <ggm> what next?
[08:17] %% Magnus_Strømdal has arrived.
[08:18] %% JavierA has arrived.
[08:19] <ggm> hinden have multiple feelings about this, having same
discussions, thoughts, concerns.

flesh out my view. middle ground. between
limited usage, and as many sites as possible
in all possible ways. this is not the position
of the chair. a vehicle for discussion, makes
some sense, the pragmatic part of my brain says
people are going to do this anyway, its what
firewalls do anyway, we have to deal with this
building the bits, have real guidance instead
of wishing it will go away.

[08:20] <ggm> can build simple routers, can have interfaces
not in any site, can have blackhole routes to FEC0::/10

firewall at site border that enforces site boundary

little or no impact on routing protocols etc

[08:20] <ggm> rob sees it as more complicated, I see it as simpler.

[08:21] <ggm> we have no official requirements for multi-sited nodes
all routers should have blackhole route, keep it from leaking
Vendors may build multi-site nodes
customers will insist,
IETF doesn't have to require it
useful to document why we think this is hard, has issues


[08:22] %% azinin has left.
[08:22] <oletroan> it doesn't make sense that all routers have the blackhole route. only SBR routers should.
[08:22] <ggm> DNS keep site local out of global DNS
need equiv of site border router for DNS
Range of solutions
enterprise/home may need different solutions
Two-face/split DNS
common for enterprises today
Mark Andrews proposal

Ask DNS-EXT wg to take on work, better than doing here

[08:23] <ggm> APPLICATIONS issues are real
however site-local usage isn't worse than
firewalls creating scopes with limits or
limited scope addresses
important that APIs allow application to override
address selection defaults

[08:24] <kurtis> oletroan: It's better to make it default and have people turn it off if really needed (although I would prefer you could not turn it off)
[08:25] <oletroan> kurtis: I would rather prefer to not special case site-locals, apart from on site-borders. treating them as globals should be fine.
[08:25] %% ggm has left.
[08:26] %% ggm has arrived.
[08:26] <ggm>
hence the models proposed limited/moderate/full
other divisions?
do we do vote? for one or more or ...

open mike, hinden will moderate, try not to defend
(personal proposal) ask audience to

(huge queue to mike)


[08:27] <ggm> Margaret personal view is not chair view
site local were invented for not yet connected sites

labs, sites which will never be connected
if allow them to be used on connected sites
as private addressing, overloading use of prefix

is default to allow forwarding? if disconnected yes
but if connected then clearly conservative is no.

[08:28] <ggm> we can't tell people not to use local addresses, but we
can try to give them a better way than in IPv4.
just because RFC1918 was misused doesn't mean we have
to mirror that mechanism, could do some better things.


[08:28] <ggm> guys, I don't know the speakers, so I can't really tag this stuff well. maybe somebody else can do this better.
[08:28] <oletroan> Erik Nordmark
[08:28] <oletroan> previous was Margaret Wasserman
[08:28] <oletroan> next is Itojun
[08:28] <ggm> nordmark not even disconnected site is a safe thing to do

[08:29] <kurtis> oletroan: Then, why don't we just use global addresses?
[08:29] <kurtis> If we want a special "globally treated block" what have we gained?
[08:30] <ggm> nordmark continues
[08:30] <ggm> do you erect boundaries as part of the initial creation
with different addressing domains, but then as you do
networking, make the changes, or do you start out addressing
everything from day #1, what do you do when you decide you
want to open things up? if you have global addr /filters then
it's simple to open up. continue to use local contexts, but
punch through is harder.

[08:31] <oletroan> kurtis: it will still be filtered on borders. agree, globals are much better. there are still uses where site-locals make sense. e.g not yet connected, temporarily connected, ISP gives short-lived global addresses.
[08:31] <ggm>
go off and try to solve interesting/hard problems even if
we do this for disconnected sites only people will work out
how to glue together

Hinden I agree with a lot of this, in use statements have to
address this.


[08:31] <ggm> itojun two important issues not mentioned

[08:33] <oletroan> Keith Moore... this will take a while. :-)
[08:33] <ggm> DNS spamming by DNS dynamic update with local addresses
significant problem

said that it is possible to use site local addr in mobile ip but
I don't think this is correct, for mobile node there is no
way to disambiguate, I think mobile ip aspect has to be
diagnosed carefully. if vote, I vote for Rob's proposal

[08:34] %% fsolensky has left.
[08:35] %% ggm has left.
[08:35] %% fsolensky has arrived.
[08:35] %% hanzzz has left.
[08:38] <oletroan> Alain Durand
[08:38] %% ggm has arrived.
[08:39] <ggm> hinden take to mobile-ip (was earlier in week comment from floor)

carrot for the complexity is people think this is what
they are supposed to do, its what they do now.

there will be layers of filtering, but even assuming this
is true, it takes away ability to do monitoring,

[08:39] <ggm> Keith Moore you cannot trust addresses. it is NOT reasonable for apps
to decide to take site-local without auth, we must not
support this.

marginal security benefit, at cost of complexity in
implementation all over. lot to pay for dubious benefit
understand why wanted, why looks good at surface, why
people haven't looked in depth. its not justified, as
engineers we give what works, not what people want

i want to propose different compromise. they are for
disconnected, occasional connectivity, so treat them
as globals.

[08:39] <ggm>
second (which keith is not so sure he supports) all
nodes need global addrs, along with it provide advice
to apps to use site-local when known to be on-site
dubious because apps don't know they are doing this
in advance, a few

third alternative is 'deprecated' -some sympathies to
use these things on isolated nets in the past, but
right now, need to say, its easy to understand how to
use IPv6 to dtrt, but easier to say DONT USE site local
and get the dtrt outcome, but harder to say use site
local and do a,b,c,d.. harder to achieve outcome


[08:39] <ggm>
Alain Durand do not like site local. declared bias
look at the topic, learn from history


[08:41] %% Magnus_Strømdal has left.
[08:43] <ggm> resp to alain scoped addr arch doc author. its to be for site locals
inherent bias of people to look at anything new with
suspicion, problem with site locals is that a number
of people haven't wrapped minds around the concept
completely.


[08:43] %% ggm has left.
[08:43] <oletroan> that was Brian Zill
[08:44] %% Magnus has arrived.
[08:44] %% hanzzz has arrived.
[08:44] <oletroan> Alex Conta(?) speaking
[08:45] %% da4089 has left.
[08:46] %% starsu has arrived.
[08:47] %% ietfwatch has left.
[08:49] <hta> comment: problem with sitelocal is that lots of people have wrapped their minds around the concept completely and concluded that they definitely don't like it.
[08:51] %% starsu has left.
[08:52] %% Magnus has left.
[08:53] %% d has arrived.
[08:53] %% starsu has arrived.
[08:53] %% starsu has left.
[08:54] %% fsolensky has left.
[08:58] <hta> has everyone in the ipv6 room fallen off the chatroom?
[09:00] %% SandyT has arrived.
[09:01] <d> looks that way
[09:02] <kurtis> I am here...
[09:03] <hta> any sense-of-the-room yet? I'd be there if I wasn't here (I'm AD for nomcom)
[09:04] <kurtis> WE are about to vote...
[09:04] <kurtis> But the option to get rid of SL is not an option...
[09:06] %% oletroan has left.
[09:07] %% SandyT has left.
[09:08] <hta> just hum for the most restrictive option available.....
[09:09] %% hartmans has arrived.
[09:10] <kurtis> We have just added the option of globally non-ambiguous addresses
[09:11] <kurtis> ...now the chairs are lost
[09:11] <kurtis> and there is no clear view on what we are voting on...
[09:11] <hta> sigh....
[09:12] <kurtis> voting in progress...
[09:14] %% ggm has arrived.
[09:14] %% ggm has left.
[09:15] %% hta has left.
[09:15] %% SandyTurner has arrived.
[09:15] %% hta has arrived.
[09:16] <kurtis> ..and here starts the discussion on what we really voted on....
[09:16] <hta> was there any clarity in options that were universally unpopular?
[09:16] <kurtis> 30: remove SL, 51: Limited use, 57: Moderate usage
[09:16] <kurtis> More or less none for full usage
[09:17] <hta> hooray! (count your blessings)
[09:17] <smb@research.att.com> I was *very* pleased with that.
[09:18] <kurtis> But I am not clear how Christian can interpret this as a vote for a compromise....
[09:18] <hta> need to revote on limited/moderate split after the extremist positions are taken out (and have to clarify what they mean)
[09:19] <hta> I'm coming over....
[09:19] %% ggm has arrived.
[09:19] <ggm> what a time to lose connectivity. do people want my logs which were missed? they are probably superfluous and don't have the vote or post-vote stuff.
[09:19] <smb@research.att.com> There are O(number of people in the room) different opinions.
[09:22] <ggm>
Hinden try this different way

Rob since the first show of hands done with a second one promised
if we don't do it, then its 'not fair'

Marg time management issues. we can skip Ralf continue this or
call it off and proceed?

overwhelming decision to continue this one

[09:22] %% agaton has left.
[09:22] <ggm>
Hinden go through this again, vote for what you DONT like
can vote multiple times against things too evil to contemplate


[09:23] <kurtis> ggm: can I suggest that you post your logs after the discussions just for the completion of the web-logs?
[09:23] <ggm> 0 choice is 'remove site local'

[09:23] <ggm> (sure) what I have to the vote at end
[09:23] <ggm> to be clear: vote is an ANTI vote: against the idea.
[09:24] <ggm> jabber people want to vote? :-)
[09:24] <kurtis> so are we allowed to vote multiple times now?
[09:24] <ggm> 60-70 against 0
[09:24] <ggm> yes can vote multiple times
[09:24] <kurtis> ok, thanks
[09:24] <ggm> now 1: do not pursue limited use option
[09:25] %% smb@research.att.com has left.
[09:25] %% smb@research.att.com has arrived.
[09:25] %% smb@research.att.com has left.
[09:25] <ggm> confusion about voting being discussed
[09:26] <ggm> focus on choice between limited usage or moderate usage
[09:27] <ggm> do we have consensus to focus on limited or moderate?
[09:27] <jis> yes
[09:27] <ggm> clear consensus to focus on one of those two or something inbetween (humor)
[09:28] <ggm> (link problems. do not want it to die right now)
[09:28] %% hta has left.
[09:28] %% jis has left.
[09:28] <ggm> Margaret WG has not agreed to remove site local entirely, but has rejected full use
[09:28] <ggm> offer from the floor to come up with limited/moderate usage defns for people to work on
[09:29] <ggm> Keith Moore violently disagrees :-)
[09:29] <ggm> Keith Moore: risk of getting meaningless choices
[09:29] <ggm> Durand near to conclusion. lets get there. limited use is disconnected, moderate is for connected, please vote on this
[09:29] <ggm> Margaret not either or.
[09:30] <ggm> <other> There are transients
[09:30] <ggm> Margaret want more voting choice?
[09:30] <ggm> <other> during discussion on list, interest in writing BCP or document on what site local was good for, need to capture in parallel so people know what they are doing.
[09:30] <ggm> Margaret had consensus on list to do that, need to find body
[09:31] %% hartmans has left.
[09:31] <ggm> <other> we have agreed without explicitly saying that the community(s) have use cases, which are going to need to be accomplished, have we documented the use-cases?
[09:31] %% warlord has arrived.
[09:31] %% _ruffi_ has arrived.
[09:32] <ggm> Hain need to get clarification on globally unique site local. we don't have an agreement on that. need to go to globally unique provider independent format, trying to make it non routable won't happen.
[09:32] <ggm> Hinden/Margaret globally unique provider independent site local addr
[09:32] <ggm> Hain be very afraid of a globally unique non-routable. it will be routed.
[09:32] %% _ruffi_ has left.
[09:32] <ggm> Hain we just need it globally unique space.
[09:32] %% JavierA has left.
[09:32] <ggm> Margaret unsolvable problem
[09:33] <ggm> Keith Moore agree with Hain. its hard.
[09:33] <ggm> Keith Moore want to understand the polling, rephrase.
[09:33] <ggm> Keith Moore appears to me we have near consensus to use site local in disconnected and similar cases
[09:33] %% mrose has left.
[09:33] <ggm> Keith Moore may also be ok to be used in other cases subject to constraints. trying to phrase carefully, is that accurate view?
[09:34] %% hanzzz has left.
[09:34] <ggm> <unknown> not productive to choose between limited and moderate at this time. need to do more work to move to consensus
[09:34] <ggm> Margaret made big decision, not to pursue full case. now have to come up with formal Qs about limits to use
[09:34] <kurtis> Thomas Narten (at the mike)
[09:35] <ggm> Thomas Narten == <unknown> Answer to Keith: don't know need to tease out details
[09:35] <ggm> Margaret have to have real proposals to make decisions. need a realm. Brian has volunteered to work, lets bring to table
[09:35] <ggm> Narten what is problem, how important is issue
[09:35] <ggm> Margaret can't explore in next two minutes
[09:36] <ggm> Hinden teasing out issues very helpful
[09:36] <ggm> Narten flesh out problem statement
[09:36] %% warlord has left.
[09:36] %% warlord has arrived.
[09:36] %% warlord has left.
[09:36] <ggm> <unknown-2> saying possible to make provider independent site local work? drafts out about multi-6 etc
[09:37] <ggm> Margaret: Hain is being serious, need to explore issues
[09:37] <ggm> <unknown-3> like idea of BCP, willing to help.
[09:37] <ggm> Chairs to work on how to move forward.
[09:38] %% hanzzz has arrived.
[09:38] <ggm> historical follows. continuing Alain Durand stuff
[09:38] <ggm>
another comment: site-locals for disconnected only
I don't agree, never got that sense from other authors
of scoped addressing arch doc. design is to allow to
mix with addresses/prefixes of other scopes. link local
are mixed commonly with globals and nobody expects you
not to put global on the net just because you are using
link local.

we already accepted the 'complexity' use non 1980's
mindset models. if you take on the v6 mindset, it
encompasses this, naturally, between link and globals
in the scoping, to communicate beyond link, its a useful
concept.


[09:38] <ggm>
solutions presented so far, I feel intermediate is best
way to go. I don't think full is problem but will
compromise, stick to intermediate at least at first



want to bring up operational network issues not on
any slides seen. typical way for ISPs to operate
is to have 'customer agg router' which is their
net on one side, hundreds of customers on other
which means, under many scenarios would be many
hundreds of 'sites' on one router. so doing routing
difficult case, keep it in mind, something which is
how networks are built today

[09:38] <ggm>
hardware vendor, concerned about once I build mechanisms
into h/w cannot change it, concerned that site addresses
being specified in document in draft standard, didn't hear
people have too much experience in deployment really
tested mechanism, that particular mechanism just got through

(not here to talk about addr arch)

[09:38] <ggm> another point on slides was misleading, people do things
with local things they do with scoped, I don't think
this is true, in future when don't allow forwarding
still have topology info in globals which aren't in
scoped local, when discussed, don't create traps.

Tony Hain bias to pragmatism. concept of scope exists in reality
continue to meet people where they are, and move on
or we can fight it. site scope addr exist, need to
exist, operationally must be used, provide other ways
to move forward, most args against are FUD

to address points, get to end goal, BCP needs to state
this in acceptable way, permit change

[09:38] <ggm> Greg Daly didn't have bias before presentation, come to a decision
here come out against this site local address solution
recognize needs for behaviours to do nonchange when move
between providers, stuff like that important, people
doing it with 1918 because they don't have real addrs

looking at generic routing arch of backbone, moved to
provider prefixes, small route table, 2**64 prefixes
don't want tables of that size. need to do is keep
that arch, keep it but can alloc unique site specific
addrs which are non aggregatable, non routable so
people can have simple static local routing

problem is to know addr is not yours. if can solve
then can use site locals

[09:39] <ggm>
SMBellovin original design specced out is so bad I wont address
didn't even define a site. buys you security, is
totally bogus, only if app g/w used totally. nodes
on nets don't only use ALGs. want regular internet
most nodes will have globals anyway. few nodes that
don't (printers etc) defaults to reject not in /48
thats the rational definition of site.

operational nightmare caused by 1918, icmp failing
to get through from backbones, operationally we
can't filter, no more likely in V6 model


[09:39] <ggm> David global addr wanted by everyone

2 issues what goes in doc and what do people want

design doc so as people experiment, will stay constrained
limit to disconnected sites, is only reasonable thing

security cannot come from site locals.

Huitema will reach compromise, too many opinions. that
compromise will end up being bad one. say 'dont do
1918' wont stop usage. if we want to stop 1918 like
usage have to provide alternative, otherwise will
get usage whatever we say.

have a compromise should be rational, work on alternatives
difference between reachability and availability
most operational problems come from ambiguity need to
know who said what, even if you can't reach them. have
to have globally unique unreachable addresses

[09:39] <ggm> <missed one> can see scenarios where site local is used, site local
not in node, stuff won't work all the time. go multi site
and some things will break. reality for end users will
be intermittent service, debug problems. no worse than
today but is that the goal?


<missed name> don't want people to ONLY use site-local and NAT.

most people in this room have been behind NATs,
experienced the problems

if do site-local, won't need /10

hinden think we are heading towards globally unique but
unroutable addresses -thats not a trivial thing either

do a vote

[09:39] <ggm>
Keith Moore problem with phrasing the question this way. glosses
over all the layer-7 issues, silent on this stuff.

at least two fundamental q's not being asked on this
thing which affect the choices in this scenario

is there consensus to accept site-local as ok?

is there consensus to work on stable, global site-local
framework.

unknown1 need to include fixes to addrs arch doc.

hinden its draft standard, can't change it

unknown2 these are not the only choices. several people
put alternates.

unknown3 limit uses as strictly defined, not open for defn.

unknown4 how are the Q's going to be asked

[09:39] <ggm> thats it to the vote.
[09:40] <ggm> sorry for loss of sequence, context.
[09:40] <ggm> ggm out
[09:40] %% ggm has left.
[09:40] %% hanzzz has left.
[09:41] %% KeithMoore has left.
[09:44] %% JavierA has arrived.
[09:44] %% JavierA has left.
[09:46] %% SandyTurner has left.
[09:46] %% kurtis has left.
[09:53] %% d has left.
[10:53] %% oletroan has arrived.
[11:15] %% warlord has arrived.
[11:16] %% warlord has left.
[13:33] %% oletroan has left.
[15:13] %% tskjesol has arrived.
[15:15] %% tskjesol has left.