[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WGLC ent-analysis-03: DSTM

To: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Subject: Re: WGLC ent-analysis-03: DSTM
From: Pekka Savola <pekkas@netcore.fi>
Date: Mon, 22 Aug 2005 13:10:43 +0300 (EEST)
Cc: v6ops@ops.ietf.org
In-reply-to: <200508191315.j7JDFvEV007151@givry.rennes.enst-bretagne.fr>
References: <200508191315.j7JDFvEV007151@givry.rennes.enst-bretagne.fr>

On Fri, 19 Aug 2005, Francis Dupont wrote:

    b.1) the set-up of the bidirectional v4-in-v6 tunnel with the tunnel
       server(s) which can happen without user intervention, e.g., using
       one of the processes described in
       draft-palet-v6ops-tun-auto-disc-03.txt.

=> note this I-D was submitted years after DSTM and is not a complete
solution (in fact, today it is not a solution at all :-).

Within an enterprise network (and having to discover v4-in-v6 TEP, so NATs are not an issue), the problem is much more constrained, so e.g., DHCPv6 is a possible solution. Softwires BOF might do something about this, or maybe not -- if folks are interested in this kind of problem, maybe they should speak up at a forum. In any case, the same approaches as are available for "DSTM" are probably also applicable here.

       This must include a way to auto-configure a v4 address [e.g., DHCPv4].

=> I believe you mean something providing the same service than DHCPv4,
not DHCPv4 itself.

While DHCPv4 may or may not require minor tweaks (e.g., relating to link-layer adaptation), I think it could basically be used itself, and for the service. Could you elaborate why you think it's inappropriate?

    b.2)  the automatic set-up of v4-in-v6 tunnels, so that between each
       host, an ad-hoc tunnel can be signalled and set up" [6to4-like
       traffic optimization]

=> I believe you have "direct tunnels" in the b.2 idea?


Yes.

    c) assignment of an address on top of v4-in-v6 tunnel(s), but
       deferred until the application wants to create v4 socket.
       [issues with dual-stack server apps, for example]

=> note that c) is needed if allocated IPv4 addresses are global.
To come back to the DHCPv4 analogy, with DHCPv4 an address is needed
when a node attaches to the network, with c) an address is need
when (and only when) a node has to make an IPv4 communication.


No, "global v4 addresses -> c)" does not follow.

It is a perfectly fine way to run and use addresses to give each node requiring v4 connectivity a static global address. Those which need them only now and then can also use global addresses, but the easiest would probably be using RFC1918 for those nodes.

The issue how aggressively to conserve v4 address space at the cost of more complexity and mechanisms like dynamic assignments/removals is a trade-off. Some may believe it's worth the effort; many others (like me) think it's not (and personally, I think it'll cause more harm than help).

I gave further reasons for my belief in my reply to Stig on Aug 10, with subject "Re: Enterprise Analysis DSTM Issue: dynamic setup", especially wrt. who needs a global or private address.

    d) automatic monitoring and tear-down of said v4-over-v6 tunnel(s)
       when the host detects it no longer needs the address/connectivity

=> as I've already explained, d) is a consequence of c).

While d) may be desirable by some if you want to release the global address back to the "pool" as soon as possible, it's not a direct consequence AFAICS. It'd be perfectly fine to deploy only c) with the assumption that if the host needs v4 even once, it gets v4 "for good" (at least as long as isn't rebooted).

While c) may not conserve address space as effectively as c)+d), it's something to be evaluated based on the tradeoffs.

    - c) is something implementations may try to do on their own, but I
  would recommend against it, and the IETF shouldn't work on that

=> c) is *not* an option when you have not one address per node, i.e.,
when b.1) is not usable.

I'm not sure what you meant with "is *not* an option". What is the option then?

    - d) doesn't seem to be worth the effort and is probably difficult to
  get right -- and for addresses, DHCPv4 and other methods already
  exist; not sure we want/need to do more work on that.

=> perhaps I have misunderstood d) but when the IPv4 address expires the
tunnel must be torn down...

No, I don't think it follows. I don't see why you couldn't just have a v4-in-v6 tunnel but the host wouldn't have any v4 address, right?

An analogue: when my DSL provider's DHCPv4 server goes down or the DSL modem's DHCP snooping breaks, my lease expires and on my BSD router the public v4 address I normally have is changed to "0.0.0.0". If I re-run DHCPv4, I get the address back. Why the same couldn't happen here? Why must the tunnel be removed?

  I have no problem having the enterprise analysis document include this
  kind of analysis, and describe the need for a) and b.1) -- and I think
  this is probably a good thing as it might lessen the confusion on the
  real requirements for v4-in-v6 tunnels -- but if we go further than
  that, we may have a problem....

=> we have already a problem with IPv4 global addresses: there are not
enough!

IANA has been allocating lots of /8's. Our organization has gotten a new /16 as well. I'd argue that the situation with v4 address availability has gotten better.

  > => the overload (if any) should be solved by the references...

  This is a working group document.  I don't think we can just refer to
  a non-wg, ambiguous document and expect it to clear up the ambiguities
  and confusion.

=> so your concerns are about the DSTM documents?


You could say so, yes.

  > => I saw the birth of DSTM: DSTM is Jim Bound's AIIH + Laurent
  > Toutain's DTI.

  That may be, but many people since have used the term,

=> the term is not (yet :-) a trade mark...

  and may have zero idea what the goals are or may have been.

=> this is a random remark which is not about the WG I-D.

I think it may still be relevant, though. Lots of people who want just simple v4-in-v6 tunnels, or something slightly more sophisticated (for example a) and b.1) in above terminology) think they need something called "DSTM". Reading the spec does not give them much idea about the goals or the background relevant to their own requirements. The enterprise analysis document seems like a natural place to discuss these requirements in the hopes of lessening the confusion.

  Certainly, if you wanted to create ad-hoc tunnels (6to4-like) between
  each host or the like, a protocol interoperability that goes beyond
  the plain tunnel broker would be needed.  But I wasn't implying that
  functionality (nor do I think it is needed).

=> what I said is the setup mechanism is orthogonal to the tunnel
mechanism and the only thing about it is just to have one (zero
doesn't work, two or more don't interoperate). BTW to be clearer
here I mean the setup of a tunnel between a node and a TEP.

Well, isn't TSP a solution here as well? Jeroen Massar also had done work in this space. Softwires BOF is working on this.

In any case, as far as I see, the DSTM spec is mostly just describing the concept and giving a couple of examples here and there which protocols could be used; I don't see how you could write an interoperable implementation based on it.

  What I meant is that if you already have a) and b.1), i.e., an ability
  for the host to set up a tunnel without manual configuration with a
  tunnel server, all your implementation needs to do is add a hack which
  triggers this activation when the v4 socket call is being made.

  There is no difference between b.1) and c) wrt. bits on the wire,
  right?

=> the difference between b.1) and c) is the type of IPv4 addresses.
If the IPv4 address can be statically allocated c) (and in fact b.1) too)
is not required, if the IPv4 address is global and cannot be statically
allocated (because the pool is too small), c) is required (and d) as
a consequence of c) too). BTW you could say that a NAT removes the
requirement but I don't think you'd like to use this argument.


In fact, I *do* like to use that argument :-).

In any case, while different kinds of addresses used may or may not affect the weighing of tradeoffs, I don't see how b.1) and c) differ on the wire. The protocol to set up the signalling, the tunneling, etc. can be the same, i.e., there's no difference on the wire, and a decision could be just an implementation decision.

I'm not sure if there's anything requiring interoperability in d) either, as I guess you could just remove the tunnel interface if you don't have an address anymore -- I'm not sure if it's even worth the trouble -- but that's debatable.

  >   My point is that I'm having hard time figuring out:
  >     1) what the document means when it's recommending DSTM, and
  >
  > => the references

  As said, I don't think a wg doc like this can shrug off these kinds of
  issues by just referring to non-wg documents and letting them sort
  things out.  Best would probably be summarizing the different
  requirements or non-requirements (a-d above) in this doc, removing the
  references altogether, and enhancing the dstm spec (or writing a
  separate draft describing the scenarios/requirements for v4-in-v6
  tunneling) to try to remove any confusion.

=> so you ask for a scenario with global IPv4 addresses (c)) or
for clear operational advantages for (c)).

I'm only looking for the second, because the first may or may not call for this scenario.

IPv6-dominant networks (section 6) are the reason to ask for at least a),
the text ("must acquire...locate...") suggests at least b.1).
It seems I have now a clear view of the "missing part" in the WG I-D...

yes, and these must be clearly separated from each other, especially if there is a scenario calling out for c) or d).

I propose this scenario:
- an IPv4 site with 200 nodes using a /24 is connected to the Internet.
- the site grows to 500 nodes, solutions are:
  * get more IPv4 addresses: I suppose it is not possible.
  * put a NAT: I suppose we don't want this!
    Note a NAT on addresses only should be enough.
  * switch to IPv6, get a /48, take advantages of IPv6 feature, etc,
   but what to do with partners (perhaps including the ISP :-) still
   using IPv4: lookup for the solution in the WG I-D?
- I assume there is a reasonnable number of "simultaneous" nodes which
  need an IPv4 address from the /24 pool. This assumption is used for
  the NAT or the DSTM solution (I have real world figures to support
  this assumption).
- the best solution is DSTM...

Frankly, the dominant v6 deployment for this problem seems like shooting birds with 160mm cannon (much much trouble that way), but that aside..

What are the chances that such a site is not already using NAT, or doesn't have the capability of getting more addresses?

In university world, lots of places actually use mostly global v4 addresses, but on the other hand, they also seem to be quite capable of obtaining more from their LIRs and RIR as needed.

I'd be interested in seeing which kind of figures you have, could you send e.g., offlist if long?

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Follow-Ups:
- Re: WGLC ent-analysis-03: DSTM
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

References:
- Re: WGLC ent-analysis-03: DSTM
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

Prev by Date: Re: Last Call on draft-ietf-v6ops-security-overview-02.txt
Next by Date: Anything happening with lrw/softwires WG?
Previous by thread: Re: WGLC ent-analysis-03: DSTM
Next by thread: Re: WGLC ent-analysis-03: DSTM
Index(es):
- Date
- Thread