Re: [RRG] Consensus check: renumbering - missing dimension
Christopher Morrow wrote:

> stateless-autoconfig is entirely not sufficient for site admins to use in a 'renumbering' event. There are many items passed out in DHCP responses which are used by the end systems and not included in stateless-autoconfig. Existing practices account for these items via DHCP in a mostly centralized manner; without these items site-admins will be left with no option but to manually touch each device...
>
> Take a moderately large enterprise of 50k systems in a global setting: how long will it take to touch each of the 50k devices and change even the basics: dns-server, wins-servers, domainname (assume you can not 'trust' the system owner/user to get this right, and assume you have limited helpdesk-staff).

End systems don't matter. They are easy to renumber. Harder are the routers, the name servers, and all the services that are contained within a DNS response. Coordination with upstreams, change of ACLs, testing of perimeters, configuration of all IP-address aware systems, etc. Almost none of that is the end host.

Eliot

--
to unsubscribe send a message to [EMAIL PROTECTED] with the word 'unsubscribe' in a single line as the message text body.
archive: http://psg.com/lists/rrg/ ftp://psg.com/pub/lists/rrg
Re: [RRG] Consensus check: renumbering - missing dimension
As someone running a dual-stack v6 enterprise (smallish), I think I agree with everything written in the last few posts.

Brian says that enterprises will want DHCPv6, for the reasons Dale says (SLAAC being 'distasteful' and the complexity of privacy addresses), but also DHCP is the model that admins are comfortable with today, and change is always viewed warily. Admins will believe that DHCP provides an easier way to tie addresses to users.

I agree with Brian that the key thing about RFC4192 is that end systems can live happily in a multiaddressed state during a 'graceful' renumbering event, no need for that flag day cutover. But as Eliot says, the complexity isn't in the end systems, it's in the other devices in the network, which is where we need some level of automation as described by Iljitsch. In the past, Router Renumbering was suggested, but there were a number of problems with that.

I think also that network management/monitoring tools need to be enhanced to understand renumbering events, e.g. perhaps to detect if certain hosts are not in the correct phase of RFC4192. The event could ideally be triggerable and configurable from such a tool. But that implies the tool also drives DNS scripts, firewall configurations, etc. too.

--
Tim
Re: [RRG] Consensus check: renumbering - missing dimension
On Aug 24, 2008, at 6:22 PM, Tony Li wrote:

> Do folks really feel that stateless autoconfig is a significant step forward vs. DHCP? Current dual-stack site admins would be especially welcome to opine.
>
> Tony

When we enabled IPv6 on our whole campus network the main issue was that autoconfig did not give our security folks a log of the MAC to IP mapping over time. So we set up some scripts to grab the Neighbor Cache periodically as a temporary solution until we implemented DHCPv6. I've talked to several other universities who have either implemented equivalent scripts (even earlier than us) or plan to as they implement IPv6.

Looking more closely at DHCPv6, our Neighbor Cache scripts may be more permanent than we planned, since the client id in DHCPv6 may be based on the MAC of any interface on the host, which is different from DHCP in IPv4 where the client id was based on the MAC of the interface the DHCP request came from. It looks like there is a reason for the difference, I just didn't spot the difference earlier. Any MAC address on the machine will help our security folks identify a machine, but on the practical side we find it quite useful to block the MAC addresses of hosts, for example if they are compromised etc. And for the MAC blocking to be successful we need to have the correct MAC that a host uses on a given subnet.

Longer term, security aside, we also will want DHCPv6 for more purely network administration reasons. We have had devices from unix workstations to lightweight Access Points and VoIP phones that learn extra info via DHCP. The workstations learned the address of tftp servers, the APs the addresses of controllers and the phones several different IP addresses. The APs now have at least two other methods of learning the IPs of the controllers and long term it is possible that phones would provide options other than DHCP also.

But in addition to learning extra addresses we have also used the vendor class info to assign devices to different IP pools based on the vendor.

I expect that just as we will have both IPv4 and IPv6 in our campus for quite a while we will likely be using both DHCPv6 and autoconfig for quite a while (especially with vendors like Apple saying they have no plans to implement DHCPv6).

---
Bruce Curtis [EMAIL PROTECTED]
Certified NetAnalyst II  701-231-8527
North Dakota State University
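What the periodic Neighbor Cache scripts Bruce describes can look like, together with the "is this host in the correct RFC 4192 phase" check Tim asked for earlier in the thread, as an added Python example that is not either poster's code. It assumes Linux iproute2 `ip -6 neigh show` output; the snapshot lines, MAC addresses and prefixes are constructed, and the add/deprecate/drop classification is a sketch of Tim's check, not a defined RFC 4192 mechanism.

```python
import ipaddress
import re
from collections import defaultdict

# Matches Linux `ip -6 neigh show` lines that carry a link-layer address, e.g.
#   2001:db8:1::a dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
# FAILED/INCOMPLETE entries have no lladdr and therefore do not match.
NEIGH_RE = re.compile(r"^(?P<ip>[0-9a-fA-F:]+)\s+dev\s+\S+\s+lladdr\s+"
                      r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+\S+")

def parse_snapshot(text, taken_at):
    """Yield (mac, ip, taken_at); link-local addresses are skipped because
    they say nothing about which global prefix the host is using."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m is not None:
            ip = ipaddress.IPv6Address(m.group("ip"))
            if not ip.is_link_local:
                yield m.group("mac").lower(), ip, taken_at

def update_history(history, records):
    """history[(mac, ip)] = [first_seen, last_seen]: the MAC-to-IP audit
    trail the campus security team wanted from DHCP. Returns history."""
    for mac, ip, ts in records:
        seen = history.setdefault((mac, ip), [ts, ts])
        seen[0], seen[1] = min(seen[0], ts), max(seen[1], ts)
    return history

def renumbering_status(history, old_prefix, new_prefix):
    """Per MAC, where it stands in an RFC 4192 add/deprecate/drop move:
    'both', 'old_only' (has not picked up the new prefix) or 'new_only'."""
    old, new = ipaddress.IPv6Network(old_prefix), ipaddress.IPv6Network(new_prefix)
    per_mac = defaultdict(set)
    for mac, ip in history:
        if ip in old:
            per_mac[mac].add("old")
        elif ip in new:
            per_mac[mac].add("new")
    return {mac: "both" if len(s) == 2 else f"{next(iter(s))}_only"
            for mac, s in per_mac.items()}

# Constructed snapshots: at t=1 only 2001:db8:1::/64 is advertised; at t=2
# 2001:db8:2::/64 has been added and host ...:bb has autoconfigured into it.
SNAP_T1 = """2001:db8:1::aa dev eth0 lladdr 00:11:22:33:44:aa REACHABLE
2001:db8:1::bb dev eth0 lladdr 00:11:22:33:44:BB STALE
fe80::211:22ff:fe33:44bb dev eth0 lladdr 00:11:22:33:44:bb REACHABLE
2001:db8:1::cc dev eth0  FAILED"""
SNAP_T2 = """2001:db8:1::aa dev eth0 lladdr 00:11:22:33:44:aa STALE
2001:db8:2:0:211:22ff:fe33:44bb dev eth0 lladdr 00:11:22:33:44:bb REACHABLE"""
```

Feeding the two snapshots through `update_history` and then `renumbering_status(hist, "2001:db8:1::/64", "2001:db8:2::/64")` reports `...:aa` as `old_only` and `...:bb` as `both`; the host that never picked up the new prefix is the one to chase before the old prefix is dropped.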
Re: [RRG] Consensus check: renumbering - missing dimension
On 26 Aug 2008, at 17:30, Templin, Fred L wrote:

> clients can contact relays via link-local multicast.

That is exactly the problem. On 802.11 networks multicasts are sent at a very low speed for compatibility and because there are no ACKs for multicasts, so they use up a lot of airtime/bandwidth. The hack that I was talking about would be for access points to not repeat multicasts from clients on the wireless network. (I'm guessing this would make the network at IETF meetings a lot faster during plenaries.)
RE: [RRG] Consensus check: renumbering - missing dimension
> -----Original Message-----
> From: Iljitsch van Beijnum [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 26, 2008 8:46 AM
> To: Templin, Fred L
> Cc: Routing Research Group
> Subject: Re: [RRG] Consensus check: renumbering - missing dimension
>
> On 26 Aug 2008, at 17:30, Templin, Fred L wrote:
>
> > clients can contact relays via link-local multicast.
>
> That is exactly the problem. On 802.11 networks multicasts are sent at a very low speed for compatibility and because there are no ACKs for multicasts, so they use up a lot of airtime/bandwidth. The hack that I was talking about would be for access points to not repeat multicasts from clients on the wireless network. (I'm guessing this would make the network at IETF meetings a lot faster during plenaries.)

Who says the client has to contact the relay over an 802.11 network? Who says the client even has to reside on a different physical platform than the relay? AFAICT, an internal virtual link can service a client's requests through relay just the same as for an external physical link.

Fred
[EMAIL PROTECTED]
Re: [RRG] Consensus check: renumbering - missing dimension
On 8/24/08 7:22 PM, Tony Li allegedly wrote:

> Do folks really feel that stateless autoconfig is a significant step forward vs. DHCP? Current dual-stack site admins would be especially welcome to opine.

Speaking in relative ignorance but reporting ... I was talking to someone a few days ago who bemoaned what he saw as a lack of administrative control with stateless autoconfig.
Re: [RRG] Consensus check: renumbering - missing dimension
On Sun, Aug 24, 2008 at 7:22 PM, Tony Li [EMAIL PROTECTED] wrote:

> |The reasoning is that IPv6 was designed that way, so why not
> |use the feature if it proves to be useful, at least for small/medium
> |sites.
>
> Do folks really feel that stateless autoconfig is a significant step forward vs. DHCP? Current dual-stack site admins would be especially welcome to opine.

stateless-autoconfig is entirely not sufficient for site admins to use in a 'renumbering' event. There are many items passed out in DHCP responses which are used by the end systems and not included in stateless-autoconfig. Existing practices account for these items via DHCP in a mostly centralized manner; without these items site-admins will be left with no option but to manually touch each device...

Take a moderately large enterprise of 50k systems in a global setting: how long will it take to touch each of the 50k devices and change even the basics: dns-server, wins-servers, domainname (assume you can not 'trust' the system owner/user to get this right, and assume you have limited helpdesk-staff).

-chris

> Tony
Re: [RRG] Consensus check: renumbering - missing dimension
On 2008-08-26 09:28, Christopher Morrow wrote:

> On Sun, Aug 24, 2008 at 7:22 PM, Tony Li [EMAIL PROTECTED] wrote:
>
> > |The reasoning is that IPv6 was designed that way, so why not
> > |use the feature if it proves to be useful, at least for small/medium
> > |sites.
> >
> > Do folks really feel that stateless autoconfig is a significant step forward vs. DHCP? Current dual-stack site admins would be especially welcome to opine.
>
> stateless-autoconfig is entirely not sufficient for site admins to use in a 'renumbering' event. There are many items passed out in DHCP responses which are used by the end systems and not included in stateless-autoconfig. Existing practices account for these items via DHCP in a mostly centralized manner; without these items site-admins will be left with no option but to manually touch each device...
>
> Take a moderately large enterprise of 50k systems in a global setting: how long will it take to touch each of the 50k devices and change even the basics: dns-server, wins-servers, domainname (assume you can not 'trust' the system owner/user to get this right, and assume you have limited helpdesk-staff).

My memory is that back when stateless auto-config was conceived, the main target was the dentist's office scenario, i.e. basic AppleTalk-like zeroconf sites.

Unfortunately we still have one hole in this area: no way to advertise a DNS server address in RA messages. See RFC 4339.

I'm quite sure that larger sites with any kind of IT management will need DHCPv6.

But I don't see why that interacts with the multi-prefix issue.

Brian
RE: [RRG] Consensus check: renumbering - missing dimension
|I'm quite sure that larger sites with any kind of IT management
|will need DHCPv6.
|
|But I don't see why that interacts with the multi-prefix issue.

There was an assertion made by someone that IPv6 was going to be significantly easier to renumber.

Tony
Re: [RRG] Consensus check: renumbering - missing dimension
On 2008-08-26 13:08, Tony Li wrote:

> |I'm quite sure that larger sites with any kind of IT management
> |will need DHCPv6.
> |
> |But I don't see why that interacts with the multi-prefix issue.
>
> There was an assertion made by someone that IPv6 was going to be significantly easier to renumber.

s/easier/less awful/

But I think the reason is not specific to stateless-autoconf or DHCPv6. In my mind it's because v6 prefixes will never be in desperately short supply, so the normal model is add/deprecate/drop rather than replace. That's the point of RFC 4192.

Brian
RE: [RRG] Consensus check: renumbering - missing dimension
|But I think the reason is not specific to stateless-autoconf or DHCPv6.
|In my mind it's because v6 prefixes will never be in desperately
|short supply, so the normal model is add/deprecate/drop rather than
|replace. That's the point of RFC 4192.

Hmmm... Ok, to my mind that only addresses one small part of the pain. ;-)

If we have an architectural solution, then we're renumbering identifier prefixes, and those shouldn't be 'hard' to get either.

Tony
Re: [RRG] Consensus check: renumbering - missing dimension
On Aug 25, 2008, at 5:35 PM, Brian E Carpenter wrote:

> My memory is that back when stateless auto-config was conceived, the main target was the dentist's office scenario, i.e. basic AppleTalk-like zeroconf sites.

And IPX had it, often on a much larger scale (we had thousands of hosts using it).

> Unfortunately we still have one hole in this area: no way to advertise a DNS server address in RA messages. See RFC 4339.

RFC 5006 now provides this, although I only know of one implementation.

Cheers,
Dale
AS59 AS2381
Re: [RRG] Consensus check: renumbering - missing dimension
On 2008-08-23 19:48, Tony Li wrote:

> Hi Robin,
>
> |BTW, I found that the poll URL generated a No such poll response.
>
> Indeed. Mea culpa. Sorry, I don't know how that got corrupted. Here's the correct poll:
>
> http://www.doodle.ch/participation.html?pollId=ziu439pxxpcx33da

I was about to click enthusiastically on choice #3 when I realised that I really wanted to discriminate between IPv4 and IPv6.

For IPv4, I consider that the train left the station many years ago, and the only reasonable answer is None at all.

For IPv6, habits are not yet set in stone, and I think we should stick to our guns, so the reasonable answer is Once per ISP added or dropped. The reasoning is that IPv6 was designed that way, so why not use the feature if it proves to be useful, at least for small/medium sites.

Brian
RE: [RRG] Consensus check: renumbering - missing dimension
|The reasoning is that IPv6 was designed that way, so why not
|use the feature if it proves to be useful, at least for small/medium
|sites.

Do folks really feel that stateless autoconfig is a significant step forward vs. DHCP? Current dual-stack site admins would be especially welcome to opine.

Tony