Hello Dave: If you have a v4 only network and are willing to migrate to v6 that’s certainly neat and the YATT traffic will just be another v6 traffic that your BCP 38 rules will process. Still you’ll find IPv4 only customers, and you’ll end up with both v4 and v6, and CG NATs, etc. This is what we need to compare with, not IPv6 only.
YADA applies to those who would not want dual stack and CG NAT, at least as the main rule. Those who would prefer to see end point transition for the most part to something easier to digest if not full v6. To your points: - yes the NAT is not stateful and that makes all the difference in the world. It becomes a network operation like an MPLS tunnel encapsulation that your router does BAU day in day out - I’ll trust you on your filters but filters for IPv4 only does probably do something for IP in IP, be it for the case where it’s v6 inside. Not saying it’s free, it’s a one-time opex. But not seeing that it’s the same cost as dual stack and CG NATs either, which are both opex and capex. - Upgrade/replace all my CPE + Have the network stack on my customers OS upgraded That’s where the kneejerk rejection shows the most. For the one thing if the customer OS is upgraded then why would you update the CPE? Then not all devices need this, many are hapopy with the current state of affairs? And the other way around if the CPE is upgraded, do we need to update the users devices? So presented as you did it’s plain dishonest. That’s why I found the YADA pun so funny actually. Unless we’re uncharacteristically efficient on this one, the CPE software will be upgraded a number of times before this thing takes off, and the CPE themselves might be replaced for the most part. The way I see it, adoption can happen from one customer alone. And yes, that would add to the list of ways to bypass BCP 38. So yes, it would be neat that you install rules that understand IP in IP if you do not already have them, with something for YADA in addition, and yes, that’s not free. But compared to CG NAT and dual stack? Well, I’d be happy to help people have that choice. Keep safe; Pascal From: Dave Bell <m...@geordish.org> Sent: mardi 5 avril 2022 13:03 To: Pascal Thubert (pthubert) <pthub...@cisco.com> Cc: Dave Bell <m...@geordish.org>; Matthew Petach <mpet...@netflight.com>; Vasilenko Eduard <vasilenko.edu...@huawei.com>; NANOG <nanog@nanog.org> Subject: Re: Let's Focus on Moving Forward Re: V6 still not supported re: 202203261833.AYC Hi Pascal, From what I'm reading, it seems like you're implying that the bulk of the ISP network does not need to change to implement this new IP protocol. If that is the case, then you are incorrect. Without the router that the customer connects to being aware of this new protocol, then you are opening yourself up to address forgery on a massive scale. The ISPs next hop needs to be able to inspect both the regular source address, and the encapsulated source address to ensure that the customer is sending legitimate traffic (uRPF). In my world the BNG is the most complicated part of the network. The CPE I'm sending out to my customers now presumably needs its NAT implementation altering? It now does translation on the inner IP header rather than the regular what is now outer. So to summarize, to implement this I need to do the following: * Install some CG-NAT device (You can argue its not CG-NAT because its stateless - It will have a lot of traffic going through it, so its carrier grade, and its translating from one type of IP to another, so its network address translation.) * Upgrade my BNGs to cope with the new address format for uRPF purposes * Upgrade/replace all my CPE * Have the network stack on my customers OS upgraded Not to mention all the testing required to ensure that it all will work smoothly. That is a lot of work, and I still don't see the benefit over just moving to IPv6. Regards, Dave On Tue, 5 Apr 2022 at 10:30, Pascal Thubert (pthubert) <pthub...@cisco.com<mailto:pthub...@cisco.com>> wrote: Hello Dave: The problem we have not solved is with the (host, gateway, ISP network) that will not move; and I’m hearing in this list that there’s one big reason: because the step (the leap really) is too wide. And I also read a consensus that dual stack and large NATs are not the long term solution people want. The primary goal here is to avoid dual stack forever, and not having enormous CG-NATs either. The proposal is to replace the leap that few can achieve by a series of baby steps that most can, and will to a point. To your example: say that you’re willing to migrate your host stack to IPv6-only. But then your ISP or your home gateway does not have it. Stuck. If you form a YATT address, the stateless translation will discover that there’s no v6 and turn the YATT packet into YADA. With that you can talk to any YADA and YATT node in the universe, though you can neither reach all IPv6 nodes nor all IPv4 nodes. That’s where the baby steps land. The motivation to go YADA from IPv4 (as opposed to IPv6 altogether) is feasibility. With YADA, the change is smaller in the upper stack and the applications. Say you have VMs that are IPv4 only, that you do not control the stack at all but just the hosting system. The hosting system can serve as/intercept DNS, NAT the YADA double-A destination to a single-A with an address from the pool, leaving the VM stack unchanged. An upgraded home gateway could do that too for the whole private network. YADA and YATT are equivalent, they are the IPv4 and IPv6 formulations of the same thing; what goes on the wire is whatever matches what the ISP network offers. Each AS or realm can decide to be one version only. The stateless NAT at the border can be wire speed, there’s state nor no complexity involved in that translation. When you’re already IPv6 you need none of that. IPv6 is the sphere than encompasses all the planes (realms) and the shaft. Plus all the air in between. But the IPv6 host could be so nice as to support YATT, which effectively is an effort on its part, but gives it a /64 for free, automatically. That’s a bonus that could become handy. Keep safe; Pascal From: Dave Bell <m...@geordish.org<mailto:m...@geordish.org>> Sent: mardi 5 avril 2022 9:45 To: Pascal Thubert (pthubert) <pthub...@cisco.com<mailto:pthub...@cisco.com>> Cc: Matthew Petach <mpet...@netflight.com<mailto:mpet...@netflight.com>>; Vasilenko Eduard <vasilenko.edu...@huawei.com<mailto:vasilenko.edu...@huawei.com>>; NANOG <nanog@nanog.org<mailto:nanog@nanog.org>> Subject: Re: Let's Focus on Moving Forward Re: V6 still not supported re: 202203261833.AYC Considering this requires updating every single IP stack that wants to utilise this, what are the benefits of it other than just moving to IPv6? Regards, Dave On Tue, 5 Apr 2022 at 08:24, Pascal Thubert (pthubert) via NANOG <nanog@nanog.org<mailto:nanog@nanog.org>> wrote: Hello Matthew At the moment the draft has a general architecture, and it will take the right minds and experience to turn a model into a live network. Considering what the people in this list have already built, it’s no gigantic leap to figure they can build that too. Most of the building blocks that are implicit or TBD in the draft exist already. About linking ASN to realms, that’s Eduard’s view, I’ll let him answer. The draft is not like that, all existing ASN and IP addresses can be reused in every new realm, and there does not need to be any mapping. If people find a need or a reason to add constraints, that’s beyond me at this time, and against the natural philosophy of minimizing interdependences to maintain design freedom in each realm. The draft has one and one only dependency, that surface of the shaft is common to all realms. To your point, and unrelated to ASNs, the shaft can be physically distributed. Each physical place would announce 240.0.0.0/6<http://240.0.0.0/6>, and the nearest alive would attract the traffic. See it as as many IXPs. In the current draft, there’s only one shaft that links all realms. And there’s a single realm number for each realm that is advertised in every physical instances of the shaft. All that is a simplification to highlight the design. As the shaft lives on, a realm may be multihomed, the shaft might be subnetted to interconnect only specific realms, or to be advertised differently in different geographies. And then the subnets will need to be injected in the realms. The way around a breakage can be DNS, or BGP. All this is possible, you’ve already done it, and it’s really your play. We build the car, you drive it. Happy that you start figuring out how you prefer it to happen. While we figure out protocols to renumber more efficiently, fix source address selection, extend the NATs, you name it. There’s work for all and at every phase. But at this stage of the discussion, I favor the 10 miles view to get a shared basic understanding. On the side, I’d be happy to learn how you solved a situation like the one below, if there’s any article / doc? Keep safe; Pascal From: Matthew Petach <mpet...@netflight.com<mailto:mpet...@netflight.com>> Sent: mardi 5 avril 2022 0:29 To: Vasilenko Eduard <vasilenko.edu...@huawei.com<mailto:vasilenko.edu...@huawei.com>> Cc: Pascal Thubert (pthubert) <pthub...@cisco.com<mailto:pthub...@cisco.com>>; Nicholas Warren <nwar...@barryelectric.com<mailto:nwar...@barryelectric.com>>; Abraham Y. Chen <ayc...@avinta.com<mailto:ayc...@avinta.com>>; Justin Streiner <strein...@gmail.com<mailto:strein...@gmail.com>>; NANOG <nanog@nanog.org<mailto:nanog@nanog.org>> Subject: Re: Let's Focus on Moving Forward Re: V6 still not supported re: 202203261833.AYC On Mon, Apr 4, 2022 at 10:41 AM Vasilenko Eduard via NANOG <nanog@nanog.org<mailto:nanog@nanog.org>> wrote: 240.0.01.1 address is appointed not to the router. It is appointed to Realm. It is up to the realm owner (ISP to Enterprise) what particular router (or routers) would do translation between realms. Please forgive me as I work this out in my head for a moment. If I'm a global network with a single ASN on every populated continent on the planet, this means I would have a single Realm address; for the sake of the example, let's suppose I'm ASN 42, so my Realm address is 240.0.0.42. I have 200+ BGP speaking routers at exchange points all over the planet where I exchange traffic with other networks. In this new model, every border router I have would all use the same 240.0.0.42 address in the Shaft, and other Realms would simply hand traffic to the nearest border router of mine, essentially following a simple Anycast model where the nearest instance of the Realm address is the one that traffic is handed to, with no way to do traffic engineering from continent to continent? Or is there some mechanism whereby different instances of 240.0.0.42 can announce different policies into the Shaft to direct traffic more appropriately that I'm not understanding from the discussion? Because if it's one big exercise in enforced Hot Potato Routing with a single global announcement of your reachability... ...that's gonna fail big-time the first time there's a major undersea quake in the Strait of Taiwan, which cuts 7/8ths of the trans-pacific connectivity off, and suddenly you've got the same Realm address being advertised in the US as in Asia, but with no underlying connectivity between them. https://www.submarinenetworks.com/news/cables-cut-after-taiwan-earthquake-2006 We who do not learn from history are doomed to repeat it...badly. :( Matt
