[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-ietf-ipv6-unique-local-addr-08.txt



Mark Andrews <Mark_Andrews@xxxxxxx> wrote:

|> Mark Andrews <Mark_Andrews@xxxxxxx> wrote:
|> 
|> |> Mark Andrews <Mark_Andrews@xxxxxxx> wrote:
|> |> 
|> |> |> Mark Andrews <Mark_Andrews@xxxxxxx> wrote:
|> |> |> 
|> |> |> |+    Advertising locally assigned ULA AAAA records in the global DNS i
|> s
|> |> |> |+    MUST NOT occur as they are not globally unique and will lead
|> |> |> |+    to unexpected connections.
|> |> |> 
|> |> |> I strongly object to making this a "MUST NOT," especially with the grow
|> ing
|> |> |> uncertainty that there will ever be a _permanent_ centrally assigned fl
|> avo
|> |> r
|> |> |> of ULA available without recurring fees.
|> |> |
|> |> |	Publishing AMBIGIOUS addresses in the GLOBAL DNS is WRONG.
|> |> 
|> |> Wrong in what way?  Morally?  If you don't want to be troubled by the
|> |> presence of locally assinged ULAs in my forward DNS, just don't request
|> |> names from my forward DNS.
|> |
|> |	A host may have *both* a LOCALLY ASSIGNED ULA and a global
|> |	addresses.  In fact this is highly likely.  If I have a
|> |	machine withe the same ULA when I attempt to connect the
|> |	remote machine I will get my machine according to the address
|> |	selection rules.
|> 
|> This may be true, but it is not responsive in spite of the tasteful use of
|> ALL CAPS.  You are starting with the premise that you are attempting to
|> access my machines by looking up a name in my DNS.  If you don't like the
|> way I populate my DNS then you don't need to use my DNS.
|
|	If it in the global DNS is in NOT "your DNS".  It is everybodies.

What are you talking about?  The data in my DNS resides in my servers or
in servers that I contract to hold it.  You don't see it unless you query
those servers.

|	If you want to put it in your DNS then use split DNS.   Stop
|	polluting the commons.

This is not a commons issue.  Stop trying to assert jurisdiction over my
property.

|> |> |	If you need to publish them in the DNS you need to use a 
|> |> |	split DNS configuration.
|> |> 
|> |> No, that will not work if I want to use locally assigned ULA addresses for
|> |> dynamic tunnels that anyone can access.  And in any case, do you really wa
|> nt
|> |> us to be in a position of mandating split DNS?  I have no objection to fol
|> ks
|> |> running split DNS if they so desire, but I do not so desire and I certainl
|> y
|> |> do not wish to force split DNS on anyone.
|> |
|> |	Then choose a centrally assigned ULA.
|> 
|> As I'm sure you are aware, centrally assigned ULAs are not currently availabl
|> e
|> and their future availability on the terms originally suggested is becoming
|> increasingly unlikely.
|
|	Centrally assigned ULAs will appear.

I never said that they will not, only that it is unlikely that they will
exist on the terms originally suggested in discussion by this working group.

|> |The two types of ULA have
|> |	different usage patterns.  Pick the correct one for the job.
|> 
|> When the proposal to create ULAs was "split" in order to accommodate a longer
|> process for the centrally assigned flavor (because of the supposed need for
|> comments from the existing address registries) the locally assigned flavor
|> had the necessary attributes to support a wide variety of usage patterns.
|> You propose to restrict the usage of the locally assigned flavor in such a
|> way that many interesting applications will demand the centrally assigned
|> flavor.  I propose that if we really want to do that then we should first
|> insure that the centrally assigned flavor comes into existence on reasonable
|> terms.

I see that you again declined to respond to my proposal that we first insure
that the centrally assigned ULAs come into existence on reasonable terms.

|> |> |This is no different to how we handle
|> |> |	RFS 1918 address.
|> |> 
|> |> Umm, if locally assigned ULA addresses are going to have to be treated the
|> |> same as RFC1918 addresses, why couldn't we have just kept site local addre
|> sse
|> |> s?
|> |
|> |	Centrally assigned ULAs are globally unique.  The restiction if
|> |	you read what was written above was on LOCALLY ASSIGNED ULAs.
|> 
|> And if you read what I wrote above you will see that I was indeed speaking
|> of locally assigned ULAs, even though I didn't put it IN ALL CAPS.
|>
|> |	There is a choice.  You choose which set of tradeoffs to apply
|> |	when select your ULA.  You could even have one of each type.
|> 
|> This is a false choice.  It is impossible to choose the set of tradeoffs
|> because we have no idea what the attributes of centrally assigned ULAs (if
|> they ever exist at all) will be.  Basically, we copped out on mandating the
|> critical attributes of centrally assigned ULAs (permanent assignment, low
|> one-time fee) yet now you want to mandate restrictions on locally assigned
|> ULAs that will force a requirement for the centrally assigned flavor.
|
|	You believe permanent assignment, low one-time fee was manditory.

In as much as those attributes were core to the original proposal, yes.  But
that is irrelevant to the impossibility of examining tradeoffs when we have
no idea what the attributes of centrally assigned ULAs will be.  It is rash
to use the assumption that there will be useful choices in the future to
restrict choices today.

|	I never did.  The *only* thing critical about centrally assigned
|	addresses is that that are uniquely assigned within the specified
|	address range.

But uniquely assigned addresses are already available.  They are expensive
and they are not permanent.  Do you really expect anyone to believe that
you thought that the sole purpose of the centrally assigned ULA proposal
was to create a new numerical range with no specific allocation attributes?
Either you totally missed the point or else you are arguing so disingenuously
that progress is impossible.

|The rest is just nice to have.  If the registries
|	charge too much then people will move to locally assigned ULA and
|	live with the limitations imposed by those addresses.

That answer was acceptable before you proposed to impose such a severe
restriction on locally assigned ULAs.

|> |> |They don't get published in the GLOBAL DNS
|> |> |	because they are AMBIGIOUS.
|> |> 
|> |> Merely repeating this assertion (even IN ALL CAPS) really isn't a useful
|> |> argument.  We have spent many months discussing ULAs as a solution to the
|> |> ambiguity of site local addresses.  This seems like a last minute attempt
|> |> to cripple them.
|> |
|> |	No.  It is a attempt to prevent harm from incorrect use.
|> 
|> Harm to whom?
|
|	Harm to users of the DNS.

Again, nobody forces you to use the DNS of a publisher of locally
assigned ULAs.

|RFC 1535 was written in response to
|	resolvers return address which connected to the wrong machines
|	when putting in fully qualified addresses.  You are asking
|	the WG to endore a similar policy because you believe centrally
|	assigned addresses will never occur.

No, I'm asking the WG to wait until centrally assigned addresses exist before
effectively crippling locally assigned ULAs.  But for the record I do not
accept your premise that any small chance of ambiguity is euqally objectionable
to an almost guaranteed ambiguity.

|> |> |> An important feature of even locally assigned ULAs is that they are glo
|> bal
|> |> ly
|> |> |> unique "enough" for many/most purposes that have been discussed.  After
|>  mo
|> |> nth
|> |> |> s
|> |> |> of analysis to that end, their lack of absolute uniqueness is insuffici
|> ent
|> |>  to
|> |> |> justify adding new prohibition on a particular range of uses at this la
|> te 
|> |> dat
|> |> |> e.
|> |> |
|> |> |	They are unique enough to link serveral hundred / thousand sites
|> |> |	*with minimal renumbering required*.
|> |> |
|> |> |	They are not unique enough to link millions of sites where the
|> |> |	is no way of knowing that renumbering is required.
|> |> 
|> |> Even if you are correct that they are not unique enough to link millions
|> |> of sites (and I do not accept that you are correct--duplicates could be
|> |> handled by cooperating sites by a de facto uniqueness mechanism outside
|> |> the scope of this proposal) how does this justify restricting the utility
|> |> of locally assigned ULAs in the several hundred/thousand sites case?
|> |> 
|> |> How about a compromise?  Let's first insure that centrally assigned ULAs
|> |> are available for permanent assignment with no recurring fees (and at most
|> |> a nominal initial fee).  Once that is accomplished we would be in a better
|> |> position to weigh the costs/benefits of recommending locally assigned ULAs
|> |> in various contexts.  Such recommendations could be in a document separate
|> |> from the core ULA document.  Restricting the use of locally assigned ULAs
|> |> before we even know whether there will be an alternative seems a bit rash.
|> |> After all, this topic has been under discussion for a very long time; what
|> 's
|> |> the rush now?
|> 
|> I see that you declined to reply to my suggested compromise.  How about we
|> make centrally assigned ULAs work before we break locally assigned ULAs?
|> 
|> |	It's not rash.  They have limitations.
|> 
|> You are confusing architectural limitations with administrative restrictions.
|> The architectural limitation of locally assigned ULAs is that there is some
|> chance of duplication.  This implies that exposure of such addresses outside
|> of the realm in which their uniqueness can be guaranteed may lead to ambiguit
|> y.
|> This is true regardless of the mechanism used to expose those addresses: glob
|> al
|> DNS, some other name lookup system, or even the passing of a literal address
|> in some random protocol.
|> 
|> Your proposal to prohibit locally assigned ULAs from the global DNS is an
|> administrative restriction--one which considerably devalues the addresses
|> in question.
|
|	They were already devalued.  It was inherent consequence of the
|	assignment technique.  You must be the only one who thought that
|	publishing of locally assigned ULA in the global DNS was going to
|	occur.

Actually, I never expected any kind of useful ULAs to exist at all.  I
expected pretty much the kind of two-pronged attack we are seeing.  First
turn the centrally assigned ULAs into rentals like the rest of the global
space and then restrict the locally assigned ULAs to the point where they
are unusable.

|I know from the start as should have anyone who has
|	ever dealt with site locals / link local / RFC 1918 addresses that
|	there were never going to be published in the global DNS.  They
|	were by ther very nature abmigious.
|
|	The fact that I said MUST NOT should not have come as suprise to
|	anyone here.

Well, it comes as no surprise to me because of my cynical assessment of the
entire site local "replacement" plan.  I would think it might come as a
surprise to folks who believed that they might really get some useful stable
address space out of this proposal.

|	Sure the addresses will leak from time to time.  You don't however
|	deliberately *publish* them however.
| 
|> |The fact that you
|> |	don't like the limitatitions does not mean that they should
|> |	not be acknowledged and dealt with appropriately.
|> 
|> The limitations of locally assigned ULAs have been acknowledged and discussed
|> extensively.  Your proposal to create an administrative restriction does
|> nothing to deal with the limitations; it merely forces the use of an as yet
|> undefined alternative where locally assigned ULAs would have been sufficient.
|> This is very reminiscent of the original site local debates.
|
|	Site local was much worse.  Here you choose which type of address to
|	use.

No, you misunderstand.  I was comparing the form of the debates, not the
addresses.  We were perpetually promised that once we got rid of site locals
we could have something better, though as yet unspecified.  Now we almost
have locally assigned ULAs which--if not burdened with various administrative
restrictions--might just be better.  You propose to kill those for anyone not
willing to use split DNS, and instead require centrally assigned ULAs which are
conveniently stuck in limbo waiting for the existing registries to figure out
how much they will cost.  It's interesting that you waited until well after
the central/local division (not to mention well after the original extended
discussions) to start insisting on the addition of your DNS restriction.

In any case, I will have to leave it to others to further this thread--if
indeed anyone cares to do so.  Please feel free to have the last word.

				Dan Lanciani
				ddl@danlan.*com

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@xxxxxxxx
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------