* [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Dave Taht @ 2018-10-23 3:51 UTC (permalink / raw)
To: cerowrt-devel
This is one of those endless bikesheds I'd totally given up on. Thx ted!
https://www.rfc-editor.org/rfc/rfc8375.txt
--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Ted Lemon @ 2018-10-23 4:13 UTC (permalink / raw)
To: Dave Taht; +Cc: cerowrt-devel
On Oct 22, 2018, at 11:51 PM, Dave Taht <dave.taht@gmail.com> wrote:
> This is one of those endless bikesheds I'd totally given up on. Thx ted!
If you're feeling like an adventure, you might find the latest draft of the homenet naming architecture entertaining.
https://github.com/ietf-homenet-wg/simple-naming/blob/master/draft-ietf-homenet-simple-naming.txt
I decided to keep going on it since the submission deadline was extended, so it's pretty close to feature complete except for the HNCP part.
I'm curious: are you using HNCP on your networks?
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Dave Taht @ 2018-10-23 15:09 UTC (permalink / raw)
To: Ted Lemon; +Cc: cerowrt-devel
On Mon, Oct 22, 2018 at 9:13 PM Ted Lemon <mellon@fugue.com> wrote:
>
> On Oct 22, 2018, at 11:51 PM, Dave Taht <dave.taht@gmail.com> wrote:
>
> This is one of those endless bikesheds I'd totally given up on. Thx ted!
>
>
> If you're feeling like an adventure, you might find the latest draft of the homenet naming architecture entertaining.
>
> https://github.com/ietf-homenet-wg/simple-naming/blob/master/draft-ietf-homenet-simple-naming.txt
Read it just now. This is an ietf notion of "simple", yes?
>
> I decided to keep going on it since the submission deadline was extended, so it's pretty close to feature complete except for the HNCP part.
>
> I'm curious: are you using HNCP on your networks?
Mikael is the sole survivor here, so far as I know.
2 years back, I gave up on deploying ipv6 any further than the lab.
Getting dynamic ipv6 reliably into my production network... I gave up.
I asked for a static allocation from comcast, haven't heard back yet.
As examples that persist, dhcpv6-pd renewals seem to be broken in
openwrt still, so I get a bunch of prefixes... and a few a days later
they vanish. I get static routes to nowhere, often, out of that. And:
with only a /60 available, I also run out of prefixes to allocate if
something reboots at the wrong time at the wrong place, and so on.
>
--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Ted Lemon @ 2018-10-23 15:42 UTC (permalink / raw)
To: Dave Taht; +Cc: cerowrt-devel
That is good feedback, if depressing. I'm kind of in the same boat—I
really want to do some work on this for OpenWRT, but it hasn't come up to
the top of the stack yet. The reason I was asking is that when I've said
at IETF that I don't think HNCP is actually complete yet, I get a lot of
rotten tomatoes from the authors.
On Tue, Oct 23, 2018 at 11:09 AM Dave Taht <dave.taht@gmail.com> wrote:
> On Mon, Oct 22, 2018 at 9:13 PM Ted Lemon <mellon@fugue.com> wrote:
> >
> > On Oct 22, 2018, at 11:51 PM, Dave Taht <dave.taht@gmail.com> wrote:
> >
> > This is one of those endless bikesheds I'd totally given up on. Thx ted!
> >
> >
> > If you're feeling like an adventure, you might find the latest draft of
> the homenet naming architecture entertaining.
> >
> >
> https://github.com/ietf-homenet-wg/simple-naming/blob/master/draft-ietf-homenet-simple-naming.txt
>
> Read it just now. this is an ietf notion of "simple", yes?
>
> >
> > I decided to keep going on it since the submission deadline was
> extended, so it's pretty close to feature complete except for the HNCP part.
> >
> > I'm curious: are you using HNCP on your networks?
>
> Mikael is the sole survivor here, so far as I know.
>
> 2 years back, I gave up on deploying ipv6 any further than the lab.
> Getting dynamic ipv6 reliably into my production network... I gave up.
> I asked for a static allocation from comcast, haven't heard back yet.
>
> As examples that persist, dhcpv6-pd renewals seem to be broken in
> openwrt still, so I get a bunch of prefixes... and a few a days later
> they vanish. I get static routes to nowhere, often, out of that. And:
> with only a /60 available, I also run out of prefixes to allocate if
> something reboots at the wrong time at the wrong place, and so on.
>
>
> >
>
>
> --
>
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740
>
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Mikael Abrahamsson @ 2018-10-23 15:47 UTC (permalink / raw)
To: Dave Taht; +Cc: Ted Lemon, cerowrt-devel
On Tue, 23 Oct 2018, Dave Taht wrote:
> Mikael is the sole survivor here, so far as I know.
I ended up disabling the homenet stuff because lifetimes didn't align with
my preference in provider (my non-preferred provider has longer
lease-times than my preferred provider, so in the whole source-selection
mechanism my non-preferred provider won). Also, there is no good way to
detect L2 failures towards providers.
https://tools.ietf.org/html/draft-patterson-intarea-ipoe-health-05 solves.
> As examples that persist, dhcpv6-pd renewals seem to be broken in
> openwrt still, so I get a bunch of prefixes... and a few a days later
> they vanish. I get static routes to nowhere, often, out of that. And:
> with only a /60 available, I also run out of prefixes to allocate if
> something reboots at the wrong time at the wrong place, and so on.
I do not have this problem. I get /56 PD from provider and it hasn't
changed yet.
--
Mikael Abrahamsson email: swmike@swm.pp.se
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Dave Taht @ 2018-10-23 16:12 UTC (permalink / raw)
To: Mikael Abrahamsson; +Cc: Dave Taht, Ted Lemon, cerowrt-devel
Mikael Abrahamsson <swmike@swm.pp.se> writes:
> On Tue, 23 Oct 2018, Dave Taht wrote:
>
>> Mikael is the sole survivor here, so far as I know.
>
> I ended up disabling the homenet stuff because lifetimes didn't align
> with my preference in provider (my non-preferred provider has longer
> lease-times than my preferred provider, so in the whole
> source-selection mechanism my non-preferred provider won). Also, there
> is no good way to detect L2 failures towards providers.
>
> https://tools.ietf.org/html/draft-patterson-intarea-ipoe-health-05 solves.
I just ping6 my upstream dns server, roughly the same algorithm. But
if it goes down, you don't want to take away the local ipv6 addresses,
just the default route, and when you do that, you end up falling back to
ipv4, which also needs that ping.
>> As examples that persist, dhcpv6-pd renewals seem to be broken in
>> openwrt still, so I get a bunch of prefixes... and a few a days
>> later they vanish. I get static routes to nowhere, often, out of
>> that. And: with only a /60 available, I also run out of prefixes to
>> allocate if something reboots at the wrong time at the wrong place,
>> and so on.
>
> I do not have this problem. I get /56 PD from provider and it hasn't
> changed yet.
(this is a case where I'm using dhcpv6-pd internally to get
prefixes. Just one hop to comcast seems to work)
You probably live in a place with reliable power. I get a power flicker
at least once a week. The corest routers are on battery backup but that
only lasts a few hours and the last big outage was about 9 hours about 6
weeks ago. When everything reboots, chaos reigns. When only some things
reboot, different kinds of chaos reign.
I am glad to see some standardized support for naming happen, but even
then, names have to expire, somehow also.
Secondly a usable set of /56s would be "enough" in my case (about 40
boxes), /60 doesn't divide into that.
thirdly, I don't want to assign routable ipv6 prefixes to everything,
just to end-user APs and when I last tried hnpd it wanted to give even
my p2p boxes /64s
fourthly, we have dnsmasq, odhcpd, odhcpc, babel and hnetd all battling
it out with slightly different notions of how to redistribute things.
fifthly, I started running into babel trouble in my original deployment
when I ended up exporting, oh, 13? 11? prefixes and IPs per router by
default. (and had 80 routers at the time) I have a bunch of "fixes" for
babel on github of varying utility, but what mostly worked was to
aggressively filter each "area" down to just the few routes that were
needed - and then getting those filters right, through hnetd, was
essentially impossible.
These days I try to keep each area at one packet total for updates.
I know my use case is "special" compared to the desired needs of
homenet. The prefix allocation mechanism I need here is basically an
authenticated request from many (ipv4 or ipv6 link local) hops deep into
the network, which... I used to do with an itty bitty shell script over
ssh, until I gave up for these other reasons.
static, permanent, real ipv6 to your edge is better, then you can do
whatever you want, however you want, do it once, and never do it again.
I've come to rather appreciate NAT for what it does to separate my
policies from my ISP's.
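An added example, not code from this thread nor from hnetd or odhcpd, of why Dave's /60 cannot be divided among about 40 boxes while a /56 can: a small sub-delegation planner that gives each router a power-of-two block holding one /64 per interface (the "a /64 for every p2p box" behaviour Dave ran into) and refuses a plan the delegated prefix cannot hold. Router names, interface counts and the 2001:db8::/56 and 2001:db8::/60 prefixes are constructed sample data in documentation space.

```python
# Constructed example (not hnetd/odhcpd code): plan per-router sub-delegations
# out of one DHCPv6-PD prefix when every interface consumes a /64.
import ipaddress
import math
from typing import Dict, List, Tuple


def required_prefixlen(interfaces: int) -> int:
    """Prefix length of the smallest power-of-two block holding `interfaces` /64s.
    1 interface -> /64, 2 -> /63, 3 or 4 -> /62, 5..8 -> /61, and so on."""
    return 64 - math.ceil(math.log2(max(1, interfaces)))


def plan(delegated: str, routers: List[Tuple[str, int]]) -> Dict[str, ipaddress.IPv6Network]:
    """Carve `delegated` into one block per (router_name, interface_count).

    Blocks are handed out largest-first from a moving cursor. Because every
    block size is a power of two and sizes never grow along the way, the
    cursor always sits on the natural boundary of the next block, so no
    separate alignment step is needed. Raises ValueError when the plan
    needs more /64s than the delegated prefix contains."""
    parent = ipaddress.IPv6Network(delegated)
    if parent.prefixlen > 64:
        raise ValueError(f"{delegated} is smaller than a /64; nothing to delegate")
    # Sort by prefix length: smaller length = bigger block = first.
    demand = sorted((required_prefixlen(n), name) for name, n in routers)
    needed = sum(1 << (64 - plen) for plen, _ in demand)
    capacity = 1 << (64 - parent.prefixlen)
    if needed > capacity:
        raise ValueError(f"{delegated} holds {capacity} x /64 but the plan needs {needed}")
    cursor = int(parent.network_address)
    out: Dict[str, ipaddress.IPv6Network] = {}
    for plen, name in demand:
        out[name] = ipaddress.IPv6Network((cursor, plen))  # strict: cursor must be aligned
        cursor += 1 << (128 - plen)
    return out


def fits(delegated: str, routers: List[Tuple[str, int]]) -> bool:
    """True when `plan` succeeds, False when the delegated prefix is too small."""
    try:
        plan(delegated, routers)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: 10 access-point routers with 3 interfaces each and
    # 30 point-to-point boxes with one interface, about 40 routers in all.
    site = [(f"ap{i}", 3) for i in range(10)] + [(f"p2p{i}", 1) for i in range(30)]
    print("/60 fits:", fits("2001:db8::/60", site))   # 16 x /64 available, 70 needed
    print("/56 fits:", fits("2001:db8::/56", site))   # 256 x /64 available
    for name, block in plan("2001:db8::/56", site).items():
        print(f"{name:6} {block}")
```

Only the ~40-router count, the /60 and the /56 come from the discussion; the split into access points and p2p boxes is invented to show both block sizes in one plan.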
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Dave Taht @ 2018-10-23 16:15 UTC (permalink / raw)
To: Ted Lemon; +Cc: cerowrt-devel
On Tue, Oct 23, 2018 at 8:42 AM Ted Lemon <mellon@fugue.com> wrote:
>
> That is good feedback, if depressing. I'm kind of in the same boat—I really want to do some work on this for OpenWRT, but it hasn't come up to the top of the stack yet. The reason I was asking is that when I've said at IETF that I don't think HNCP is actually complete yet, I get a lot of rotten tomatoes from the authors.
Did they ever get it to work over dtls?
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Ted Lemon @ 2018-10-23 16:44 UTC (permalink / raw)
To: Dave Taht; +Cc: cerowrt-devel
No, but that's coming. Their security model was borked.
BTW, the naming architecture does handle cleaning up names.
I think your use case is a very interesting one. If it doesn't work
reliably, that's a bad sign. Not shocking at present, though. There are
a lot of things that need to be fixed in HNCP before it can really work;
I'm sorry to hear that about Babel, though.
On Tue, Oct 23, 2018 at 12:16 PM Dave Taht <dave.taht@gmail.com> wrote:
> On Tue, Oct 23, 2018 at 8:42 AM Ted Lemon <mellon@fugue.com> wrote:
> >
> > That is good feedback, if depressing. I'm kind of in the same boat—I
> really want to do some work on this for OpenWRT, but it hasn't come up to
> the top of the stack yet. The reason I was asking is that when I've said
> at IETF that I don't think HNCP is actually complete yet, I get a lot of
> rotten tomatoes from the authors.
>
> Did they ever get it to work over dtls?
>
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Michael Richardson @ 2018-10-23 23:28 UTC (permalink / raw)
To: Dave Taht; +Cc: Ted Lemon, cerowrt-devel
Dave Taht <dave.taht@gmail.com> wrote:
> 2 years back, I gave up on deploying ipv6 any further than the lab.
> Getting dynamic ipv6 reliably into my production network... I gave up.
> I asked for a static allocation from comcast, haven't heard back yet.
Dude. Comcast is a residential monopoly ISP. Inappropriate for labs.
IPv6 is trivial with a reasonable ISP (I realize that almost an oxymoron)
I pay $125CDN/month for 50Mbs/10Mbs with /56 over VDSL2.
(That's for an all-you-can-eat business plan, with priority NOC access)
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Dave Taht @ 2018-10-23 23:38 UTC (permalink / raw)
To: Michael Richardson; +Cc: Ted Lemon, cerowrt-devel
On Tue, Oct 23, 2018 at 4:28 PM Michael Richardson <mcr@sandelman.ca> wrote:
>
> Dave Taht <dave.taht@gmail.com> wrote:
> > 2 years back, I gave up on deploying ipv6 any further than the lab.
> > Getting dynamic ipv6 reliably into my production network... I gave up.
> > I asked for a static allocation from comcast, haven't heard back yet.
>
> Dude. Comcast is a residential monopoly ISP. Inappropriate for labs.
> IPv6 is trivial with a reasonable ISP (I realize that almost an oxymoron)
> I pay $125CDN/month for 50Mbs/10Mbs with /56 over VDSL2.
> (That's for an all-you-can-eat business plan, with priority NOC access)
There are no alternatives where I am, except pointing a radio at the side of a
mountain. After climbing the mountain.
--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Mikael Abrahamsson @ 2018-10-24 8:22 UTC (permalink / raw)
To: Dave Taht; +Cc: Dave Taht, Ted Lemon, cerowrt-devel
On Tue, 23 Oct 2018, Dave Taht wrote:
> I just ping6 my upstream dns server, roughly the same algorithm. But
> if it goes down, you don't want to take away the local ipv6 addresses,
> just the default route, and when you do that, you end up falling back to
> ipv4.
I want to lower the preferred lifetime for the PD PIO from that connection
to 0 when upstream lifecheck fails (ie, send RA with 0 preferred
lifetime). So correct, don't take away the addresses, just make sure
they're not chosen anymore for outgoing connections.
> You probably live in a place with reliable power. I get a power flicker
> at least once a week. the corest routers are on battery backup but that
> only lasts a few hours and the last big outage was about 9 hours about 6
> weeks ago. When everything reboots, chaos reigns. When only some things
> reboot, different kinds of chaos reign.
Right. The frequent re-addressing of interfaces (every time it goes up and
down actually) is one thing I pointed out years ago is a weak spot in the
homenet implementation.
> Secondly a usable set of /56s would be "enough" in my case (about 40
> boxes), /60 doesn't divide into that.
Agreed, /56 is what's needed.
> thirdly, I don't want to assign routable ipv6 prefixes to everything,
> just to end-user APs and when I last tried hnpd it wanted to give even
> my p2p boxes /64s
Yes, it allocates /64 per interface. You can share interface with multiple
things by creating bridge interfaces.
> fourthly, we have dnsmasq, odhcpd, odhcpc, babel and hnetd all battling
> it out with slightly different notions of how to redistribute things.
Right, a device that speaks homenet should not request PD.
> I've come to rather appreciate NAT for what it does to separate my
> policies from my ISP's.
Configuring static ULA addresses might be a way to handle it. Doesn't help
reaching them from the outside though. We need DNS or other mechanism to
keep track of addresses as they change over time.
--
Mikael Abrahamsson email: swmike@swm.pp.se
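An added example, not code from this thread nor from hnetd or odhcpd, of the two uplink-failure policies discussed above: Dave's ping to the upstream resolver as liveness check, and Mikael's response to a failed check, which is to keep the addresses but advertise the prefix with preferred lifetime 0 so hosts deprecate it and stop choosing it as source, rather than withdrawing the default route and pushing hosts back to IPv4. The hysteresis on the probe (down after three straight failures, up after two straight successes) is a constructed policy meant to keep a flapping link from re-advertising on every blip; the uplink names, 2001:db8:a::/56 and 2001:db8:b::/56 prefixes, lifetimes and probe results are constructed sample data.

```python
# Constructed example (not hnetd/odhcpd code): decide Router Advertisement
# Prefix Information Option (PIO) lifetimes per uplink from its liveness state.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import ipaddress

DEFAULT_ROUTER_LIFETIME = 1800  # seconds; 0 withdraws the default route


@dataclass
class Uplink:
    name: str
    delegated: str       # DHCPv6-PD prefix (documentation space, constructed)
    valid: int           # seconds of valid lifetime left on the PD lease
    preferred: int       # seconds of preferred lifetime left on the PD lease
    probes: List[bool] = field(default_factory=list)  # newest last; True = probe answered


@dataclass
class PIO:
    prefix: str
    valid: int
    preferred: int


def next_state(prev_alive: bool, probes: List[bool], down_after: int = 3, up_after: int = 2) -> bool:
    """Hysteresis on the liveness probe (constructed policy): declare the uplink
    down only after `down_after` consecutive failures and up again only after
    `up_after` consecutive successes; otherwise keep the previous state."""
    if len(probes) >= down_after and not any(probes[-down_after:]):
        return False
    if len(probes) >= up_after and all(probes[-up_after:]):
        return True
    return prev_alive


def lan_prefix(delegated: str, index: int) -> ipaddress.IPv6Network:
    """The index-th /64 inside a delegated prefix, computed without enumerating them all."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64 or index >= 1 << (64 - net.prefixlen):
        raise ValueError(f"no /64 number {index} inside {delegated}")
    return ipaddress.IPv6Network((int(net.network_address) + (index << 64), 64))


def pio_for(uplink: Uplink, alive: bool, lan_index: int = 0) -> PIO:
    prefix = str(lan_prefix(uplink.delegated, lan_index))
    if alive:
        return PIO(prefix, uplink.valid, min(uplink.preferred, uplink.valid))
    # Uplink down: deprecate (preferred 0) but keep the valid lifetime the lease
    # still grants, so existing flows survive and nothing gets renumbered.
    # Shrinking the valid lifetime instead would not work quickly anyway: per
    # RFC 4862 s5.5.3(e) hosts ignore an unauthenticated RA that would cut a
    # prefix's remaining valid lifetime below two hours, a guard against
    # address-revocation attacks from rogue RAs. Preferred 0 applies at once.
    return PIO(prefix, uplink.valid, 0)


def build_ra(uplinks: List[Uplink], alive: Dict[str, bool], lan_index: int = 0) -> Tuple[List[PIO], int]:
    """One PIO per uplink plus the router lifetime: the default route is kept
    advertised as long as at least one uplink is alive."""
    pios = [pio_for(u, alive[u.name], lan_index) for u in uplinks]
    router_lifetime = DEFAULT_ROUTER_LIFETIME if any(alive.values()) else 0
    return pios, router_lifetime


def host_source_candidates(pios: List[PIO]) -> List[PIO]:
    """Host-side view: addresses from still-valid prefixes, non-deprecated ones
    first, which is the RFC 6724 rule ("avoid deprecated addresses") this policy
    steers. A deprecated prefix stays usable for flows that already exist."""
    usable = [p for p in pios if p.valid > 0]
    return sorted(usable, key=lambda p: p.preferred == 0)


if __name__ == "__main__":
    a = Uplink("isp-a", "2001:db8:a::/56", valid=86400, preferred=14400, probes=[True, True, True])
    b = Uplink("isp-b", "2001:db8:b::/56", valid=86400, preferred=14400, probes=[True, False, False, False])
    state = {u.name: next_state(True, u.probes) for u in (a, b)}
    pios, rl = build_ra([a, b], state)
    for p in pios:
        print(f"{p.prefix:20} valid={p.valid:6} preferred={p.preferred}")
    print("router lifetime:", rl, "| host prefers:", host_source_candidates(pios)[0].prefix)
```

With isp-b's probes failing, its /64 is advertised with preferred lifetime 0 and its full valid lifetime, isp-a's /64 keeps both lifetimes, and the router lifetime stays non-zero, so hosts keep IPv6 via isp-a instead of falling back to IPv4.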
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Dave Taht @ 2018-10-24 16:39 UTC (permalink / raw)
To: Mikael Abrahamsson; +Cc: Dave Taht, Ted Lemon, cerowrt-devel
Mikael Abrahamsson <swmike@swm.pp.se> writes:
> On Tue, 23 Oct 2018, Dave Taht wrote:
>
>> I just ping6 my upstream dns server, roughly the same algorithm. But
>> if it goes down, you don't want to take away the local ipv6 addresses,
>> just the default route, and when you do that, you end up falling back to
>> ipv4.
>
> I want to lower the preferred lifetime for the PD PIO from that
> connection to 0 when upstream lifecheck fails (ie, send RA with 0
> preferred lifetime). So correct, don't take away the addresses, just
> make sure they're not chosen anymore for outgoing connections.
>
>> You probably live in a place with reliable power. I get a power
>> flicker at least once a week. the corest routers are on battery
>> backup but that only lasts a few hours and the last big outage was
>> about 9 hours about 6 weeks ago. When everything reboots, chaos
>> reigns. When only some things reboot, different kinds of chaos
>> reign.
>
> Right. The frequent re-addressing of interfaces (every time it goes up
> and down actually) is one thing I pointed out years ago is a weak spot
> in the homenet implementation.
SLAAC remains my preference. :)
>
>> Secondly a usable set of /56s would be "enough" in my case (about 40
>> boxes), /60 doesn't divide into that.
>
> Agreed, /56 is what's needed.
>
>> thirdly, I don't want to assign routable ipv6 prefixes to
>> everything, just to end-user APs and when I last tried hnpd it
>> wanted to give even my p2p boxes /64s
>
> Yes, it allocates /64 per interface. You can share interface with
> multiple things by creating bridge interfaces.
Well, openwrt has the ability to use a tag like "local" or "ula".
I do not know if hnetd will pick that up or not.
Can't bridge a network this wide over this many wifi links.
>> fourthly, we have dnsmasq, odhcpd, odhcpc, babel and hnetd all
>> battling it out with slightly different notions of how to
>> redistribute things.
>
> Right, a device that speaks homenet should not request PD.
But I need that to get from my ISP.
>
>> I've come to rather appreciate NAT for what it does to separate my
>> policies from my ISP's.
>
> Configuring static ULA addresses might be a way to handle it. Doesn't
> help reaching them from the outside though. We need DNS or other
> mechanism to keep track of addresses as they change over time.
Wish. And long ago we tried to publish a draft that tied dns names
simply to slaac addresses.
* Re: [Cerowrt-devel] meanwhile... .home, finally has a home.arpa.
From: Mikael Abrahamsson @ 2018-10-24 18:04 UTC (permalink / raw)
To: Dave Taht; +Cc: Dave Taht, Ted Lemon, cerowrt-devel
On Wed, 24 Oct 2018, Dave Taht wrote:
>> Right, a device that speaks homenet should not request PD.
>
> But I need that to get from my ISP.
Right, it should request PD from the ISP (homenet external port) but it
should not request PD from homenet internal ports.
--
Mikael Abrahamsson email: swmike@swm.pp.se