Re: RESENDING - Incremental Deployment of IPv6-only Wi-Fi for IETF Meetings

[Ted Lemon <mellon@xxxxxxxxx>]

On Jul 29, 2017, at 11:44 AM, Paul Hoffman <paul.hoffman@xxxxxxxx> wrote:

Exactly right. That's why many of us know first-hand that v6 has more hard-to-describe choices for end users than v4 does.

For the end user, there are no choices.   You plug your device into the network, and it works, or it doesn't.   What choices are you imagining?

I was not thinking of just people on this mailing list: like you, I talk to many people at IETF meetings. I find few people who are not strong v6 advocates saying that they think a v6-only is will Just Work for the average user.

Forgive me, but it's always easy to put words in the mouths of people who aren't saying anything.   What you are saying here is that everyone who is silent on this topic agrees that IPv6 isn't going to Just Work for the end-user.   Do you see the flaw in your reasoning?

On Jul 29, 2017, at 11:51 AM, Stephen Farrell <stephen.farrell@xxxxxxxxx> wrote:

- I have no clue if Ubuntu supports this now - section 4.2

of the draft doesn't fill me with confidence, and I'm puzzled
as to how the draft figures ssh will continue to work "without
incident" given known_hosts has v4 addresses. And opting-in
here will change the state of known_hosts I guess in a way
that might in principle lead to attacks (that said I've not
checked what ssh clients know about dns64/nat64).

Right, so known_hosts is broken, because it remembers IP addresses.   This is something that ought to get fixed, not persisted.   Imagine how this feature interacts with the private service discovery feature that is being worked on in dnssd, when the host being connected to does IP address privacy.

I want _you_ in particular to use IPv6+nat64 because it will show you where some of the implementations of software that you currently use are broken, and then (I hope) you will get on board with trying to get them fixed.   That's the value proposition.   OpenVPN has known about their IPv6 brokenness for about four years, and they still haven't done anything about it.

One other note: if there were a perceived benefit for the folks
opting-in that'd help your cause I think. "You can help us all
make this better" is not a sufficiently direct benefit to attract
that many dogfood eaters IMO.

Right, that's why the "opt out" rather than "opt in" proposal.   We've had "opt in" since two Berlins ago, and we just don't get a lot of people trying the "opt in" network.   The value proposition is pretty obvious to me: we get to see how many people opt out.

On Sat, Jul 29, 2017 at 10:47 AM, Leif Johansson <leifj@xxxxxx> wrote:

It isn't. I see no villains.

When you say that something that someone is trying to do that you disagree with is political, you are implicitly saying that there is a villain, and it is that bad person who is trying to do something for "political reasons".   Please don't do that.

IPv6 has had a lot more testing than TLS 1.3.

On Jul 29, 2017, at 12:31 PM, Richard Barnes <rlb@xxxxxx> wrote:

However, just like the TLS 1.3 experimentation was not done on production servers that were meant for doing actual work, neither is the IETF network the right place to be discovering protocol issues.  If people want to opt in, fine, but let's not make it the default.

The conclusion that I would draw from this argument is that you believe that nobody should ever use TLS 1.3, because it is new, and it will always be the case that at some point in the process end-users will be exposed to it for the first time, and possibly run into issues.   That sort of thing should never happen in production, hence TLS 1.3 should never be deployed.

That really is what you are saying.   The IETF has been running IPv6-only with NAT64 as a transition tech for about four years, and I'm guessing you've never opted in.   So your argument is basically "it's not my problem, and it will never be okay for us to run this in production, let's just keep using IPv4."