[Openvpn-devel] Depreciate IPv4-related options.

Message ID 20180401063058.23913-1-gert@greenie.muc.de
State Deferred
Series [Openvpn-devel] Depreciate IPv4-related options.

Commit Message

Gert Doering March 31, 2018, 8:30 p.m. UTC
As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
be IPv6-only.  Removal of IPv4-related code and options will dramatically
reduce code complexity, confusing options, bugs and user questions.

Add deprecation warnings for IPv4-related config options to 2.4 branch,
so users have enough time to move their setups to work on IPv6-only
before 2.5 will be released.

This affects:

  --ifconfig
  --route
  --server
  --proto udp4/tcp4
  --ifconfig-pool

More IPv4-related options will be identified and depreciated later.

Trac: #208

Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 src/openvpn/options.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Jonathan K. Bullard April 1, 2018, 12:17 a.m. UTC | #1
Hi,

On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering <gert@greenie.muc.de> wrote:
> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> be IPv6-only.  Removal of IPv4-related code and options will dramatically
> reduce code complexity, confusing options, bugs and user questions.
>
> Add deprecation warnings for IPv4-related config options to 2.4 branch,
> so users have enough time to move their setups to work on IPv6-only
> before 2.5 will be released.

Are you proposing to remove all IPv4 support from OpenVPN 2.5, so that
an IPv6 connection will be required and an IPv4-only connection will
not work?

Or is this about removing IPv4-only options and code and leaving
options and code that work for either IPv4 or IPv6, so users could
continue to have an IPv4-only setup by changing the names of a few
options in their configuration files?

Either way, can anyone give an approximate release date for 2.5, so we
can have a time frame for the change? (Even a "not before" date would
be very helpful in evaluating the impact of these proposed changes.)

Best regards,

Jon Bullard (Tunnelblick developer)

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Samuel Thibault April 1, 2018, 12:28 a.m. UTC | #2
Hello,

Jonathan K. Bullard, on dim. 01 avril 2018 06:17:55 -0400, wrote:
> Either way, can anyone give an approximate release date for 2.5, so we
> can have a time frame for the change? (Even a "not before" date would
> be very helpful in evaluating the impact of these proposed changes.)

I guess it'll be "not before" tomorrow.

Samuel

Selva Nair April 1, 2018, 4:19 a.m. UTC | #3
Hi,

On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering <gert@greenie.muc.de> wrote:

> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> be IPv6-only.  Removal of IPv4-related code and options will dramatically
> reduce code complexity, confusing options, bugs and user questions.
>
> Add deprecation warnings for IPv4-related config options to 2.4 branch,
> so users have enough time to move their setups to work on IPv6-only
> before 2.5 will be released.
>
> This affects:
>
>   --ifconfig
>   --route
>   --server
>   --proto udp4/tcp4
>   --ifconfig-pool
>
> More IPv4-related options will be identified and depreciated later.
>

Nice try :)

Selva
Gert Doering April 1, 2018, 5:34 a.m. UTC | #4
Hi,

On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering <gert@greenie.muc.de> wrote:
> 
> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> > be IPv6-only.  Removal of IPv4-related code and options will dramatically
> > reduce code complexity, confusing options, bugs and user questions.
[..]
> 
> Nice try :)

Hah, caught in the act ;-)

(Apologies to Jonathan for scaring you about new user support issues...)

Trac #208 is really about *enabling* IPv6-only mode (which does not work
today), but not about *mandating* IPv6-only / taking away IPv4.

gert
Jonathan K. Bullard April 1, 2018, 5:52 a.m. UTC | #5
Hi,

On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering <gert@greenie.muc.de> wrote:
> Hi,
>
> On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
>> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering <gert@greenie.muc.de> wrote:
>>
>> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
>> > be IPv6-only.  Removal of IPv4-related code and options will dramatically
>> > reduce code complexity, confusing options, bugs and user questions.
> [..]
>>
>> Nice try :)
>
> Hah, caught in the act ;-)
>
> (Apologies to Jonathan for scaring you about new user support issues...)

No apologies necessary! I fell for it completely and have no excuse. I
probably laughed as hard as anyone else when I read your private reply
that pointed out today's date.

Best regards,

Jon

Marvin April 1, 2018, 8:19 a.m. UTC | #6
Think of us poor mail list lurkers. Practically gave this one a heart attack!  Not having seen that private reply, I hope that means I can discard the long-ass (and quite irate) reply I was working on?

Marvin
(Sent from an ipv4 address)

> On Apr 1, 2018, at 8:52 AM, Jonathan K. Bullard <jkbullard@gmail.com> wrote:
> 
> Hi,
> 
>> On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering <gert@greenie.muc.de> wrote:
>> Hi,
>> 
>>> On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
>>>> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering <gert@greenie.muc.de> wrote:
>>>> 
>>>> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
>>>> be IPv6-only.  Removal of IPv4-related code and options will dramatically
>>>> reduce code complexity, confusing options, bugs and user questions.
>> [..]
>>> 
>>> Nice try :)
>> 
>> Hah, caught in the act ;-)
>> 
>> (Apologies to Jonathan for scaring you about new user support issues...)
> 
> No apologies necessary! I fell for it completely and have no excuse. I
> probably laughed as hard as anyone else when I read your private reply
> that pointed out today's date.
> 
> Best regards,
> 
> Jon

Gert Doering April 1, 2018, 8:39 a.m. UTC | #7
Hi,

On Sun, Apr 01, 2018 at 11:19:57AM -0700, Marvin Adeff wrote:
> Think of us poor mail list lurkers. Practically gave this one a heart attack!  Not having seen that private reply, I hope that means I can discard the long-ass (and quite irate) reply I was working on?

Please share!

> (Sent from an ipv4 address)

Whatever journey OpenVPN takes, the Internet as a whole will need to 
either finish the move to IPv6, or give up and return to IPv4-only -
running dual-stack is just too expensive in the long run.  Like, twice
the amount of code needed for routing, address parsing, firewalling, ...

gert
Marvin April 1, 2018, 9:21 a.m. UTC | #8
Ok, I’ll only discard the irate part  ;-]

I had not considered the extra work and code required to maintain both versions. But I get it now. Here is the unfortunate position this puts us in:

We use OpenVPN for connection from 1000’s of devices located at customer facilities back to us. These devices/software have a lifespan of greater than 10 years and most are extremely expensive (not easily replaced). So a large quantity are incapable of ipv6 (and frankly many customer facility networks are not fully functional with ipv6). Also some of the devices/software at our end that interface with those legacy customer devices are also not ipv6 capable. 

So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.  There is much more detail about all this, but I wanted to keep this a short email. 

Thanks for listening. 

Marvin

> On Apr 1, 2018, at 11:39 AM, Gert Doering <gert@greenie.muc.de> wrote:
> 
> Hi,
> 
>> On Sun, Apr 01, 2018 at 11:19:57AM -0700, Marvin Adeff wrote:
>> Think of us poor mail list lurkers. Practically gave this one a heart attack!  Not having seen that private reply, I hope that means I can discard the long-ass (and quite irate) reply I was working on?
> 
> Please share!
> 
>> (Sent from an ipv4 address)
> 
> Whatever journey OpenVPN takes, the Internet as a whole will need to 
> either finish the move to IPv6, or give up and return to IPv4-only -
> running dual-stack is just too expensive in the long run.  Like, twice
> the amount of code needed for routing, address parsing, firewalling, ...
> 
> gert
> -- 
> "If was one thing all people took for granted, was conviction that if you 
> feed honest figures into a computer, honest figures come out. Never doubted 
> it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany                             gert@greenie.muc.de

Gert Doering April 1, 2018, 9:34 a.m. UTC | #9
Hi,

On Sun, Apr 01, 2018 at 12:21:53PM -0700, Marvin Adeff wrote:
> I had not considered the extra work and code required to maintain both versions. But I get it now. Here is the unfortunate position this puts us in:
[..]

Well, that part of my e-mail was a bit of frustration speaking - I've
been advocating IPv6 for over 20 years now, and while large parts of
the access networks are offering IPv6 now, other parts are still being
*built* with IPv4 only, or stubbornly stick to IPv4 only...  thus, double
work everywhere, not only in OpenVPN, seemingly for a lifetime.

> So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.

As far as OpenVPN is concerned, I am not aware of any plans to remove 
IPv4 support.

The extra code adds some maintenance and testing effort, but since this
is all in place now (especially the test setups with "connect over IPv4
or IPv6" and "send IPv4 and IPv6 packets through the test VPN") it would
be more work to rip out IPv4 now... :-)

gert
Marvin April 1, 2018, 4:12 p.m. UTC | #10
Gert,

Without invalidating the reason for your frustration, I am breathing a sigh of relief.

As a complete aside, in some ways ipv4 is actually more useful to me in my work. In a private network I can tell where in the network the traffic is coming from. Even on the internet I can tell country, ISP etc. Very useful for security ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily done in ipv6. 

BTW, a big thank-you to you and all the devs in the OpenVPN project!

Marvin

> On Apr 1, 2018, at 12:34 PM, Gert Doering <gert@greenie.muc.de> wrote:
> 
> Hi,
> 
>> On Sun, Apr 01, 2018 at 12:21:53PM -0700, Marvin Adeff wrote:
>> I had not considered the extra work and code required to maintain both versions. But I get it now. Here is the unfortunate position this puts us in:
> [..]
> 
> Well, that part of my e-mail was a bit of frustration speaking - I've
> been advocating IPv6 for over 20 years now, and while large parts of
> the access networks are offering IPv6 now, other parts are still being
> *built* with IPv4 only, or stubbornly stick to IPv4 only...  thus, double
> work everywhere, not only in OpenVPN, seemingly for a lifetime.
> 
>> So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.
> 
> As far as OpenVPN is concerned, I am not aware of any plans to remove 
> IPv4 support.
> 
> The extra code adds some maintenance and testing effort, but since this
> is all in place now (especially the test setups with "connect over IPv4
> or IPv6" and "send IPv4 and IPv6 packets through the test VPN") it would
> be more work to rip out IPv4 now... :-)
> 
> gert
> -- 
> "If was one thing all people took for granted, was conviction that if you 
> feed honest figures into a computer, honest figures come out. Never doubted 
> it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany                             gert@greenie.muc.de

Antonio Quartulli April 1, 2018, 4:20 p.m. UTC | #11
On 02/04/18 10:12, Marvin Adeff wrote:
> Even on the internet I can tell country, ISP etc. Very useful for security ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily done in ipv6. 

mostly because at this very moment Tunnel Brokers are widely used and
they act as a "proxy", effectively covering the real location of the
client host.

Many websites just show you (client) as connecting from the country
where your Tunnel Broker is located.

When using native IPv6 this problem does not exist anymore.

Therefore, the proper way to get over this "limitation" (even though I
don't think it is a real problem, but this is of course my perspective) is
to speed up the transition and move everybody over native IPv6 (which is
something we can't achieve if we continue to be "afraid" of using IPv6
in our everyday life).

Cheers,
Marvin April 1, 2018, 8:12 p.m. UTC | #12
Antonio,
I certainly don’t disagree with you. 

However I think I’ve taken up enough bandwidth over this topic on Openvpn-devel. Thank you all. 

Marvin

> On Apr 1, 2018, at 7:20 PM, Antonio Quartulli <a@unstable.cc> wrote:
> 
>> On 02/04/18 10:12, Marvin Adeff wrote:
>> Even on the internet I can tell country, ISP etc. Very useful for security ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily done in ipv6. 
> 
> mostly because at this very moment Tunnel Brokers are widely used and
> they act as a "proxy", effectively covering the real location of the
> client host.
> 
> Many websites just show you (client) as connecting from the country
> where your Tunnel Broker is located.
> 
> When using native IPv6 this problem does not exist anymore.
> 
> Therefore, the proper way to get over this "limitation" (even though I
> don't think it is a real problem, but this is of course my perspective) is
> to speed up the transition and move everybody over native IPv6 (which is
> something we can't achieve if we continue to be "afraid" of using IPv6
> in our everyday life).
> 
> Cheers,
> 
> -- 
> Antonio Quartulli


Patch

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 9fef3945..46d33c0b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5258,6 +5258,7 @@  add_option(struct options *options,
             msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
             goto err;
         }
+        msg(M_WARN, "DEPRECATED OPTION: --ifconfig, please update your configuration to use IPv6 (--ifconfig-ipv6). IPv4 support will be removed in OpenVPN v2.5.");
     }
     else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
     {
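Review bot: The warning added after the address validation hard-codes the removal release ("IPv4 support will be removed in OpenVPN v2.5.") inside a string that this patch repeats almost verbatim for --proto, --route, --server and --ifconfig-pool. Consider a small helper or macro that takes the option name and its IPv6 replacement, so the wording and the version number live in one place and cannot drift apart between the five call sites.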
@@ -5928,6 +5929,10 @@  add_option(struct options *options,
         }
         options->ce.proto = proto;
         options->ce.af = af;
+	if (af == AF_INET)
+        {
+            msg(M_WARN, "DEPRECATED OPTION: --proto %s, please update your configuration to use IPv6. IPv4 support will be removed in OpenVPN v2.5.", p[1]);
+        }
     }
     else if (streq(p[0], "proto-force") && p[1] && !p[2])
     {
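Review bot: The added `if (af == AF_INET)` line is indented with a tab, while the braces and msg() call directly below it and the surrounding context use spaces; please re-indent it to match. Unlike the other warnings in this patch, this message also names no replacement ("please update your configuration to use IPv6"), so stating which --proto values the user should switch to would make it actionable.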
@@ -6151,6 +6156,7 @@  add_option(struct options *options,
     }
     else if (streq(p[0], "route") && p[1] && !p[5])
     {
+	static int route_warning_printed = 0;
         VERIFY_PERMISSION(OPT_P_ROUTE);
         rol_check_alloc(options);
         if (pull_mode)
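Review bot: The `static int route_warning_printed = 0;` declaration is indented with a tab where the neighbouring lines use spaces. Because it is function-static, it suppresses the warning for the lifetime of the process rather than per parsed configuration; if that is the intent, a one-line comment on the declaration saying so would help the next reader.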
@@ -6172,6 +6178,10 @@  add_option(struct options *options,
             }
         }
         add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
+        if (route_warning_printed++ < 1)
+        {
+            msg(M_WARN, "DEPRECATED OPTION: --route, please update your configuration to use IPv6 (--route-ipv6). IPv4 support will be removed in OpenVPN v2.5.");
+        }
     }
     else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
     {
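Review bot: `if (route_warning_printed++ < 1)` keeps incrementing the counter on every --route line long after the warning has been shown. Testing the flag and setting it inside the block, for example `if (!route_warning_printed) { route_warning_printed = 1; ... }`, states the once-only intent directly and avoids an ever-growing signed counter. The other four warnings in this patch have no such guard, so it is worth saying why only --route needs one.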
@@ -6459,6 +6469,7 @@  add_option(struct options *options,
                 goto err;
             }
         }
+        msg(M_WARN, "DEPRECATED OPTION: --server, please update your configuration to use IPv6 (--server-ipv6). IPv4 support will be removed in OpenVPN v2.5.");
     }
     else if (streq(p[0], "server-ipv6") && p[1] && !p[3])
     {
@@ -6566,6 +6577,7 @@  add_option(struct options *options,
         {
             options->ifconfig_pool_netmask = netmask;
         }
+        msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool, please update your configuration to use IPv6 (--ifconfig-ipv6-pool). IPv4 support will be removed in OpenVPN v2.5.");
     }
     else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
     {
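Review bot: Missing documentation: the diffstat lists only src/openvpn/options.c, so this --ifconfig-pool deprecation and the four before it are announced solely through runtime M_WARN messages. A deprecation that names a removal release should also be recorded in the user-facing documentation for each affected option, ideally in the same patch.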