
Re: comments on draft-itojun-v6ops-v4mapped-harmful-00.txt



>> 	so tell me - assuming that there is a mixture of IPv4/v6 dual stack
>> 	nodes and IPv6-only nodes in your site.  when IPv4 traffic comes in to
>> 	your firewall box, how can a firewall decide if it should let the
>> 	traffic go through as is, or translate it in the SIIT way?
>
>If it is v4 traffic, the firewall applies v4 sanity checks.
>The SIIT box does not need to be collocated with the
>firewall.
>Inbound packets that need translation (at least in NAT64)
>have an IPv4 dst address of one of the NAT64/SIIT gateways.
>They are easily identifiable by the firewalls if necessary.
>
>What is the problem?

	so you assume every IPv6 site to have two IPv4 addresses, instead of 1?
	people want to collocate their firewall and SIIT, to reduce IPv4
	address requirements.

>>> Actually, I think that a solution like this one (SIIT+NAT64)
>>> would enable me to deploy an IPv6 only island in my network
>>> with reasonable chances to make it work
>>> (that is, no worse than today's NAT)
>>
>> 	SIIT/NAT64 are RSIP for IPv4 and IPv6 - end node knows what needs to
>> 	be done at NAT box, and end node must act like IPv4 box (see RFC2765
>> 	page 6 for a very strange description - it asks IPv6-only node to compute
>> 	IPv4 AH checksum).  i don't think they are workable even in IPv6-only
>> 	cloud.
>SIIT/NAT64 is not RSIP. It does not negotiate anything with the NAT box.
>It is much more like plain IPv4 NAT. Same model. Things that work
>today with IPv4 NAT still work with NAT64. Things that do not work
>with IPv4 NAT (like IPsec) still do not work with NAT64.

	SIIT/NAT64 is RSIP.  a proof - SIIT/NAT64 FTP client has to know
	how to deal with PORT/PASV commands, even though it runs on an
	IPv6-only stack.  If the IPv6-only node only implements EPSV/EPRT
	(with IPv6 address support only), it won't be able to use FTP over
	SIIT/NAT64.  SIIT/NAT64 imposes a very strange requirement on the end
	devices.

	normal NAT boxes, and good translators, do not impose any new
	requirement on end clients.  NAT-PT and TRT require no modification
	at all to IPv6-only (or IPv4/v6 dual stack) nodes in the cloud.

itojun
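To make the firewall/SIIT split argued about above concrete, here is an added illustration (not code from this thread, the draft, or any RFC implementation) of how a collocated box could classify inbound IPv4 packets by destination and rewrite addresses the RFC 2765 way; the gateway address, the dual-stack prefix and the packet addresses are constructed for the example, and the site policy of refusing IPv4-mapped addresses on the native IPv6 wire is an assumption.

```python
import ipaddress
from ipaddress import IPv4Address, IPv6Address

# Constructed site layout: IPv4 address(es) owned by the SIIT/NAT64
# gateway and IPv4 addresses owned by dual-stack hosts that must be
# passed through untouched.  Everything else fails the v4 sanity check.
SIIT_GATEWAYS = {IPv4Address("192.0.2.1")}
DUAL_STACK_HOSTS = ipaddress.ip_network("192.0.2.128/25")

# RFC 2765 address forms: IPv4-mapped ::ffff:a.b.c.d for the IPv4 source,
# IPv4-translated ::ffff:0:a.b.c.d for the IPv6-only destination.
MAPPED_PREFIX = int(IPv6Address("::ffff:0:0"))
TRANSLATED_PREFIX = int(IPv6Address("::ffff:0:0:0"))


def classify_inbound_v4(dst: str) -> str:
    """Return 'translate', 'pass' or 'drop' for an inbound IPv4 packet,
    deciding purely on its destination address."""
    a = IPv4Address(dst)
    if a in SIIT_GATEWAYS:
        return "translate"      # hand to the SIIT function on this box
    if a in DUAL_STACK_HOSTS:
        return "pass"           # dual-stack host, forward as IPv4
    return "drop"               # not one of ours: fails the sanity check


def siit_v4_to_v6(src: str, dst: str) -> tuple[str, str]:
    """Rewrite the IPv4 header addresses into the IPv6 addresses SIIT
    uses on the IPv6-only side (exploded form, for unambiguous display)."""
    s = IPv6Address(MAPPED_PREFIX | int(IPv4Address(src)))
    d = IPv6Address(TRANSLATED_PREFIX | int(IPv4Address(dst)))
    return s.exploded, d.exploded


def native_v6_allowed(src: str, dst: str) -> bool:
    """Assumed site policy: an IPv4-mapped address seen in a packet that
    arrived natively over IPv6 (not produced by our translator) is refused,
    so translated and untranslated traffic cannot be confused."""
    return all(IPv6Address(a).ipv4_mapped is None for a in (src, dst))
```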