
Re: comments on draft-itojun-v6ops-v4mapped-harmful-00.txt

Jun-ichiro itojun Hagino wrote:

So tell me - assuming that there is a mixture of IPv4/v6 dual-stack
nodes and IPv6-only nodes in your site, when IPv4 traffic comes in to
your firewall box, how can a firewall decide if it should let the
traffic go through as is, or translate it in the SIIT way?

If it is v4 traffic, the firewall applies v4 sanity checks.
The SIIT box does not need to be collocated with the
firewall.
Inbound packets that need translation (at least in NAT64)
have an IPv4 dst address of one of the NAT64/SIIT gateways.
They are easily identifiable by the firewalls if necessary.

What is the problem?

	So you assume every IPv6 site has two IPv4 addresses instead of one?
	People want to co-locate their firewall and SIIT to reduce IPv4
	address requirements.

I'm not assuming that.
Please read more carefully what I wrote:
--> 'The SIIT box does not need to be collocated with the firewall.'
It does not mean it cannot.

Actually, I think that a solution like this one (SIIT+NAT64)
would enable me to deploy an IPv6-only island in my network
with reasonable chances to make it work
(that is, no worse than today's NAT).

SIIT/NAT64 are RSIP for IPv4 and IPv6 - the end node knows what needs to
be done at the NAT box, and the end node must act like an IPv4 box (see
RFC 2765 page 6 for a very strange description: it asks an IPv6-only node
to compute the IPv4 AH checksum). I don't think they are workable even in
an IPv6-only cloud.

SIIT/NAT64 is not RSIP. It does not negotiate anything with the NAT box.
It is much more like plain IPv4 NAT. Same model. Things that work
today with IPv4 NAT still work with NAT64. Things that do not work
with IPv4 NAT (like IPsec) still do not work with NAT64.

	SIIT/NAT64 is RSIP.  A proof: a SIIT/NAT64 FTP client has to know
	how to deal with the PORT/PASV commands, even though it runs on an
	IPv6-only stack.

	If the IPv6-only node only implements EPSV/EPRT
	(with IPv6 address support only), it won't be able to use FTP over
	SIIT/NAT64.  SIIT/NAT64 imposes a very strange requirement on the end
	devices.

	A normal NAT box, and good translators, do not impose any new
	requirement on end clients.  NAT-PT and TRT require no modification
	at all to IPv6-only (or IPv4/v6 dual-stack) nodes in the cloud.

I may be ignorant; then please educate me with a clear example of
how NAT64 is different from NAT-PT in that regard.

An IPv6-only end node working in a NAT64 environment
will have to implement what you call SIIT kernel behavior,
that's all. The 'peer' address will be an IPv6 address, the same way
as in NAT-PT. It just happens that this address is a v4-mapped address,
but as it would be sent over the wire, I still see no difference with NAT-PT
in that regard.

   - Alain.
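The two mechanics argued over above - the firewall deciding which inbound IPv4 packets are the translator's business by their destination address, and the IPv6-only node using an IPv4-mapped peer address that SIIT turns back into IPv4 - as an added example in Python. This is not code from the thread nor from any SIIT/NAT64 implementation. The gateway address 192.0.2.64 and the peer addresses are constructed for illustration; the ::ffff:0:0/96 (IPv4-mapped) and ::ffff:0:0:0/96 (IPv4-translated) prefixes are the ones RFC 2765 defines. NAT64 state (which internal node and port an inbound packet belongs to) is not modeled.

```python
import ipaddress

# Constructed for this example: the IPv4 address(es) owned by the SIIT/NAT64
# gateway. In NAT64, inbound IPv4 packets that need translation are the ones
# addressed here; anything else is ordinary IPv4 traffic.
NAT64_GATEWAYS = {ipaddress.IPv4Address("192.0.2.64")}

# RFC 2765 address forms on the IPv6 side of SIIT:
#   IPv4-mapped      ::ffff:a.b.c.d    the IPv6-only node's "peer" address
#   IPv4-translated  ::ffff:0:a.b.c.d  the IPv6-only node's own address
V4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
V4_TRANSLATED = ipaddress.IPv6Network("::ffff:0:0:0/96")


def classify_inbound_ipv4(dst):
    """Firewall-side decision for an inbound IPv4 packet: only a packet whose
    destination is one of the gateway's IPv4 addresses goes to the translator;
    everything else is passed through the normal IPv4 sanity checks."""
    return "translate" if ipaddress.IPv4Address(dst) in NAT64_GATEWAYS else "pass"


def embed_ipv4(prefix, v4):
    """Place an IPv4 address in the low 32 bits of a /96 IPv6 prefix."""
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(v6):
    """Return the embedded IPv4 address if v6 is IPv4-mapped or IPv4-translated,
    otherwise None (the address is native IPv6 and SIIT has nothing to do)."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 in V4_MAPPED or v6 in V4_TRANSLATED:
        return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)
    return None


def siit_outbound(src_v6, dst_v6):
    """Translator view of a packet an IPv6-only node sends toward an IPv4 peer.
    The node itself had to pick an IPv4-mapped destination and carry an
    IPv4-translated source; if it did not, the packet is native IPv6 and is
    left alone (returns None). Returns the (src_v4, dst_v4) pair otherwise."""
    src_v6 = ipaddress.IPv6Address(src_v6)
    dst_v6 = ipaddress.IPv6Address(dst_v6)
    if dst_v6 not in V4_MAPPED or src_v6 not in V4_TRANSLATED:
        return None
    return (extract_ipv4(src_v6), extract_ipv4(dst_v6))


def siit_inbound(src_v4, dst_v4):
    """Reverse direction: an IPv4 packet addressed to the gateway becomes IPv6
    with an IPv4-mapped source and an IPv4-translated destination. A packet
    not addressed to the gateway is not translated (returns None). A real
    NAT64 would additionally consult its state table to pick the internal
    node; that lookup is not modeled here."""
    if classify_inbound_ipv4(dst_v4) != "translate":
        return None
    return (embed_ipv4(V4_MAPPED, src_v4), embed_ipv4(V4_TRANSLATED, dst_v4))


if __name__ == "__main__":
    # Constructed sample traffic.
    print(classify_inbound_ipv4("192.0.2.64"), classify_inbound_ipv4("198.51.100.7"))
    print(siit_outbound("::ffff:0:192.0.2.64", "::ffff:198.51.100.7"))
    print(siit_outbound("2001:db8::1", "::ffff:198.51.100.7"))
    print(siit_inbound("198.51.100.7", "192.0.2.64"))
```

The point the example makes concrete is the one in the reply: the translator does nothing the end node did not already set up, since the IPv6-only node chooses the mapped peer address itself and an IPv4 firewall can tell translator-bound packets apart purely by destination address.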