RE: ocean: do not boil
Margaret,
> -----Original Message-----
> From: Margaret Wasserman [mailto:mrw@windriver.com]
> Sent: Thursday, September 26, 2002 4:52 AM
> To: Bound, Jim
> Cc: itojun@iijlab.net; Stewart Tansley; v6ops@ops.ietf.org
> Subject: RE: ocean: do not boil
>
>
> At 04:07 AM 9/26/02, Bound, Jim wrote:
> >every input I get is that they don't want NAT and want it to go away as
> >soon as possible.
>
> To be replaced by NAT-PT?
No.
>
> What is the technical advantage to running an IPv6-only internal network
> that uses NAT-PT to reach external IPv4-only services, as opposed to running
> a shared IPv4/IPv6 network with IPv4 NAT?
None.
>
> [Please give _technical_ reasons, like X works with NAT-PT, but doesn't
> work with IPv4 NAT... I understand that some folks have emotional/marketing/
> other reasons for wanting to use something they think of as "pure IPv6", and
> we may need to deal with that attitude in the marketplace. I'd just like to
> put that aside for a moment and understand the technical differences between
> these two solutions.]
Another solution is to use DSTM to avoid using NAT-PT, which is technically a different solution.
>
> I've been thinking about this a lot, and I have come up with the following
> thoughts:
>
> Network set-up is fairly similar in these two cases:
>
>    - An IPv4/IPv6 network with IPv4 NAT requires:
>         - Setting up an IPv4 NAT box(es). This includes
>           providing at least one globally routable
>           IPv4 address (to use as the source address
>           for translated packets).
>         - Configuring routers with IPv4 and IPv6
>           prefixes and default routes, including IPv4
>           default routes that lead out through the
>           NAT box(es)
>         - Setting up an IPv4 DHCP server
>         - Running dual-stack hosts and routers
>
>    - An IPv6-only network with NAT-PT requires:
>         - Setting up a NAT-PT box(es). This includes
>           providing at least one globally routable
>           IPv4 address (to use as the source address
>           for translated packets).
>         - Configuring routers with IPv6 prefixes and default
>           routes, plus static routes to send traffic
>           addressed to IPv4 mapped addresses out through
>           the NAT-PT box(es)
>         - Running special DNS resolver code on the hosts
>           and/or configuring DNS servers to return AAAA
>           IPv4 mapped addresses for any A records.
>
> Please note that both solutions require IPv4 service at the translation
> point, including at least one globally routable IPv4 address.
>
> Once the network has been set-up, these two choices _should_ work the
> same for IPv4 traffic sent outside the site. However, there are a
> few key differences:
>
>    - The IPv4 NAT solution supports the use of IPv4-only
>      services within the site, whereas NAT-PT only
>      supports IPv4 communication with the outside (there
>      is no internal IPv4 routing).
>
>    - The NAT-PT solution does not require running a DHCP server
>      or assigning private IPv4 prefixes to internal networks.
>
>    - The NAT-PT solution involves changes to DNS (either to
>      resolver on each host, or to the server), and the IPv4
>      NAT solution does not.
>
> Are there some other technical advantages to the NAT-PT solution that I
> am missing?
>
> How will hosts know that they are running in a NAT-PT environment,
> and that they shouldn't send IPv4 traffic? Will they default to
> using IPv4-mapped addresses whenever they don't have IPv4 addresses
> configured? What would be the implications of this behaviour
> (if any) in the event of a DHCP failure on an IPv4-only or IPv4/IPv6
> network that is running these same implementations?
>
> Is the routing set-up necessary to support multiple NAT-PT boxes the
> same as the routing set-up needed to support multiple IPv4 NATs? What
> are the key differences, if any?
>
> I am concerned about the DNS modifications needed to make NAT-PT work
> correctly. We know that applications that currently work behind an
> IPv4 NAT will work properly with the IPv4 NAT choice. Are we _sure_
> that all of those applications will work properly in the NAT-PT case?
> Who has explored this in detail, and what did you find?
>
> BTW, I think it is _very_ appropriate for the working group to be
> analyzing different solution choices at this point. Two of our scenario
> documents are nearly complete (3GPP and unmanaged) and work is already
> underway on the analysis documents. Those analysis documents will
> contain our recommended solutions for different scenarios, so it
> makes perfect sense for us to discuss which solutions we will
> recommend and why.
This can be completely avoided when users have a large pool of IPv4 address space or can use private IPv4 address space with DSTM, and then NAT-PT is NOT required.
NAT-PT breaks end-2-end security and apps just like NAT in IPv4.
/jim
>
> Margaret