
Re: Operational experience with 3 degrees

Commenting on the last issues.

On Wed, 19 Mar 2003, Christian Huitema wrote:
> The third issue was not really a surprise. In our deployment, the only
> way for users located behind NAT to get IPv6 connectivity is to use
> Teredo, and Teredo only works through about 90% of the NAT available on
> the market; the others are "symmetric" NAT. Since users buying NATs have
> no clue whether their NAT is symmetric or not, this results in
> complaints such as "the application does not work behind a NAT of brand
> X". After the feedback from the beta, we better know the size of the
> problem, and we are making sure that several solutions will be
> available, to be used as appropriate. 

This has been one of my objections to Teredo: even if it works on more or 
less 90% of NAT boxes, and fails on the rest, the 10% is still a large 
amount of appliances, and..

> The Teredo software will be
> updated to automatically reserve a UDP port using the UPNP protocol when
> the NAT support this protocol, or to use a user assigned port when the
> user is able to open a port in the NAT using a management interface. If
> that fails, the user will in some cases be able to get a new firmware
> for the existing NAT, without having to buy a new NAT. 

.. such firmware would *actually* make the NAT more insecure.  You can
implement NATs in "loose" or "strict" mode.  What you're advocating is
turning relatively secure NATs into insecure ones.

(Btw, I don't find it realistic to assume NATs which have this issue 
will support UPNP, but YMMV.)

> Indeed, another
> solution would be to have generous third parties provide tunnel
> servers...

This seems similar to 6to4 relays; they are not there in abundance, and 
there seems to be little sign the trend will change any time soon.

What Teredo is doing is splitting the IPv6 address space in two: those who 
can use it, can communicate bidirectionally relatively nicely.   But the 
connectivity to the rest of the Internet is a pain.  That doesn't look to 
me like a desirable approach.

>  The solution is obviously to deploy a
> Teredo relay in the site exit routers of the peer sites, or possibly in
> the ISP networks. Teredo relays are even simpler to implement than
> Teredo clients or servers, and can incorporate a number of "stateful"
> traffic control features that make them resistant to attacks. To
> facilitate this deployment, we should provide a very short Teredo relay
> specification.

I have doubts about this actually happening.  Believe me, it's not about 
the code size.  6to4 relay implementation is less than 10 lines of code at 
the minimum.  Code size is a factor for those who implement it (and 
consequently those who want to deploy it), but *not* for those who don't 
intend to.

To avoid fragmentation of the IPv6 Internet and to keep things simple and
working for all NAT users, I'm strongly favoring the "bidirectional tunneling
through NAT" approach.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
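A toy model of the two NAT properties argued over above (cone vs. "symmetric" mapping, and "loose" vs. "strict" inbound filtering), added here as an illustration and not code from the thread or from any Teredo implementation; the addresses, the `Nat` class and the `teredo_peer_reaches_client` helper are all constructed for the example. It shows why a peer cannot reach a client through a symmetric NAT using the port the Teredo server observed, and that the "loose" mode which makes inbound traffic work is exactly the one that accepts datagrams from sources the client never talked to.

```python
# Constructed addresses: a Teredo server and a remote IPv6/Teredo peer.
SERVER = ("203.0.113.10", 3544)
PEER = ("198.51.100.7", 40000)


class Nat:
    """Minimal NAT model: a mapping policy plus a filtering policy."""

    def __init__(self, symmetric, strict):
        self.symmetric = symmetric   # True: a fresh external port per destination
        self.strict = strict         # True: only forward from already-contacted peers
        self.mappings = {}           # mapping key -> external port
        self.reverse = {}            # external port -> (internal, bound destination)
        self.contacted = set()       # (external port, destination) pairs seen outbound
        self.next_port = 50000

    def outbound(self, internal, dest):
        """The client sends a UDP datagram to dest; return the external port used."""
        key = (internal, dest) if self.symmetric else internal
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            # A symmetric NAT binds the port to this destination only.
            self.reverse[self.next_port] = (internal, dest if self.symmetric else None)
            self.next_port += 1
        port = self.mappings[key]
        self.contacted.add((port, dest))
        return port

    def inbound(self, src, ext_port):
        """Datagram from src arrives at ext_port: True if forwarded inside."""
        entry = self.reverse.get(ext_port)
        if entry is None:
            return False                       # no mapping at all
        _internal, bound_dest = entry
        if bound_dest is not None and bound_dest != src:
            return False                       # symmetric: port belongs to another flow
        if self.strict and (ext_port, src) not in self.contacted:
            return False                       # strict filtering: unknown source
        return True                            # loose filtering lets any source in


def teredo_peer_reaches_client(nat, client_opened_hole):
    """Client qualifies via the server, the peer learns the mapped port and
    sends to it; optionally the client first sends a datagram toward the peer
    (the hole-punching step restricted NATs need)."""
    internal = ("10.0.0.5", 3544)              # constructed private address
    mapped = nat.outbound(internal, SERVER)    # port the Teredo server observes
    if client_opened_hole:
        nat.outbound(internal, PEER)
    return nat.inbound(PEER, mapped)
```

Through a symmetric NAT the peer fails even after the client has sent toward it, because the outbound datagram to the peer got a different external port than the one the server reported.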