Re: I-D ACTION:draft-ietf-v6ops-ent-scenarios-00.txt
Some comments...
> 3.2 Scenarios Characteristics
...
> - Do any of the software functions store IP addresses?
Should be "store, display, or allow input of IP addresses?"
...
> - Do any of the hardware functions store IP addresses?
ditto
> 4.3 IPv6 communicating with IPv4
>
> An IPv6 only node wants to communicate with an IPv4 only node.
>
> In cases where the IPv6 host cannot be a dual stack, in order to
> continue support of communications with IPv4 nodes an IPv4/v6
> translator is required. Introduction of such translator will prevent
> usage of end-to-end security and application carrying embedded IP
> addressing information.
There's a big hole here - i.e. the alternative solution which is an
applications proxy. www.ipv6-test.ibm.com is running code.
>
> **Note to V6ops WG: Should we discuss porting of applications too in
> the legacy section?
No. That should remain a separate document.
> 5.1 DNS
>
> DNS will now have to support both IPv4 and IPv6 DNS records and the
> Enterprise will need to determine how the DNS is to be managed and
> accessed, and secured.
>
> **Note to V6ops WG: Should we get into other DNS issues?
Probably DNSOP should do some of that. But how DNS interacts with stateless and
stateful autoconfiguration probably needs to be discussed here, for example.
> 5.4 Security
>
> Current existing mechanisms used for IPv4 to provide security need to
> be supported for IPv6 within the Enterprise.
That's not true if NAT is viewed as a security mechanism. We need to describe
how security-by-hiding is achieved in IPv6 - presumably by a combination of
some form of local addressing in parallel with global addressing, and
appropriate filters and ACLs in the firewall.
> ...IPv6 should create no
> new security concerns for IPv4.
Is that certain? Where is the complete threat analysis?
>
> **Note to V6ops WG: Should we get into other security issues?
Yes. Fears about security will be a major hurdle in enterprise
deployment. We need much, much more about security - probably a complete
BCP on its own.
> 5.5 Applications
>
> Existing applications will need to be ported to support both IPv4 and
> IPv6.
s/ported/ported or proxied/
>
> **Note to V6ops WG: Should we get into other application issues?
Not in this document.
...
> **Note to V6ops WG: What other components are we missing?
Multihoming.
Brian