RE: draft-ietf-v6ops-nap-00.txt <PROXIES>



Mark, Pekka, Brian, et al.;

I do not have strong feelings on how much information on proxies goes into
the draft.

I do believe the most compelling arguments supporting the elimination of NAT
in the IPv6 architecture need a discussion of what you can achieve - and
what you give up - if you deploy proxies.  As a practical matter, even
considering the peer-to-peer IPv6 Internet of the future, in the near and
middle term the continued use of stateful firewalls (breaks end-to-end) and
proxy servers (breaks end-to-end) will be a reality.  I think a reasonable
deployment model for the enterprise is giving "internal use only" nodes ULA
addresses.  Any node needing Internet access would have both a ULA (for
internal use and, most likely, HTTP via the proxy) *and* a global-scope
address (for peer-to-peer applications).  Other nodes may use a ULA and the
proxy to obtain a "basic" Internet capability (unable to be a full Internet
peer).

That allows security managers to continue to use a model they are
comfortable with for most traffic, and arguably does provide benefits
(caching, policy enforcement, topology hiding), but also allows an
enterprise to roll out peer-to-peer services as a matter of course as
needed.  By using IPv6 and eliminating NAT, enterprise network managers gain
great flexibility - even if they continue to use proxies to fulfill some
needs.

I just think that is the reality, and to try to push a model that eliminates
NAT *and* proxy (and probably some people would like to eliminate stateful
edge firewalls even at this early stage) will result in some feeling that
the NAP draft doesn't go far enough in recognizing the need for continuity
from today's network.

----------------------------------------------------
John Spence, CCSI, CCNA, CISSP
Native6, Inc.
IPv6 Training and Consulting
jspence@native6.com
www.native6.com
----------------------------------------------------