
Re: draft-ietf-v6ops-nap-00.txt



On Tue, 19 Apr 2005 07:04:09 +0900
Fred Baker <fred@cisco.com> wrote:

> 
> On Apr 19, 2005, at 6:50 AM, Li, Qing wrote:
> 
> > 	I just got back from a trip and just caught up on emails.
> > 	I wasn't able to conclude from the NAP thread whether
> > 	the NAP doc will include additional text on proxies, or
> > 	whether there was any suggestion on another document in
> > 	which discussions on IPv6 capable proxies may be more
> > 	appropriate.
> 
> I'm not sure that a real consensus was reached. The nearest thing I 
> heard to a consensus was that proxies deserve their own document, as 
> they are both a v4 and a v6 problem, but that v6-specific issues might 
> be raised in this document.
> 

Here is a summary of what I think were key points of the
discussion. Please correct me if I've misunderstood, misstated or
misrepresented any of them.

I think this draft is specifically addressing the benefits of NAT to
IPv4, and how certain identified properties and configurations of IPv6
can provide those benefits without resorting to address translation. 

Proxies were advocated as another topology hiding tool. 

In a globally addressed scenario (which may be parallel with ULA
addressing), proxies aren't that effective as topology hiding tools, as
they only hide the topology for a specific application protocol, e.g.,
HTTP. Proxies won't hide the topology from techniques that don't use
that specific application protocol. There are quite a number of
discovery techniques that could be successfully used as alternatives in a
proxied combined global / ULA scenario.

In a ULA only scenario, proxies at the edge of the ULA / Global boundary
would provide a topology hiding feature. Two drawbacks though are that
this breaks end-to-end, which is one of the things (I think) IPv6 is
intended to restore; proxies have to be configured correctly, to ensure
they don't proxy internal, ULA located resources for globally located
nodes, which would defeat the fundamental purpose of deploying ULA only
and a proxy in the first place, namely hiding the internal network yet
providing access to global resources. Accessing internal resources from
global nodes could be seen to be a form of topology discovery - it may
provide enough internal information for other attack methods such as
social engineering. Proxies don't inherently provide full topology
hiding, even for the application protocol they support - they have to be
configured correctly first.

This draft is specifically addressing features of IPv6 that provide
IPv4+NAT benefits, and proxies aren't IPv6 specific, so detailing their
use in this draft may be out of scope. I personally thought they
shouldn't be mentioned at all, others thought they could be mentioned,
but not in detail, because they aren't IPv6 specific.

I think that is all the points discussed; please add any if I've missed
them. The discussion seemed to die off there; possibly that means
consensus was reached?

Regards,
Mark.

-- 

    The Internet's nature is peer to peer.