
Re: Review: draft-ietf-v6ops-nap-01.txt




> As an aside, when you say 'topology hiding' Gunter, do you really mean
> subnet/link topology, or the number of hosts, or...?

When I see 'topology hiding' I make a reference that an entity outside the network cannot make any correlation between the location of a device and the address of a device on the local network.

This is something that can be achieved with MIP without losing
any of the end-to-end aspects. Same for the /128 PI addresses.
There could be additional mechanisms, some simple, some more complex.

The draft is not meant to recommend usage of any of these; however, it is meant to
inform people that there are possibilities to achieve a similar result
without address translation. By mentioning that 'topology hiding' is
useless, that it makes no sense and is complete brainless nonsense, well,
in that case many NAT-biased people who sincerely believe in
topology hiding may find IPv6 a 'too risky protocol that does not
provide the same features and functionality as IPv4 with respect to security'.

Don't get me wrong.. I do not believe in topology hiding myself; however,
many people do, and we have to offer alternatives, and that is what the
document is about. A potential alternative solution is to make a v6ops
study on the value of topology hiding when using IPv6, and by that
disarm the motivation to make use of either MIP, /128 or any other complex
mechanisms.

Greetings,
G/

At 09:29 23/08/2005 +0100, Tim Chown wrote:
On Tue, Aug 23, 2005 at 03:54:39PM +0800, Fred Baker wrote:
>
> On Aug 23, 2005, at 3:17 PM, Gunter Van de Velde (gvandeve) wrote:
>
> >Unfortunately the industry need for having a tool to provide
> >topology hiding is
> >real.... and is very easy to deploy in the IPv4 world by using
> >address translation, hence
> >the IPv6 community better provides some solution for this and the
> >MIPv6
> >one seems most appropriate to me at the moment. (The /128 ULAs are
> >a different
> >story)
>
> Compared to having an address space one doesn't advertise outside,
> mobile ip v6 seems really complex. I'm not fond of ULAs, but as I
> said in another context, simply having a prefix that is not
> advertised seems quite sufficient for hiding internal-only systems.
> And it's only the internal-only systems any of this hides; systems
> that can be seen from the outside can be seen from the outside, and
> the fact that they are on the same or different LANs is really
> window-dressing compared to that.

My view is along those of Stig and Fred.

Given how NAP is in itself a 're-education' tool, we could/should use it
as an opportunity to highlight what can be done with IPv6.   The schemes
for topology hiding proposed to date add back a lot of the complexity that
IPv6 in principle removes.   I really don't agree with the NAP draft's
approach on the topology hiding issue, though otherwise I think it's an
excellent document.  I think some simpler words can be said, and MIPv6
or host routing avoided (or Mark's scheme, sorry :).

As an aside, when you say 'topology hiding' Gunter, do you really mean
subnet/link topology, or the number of hosts, or...?

--
Tim/::1