[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: draft-ietf-v6ops-nap-04
Thanks Margaret.
We've just received a revised set of DISCUSS comments from Cullen at
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_comment&id=58529
which we are digesting. I suspect all your substantive issues
will be addressed during that digestion, except two:
Margaret Wasserman wrote:
...
> o One approach uses explicit host routes in the IGP to remove the
> external correlation between physical topology attachment point
> and end-to-end IPv6 address. In the figure below the hosts would
> be allocated prefixes from one or more logical subnets, and would
> inject host routes to internally identify their real attachment
> point. This solution does however show severe scalability issues
> and requires hosts to securely participate in the IGP, as well as
> having the firewall block all external to internal traceroute for
> the logical subnet. The specific limitations are dependent on the
> IGP protocol, the physical topology, and the stability of the
> system. In any case the approach should be limited to uses with
> substantially fewer than the maximum number of routes that the IGP
> can support (generally between 5,000 and 50,000 total entries
> including subnet routes). Hosts should also listen to the IGP for
> duplicate use before finalizing an interface address assignment as
> the duplicate address detection will only check for use on the
> attached segment, not the logical subnet.
[Substantive] This is a _much_ improved description of this mechanism.
However, I am still of the opinion that an informational document is not
the right place to define a new untraceable addressing mechanim.
It certainly can't purport to be a formal spec. But removing it
would leave a hole. Would you be OK with adding some clear
disclaimer text saying that it is not a formal spec?
...
> o On a local network, any user will have more security awareness.
> This awareness will motivate the usage of simple firewall
> applications/devices to be inserted on the border between the
> external network and the local (or home network) as there is no
> Address Translator and hence no false safety perception.
[Substantive] IPv6 will not make users have more security awareness.
When we say something like this, we are emitting the same type of
marketing hype that we deride in the vendors of NAT products. This
bullet should just be omitted.
Yes, it's a bit slack, and naive about the way real users behave.
Brian
- References:
- [no subject]
- From: Margaret Wasserman <margaret@thingmagic.com>