RE: The argument for writing a general purpose NAT for IPv6
I am slightly confused here. The NAP document is a document that
describes how what you have with NAT can be done natively with
IPv6 (without the header modification option), and this is seen
in both the abstract and the introduction.
<>
Abstract
Although there are many perceived benefits to Network Address
Translation (NAT), its primary benefit of "amplifying" available
address space is not needed in IPv6. In addition to NAT's many
serious disadvantages, there is a perception that other benefits
exist, such as a variety of management and security attributes that
could be useful for an Internet Protocol site. IPv6 was designed
with the intention of making NAT unnecessary, and this document shows
how Local Network Protection (LNP) using IPv6 can provide the same or
more benefits without the need for address translation.
<>
And there is also in the introduction
<>
This document describes the uses of a NAT device in an IPv4
environment that are regularly cited as 'solutions' for perceived
problems. It then shows how the goals of the network manager can be
met in an IPv6 network without using the header modification feature
of NAT. It should be noted that this document is 'informational', as
it discusses approaches that will work to accomplish the goals of the
network manager. It is specifically not a BCP that is recommending
any one approach, or a manual on how to configure a network.
<>
To come back to the question of a simple firewall:
1) if a CPE is running NAT, then it tends to have stateful behaviour
for filtering aspects
thus
2) If this is what you want, then just implement the stateful behaviour
with IPv6.
Will the end result be the same wrt stateful filtering?
I don't understand the problem discussed and maybe there is need
for a problem statement draft to clear out the confusion.
G/
-----Original Message-----
From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On
Behalf Of Gert Doering
Sent: Thursday, April 19, 2007 2:30 AM
To: james woodyatt
Cc: IETF V6OPS WG
Subject: Re: The argument for writing a general purpose NAT for IPv6
Hi,
On Wed, Apr 18, 2007 at 03:45:40PM -0700, james woodyatt wrote:
> On Apr 18, 2007, at 15:35, Gert Doering wrote:
> >I share the sentiment that "unmanaged networks and stateful
> >firewalls" is a problematic scenario, but it seems that this is what
> >we *have* (due to not-so-well informed decision processes).
>
> I don't think I would agree with this characterization of how we have
> arrived at the present situation. As the authors of draft-ietf-nap
> have noted, the situation is the result of the most informed community
> of Internet experts in the world, the IETF, recognizing its own
> technical consensus about the need for stateful firewalls in
> residential gateways.
Well, just to clarify this. I didn't mean to imply that *you* have been
"not so well-informed" - but the whole process went wrong.
Please do also note that a single IETF *draft* is not necessarily "the
IETF consensus", but "a single working group in the IETF, and most
likely just a few individuals in that working group that found time to
read the draft and comment on it" - and it's very well possible that
these individuals have overlooked some of the implications that this
might bring with it.
Personally, I am guilty of not having read the NAP draft in detail - the
general direction "we don't need NAT with IPv6" was something I agreed
to, but the consequence "if we require stateful firewalls on zero-conf
networks, we will have lots of interesting new problems" was something
at least I didn't think of.
[..]
> If anything, I would have to accept my share of personal
> responsibility for my involvement in allowing Apple to ship the first
> release of firmware for the AirPort Extreme base station *without* the
> stateful firewall protecting its unmanaged local network. This was
> clearly an uninformed decision, and Apple was roundly disparaged
> in the technical press for it-- presumably by well-informed critics.
> This mistake might have been avoided if I had seen draft-ietf-nap
> sooner than I did.
I can't agree with this assessment. I think that people who complain
about "this device has no (automatic, zero-conf and default-on)
firewall!!!" when there is no mechanism yet to distribute policy
information between hosts behind the firewall and the firewall itself
are doing IPv6 a disservice, and are not very well-informed.
(I hope that Apple AirPort Extreme base station has a configuration knob
to turn *off* the IPv6 firewall - otherwise I won't buy one.
I have a firewall in my network, which is configured to let in those
packets I want to see there, and a zero-conf-everything-disallowed
firewall would break stuff)
Gert Doering
-- NetMaster
--
Total number of prefixes smaller than registry allocations: 113403
SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
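The question at the top of this thread is whether the "stateful behaviour" a NAT CPE gives you for filtering can be reproduced in IPv6 without rewriting headers, and Gert's reply adds the operator's side of it: a firewall configured to let in the packets he wants to see. The following is an added example, not code from the thread or from any of the drafts it cites, written to show both points in one place. It is a toy connection tracker: outbound LAN-to-WAN packets create flow state, inbound packets are accepted only if they match an existing flow, an explicitly configured pinhole, or one of the ICMPv6 error types (Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem) that RFC 4890 says a firewall must not drop; idle flows expire. The LAN prefix 2001:db8:1::/64, the addresses, the 120-second idle timeout and the Packet model (no TCP flag tracking, no matching of the inner header of ICMPv6 errors to a flow) are constructed simplifications.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Constructed values for the example: documentation prefix (RFC 3849) for the
# CPE's LAN side, and an idle timeout after which flow state is forgotten.
LAN = IPv6Network("2001:db8:1::/64")
IDLE_TIMEOUT = 120  # seconds

# ICMPv6 error messages RFC 4890 says must not be dropped:
# 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem.
ICMPV6_ERRORS_MUST_PASS = {1, 2, 3, 4}


@dataclass(frozen=True)
class Packet:
    """Minimal view of a forwarded packet (constructed model, no TCP flags)."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0  # only meaningful for icmpv6

    def direction(self) -> str:
        src_lan = IPv6Address(self.src) in LAN
        dst_lan = IPv6Address(self.dst) in LAN
        if src_lan and not dst_lan:
            return "out"
        if dst_lan and not src_lan:
            return "in"
        return "other"   # intra-LAN or WAN-WAN: not the CPE's concern here


class StatefulFilter:
    """NAT-style stateful filtering without address translation."""

    def __init__(self, pinholes=()):
        # Explicit inbound allow rules: (proto, lan_address, port).
        # This is the "packets I want to see" part of a configured firewall.
        self.pinholes = set(pinholes)
        # Flow table: (proto, src, sport, dst, dport) -> time last seen.
        self.flows = {}

    def _expire(self, now: int) -> None:
        self.flows = {k: t for k, t in self.flows.items() if now - t <= IDLE_TIMEOUT}

    def decide(self, pkt: Packet, now: int):
        """Return (verdict, reason) for one packet at time `now`."""
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        direction = pkt.direction()

        if direction == "out":
            self.flows[key] = now               # LAN initiated: remember the flow
            return "ACCEPT", "outbound, state created"
        if direction != "in":
            return "DROP", "not a LAN<->WAN packet"

        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            self.flows[reverse] = now           # reply to a LAN-initiated flow
            return "ACCEPT", "return traffic for existing flow"
        if pkt.proto == "icmpv6" and pkt.icmp_type in ICMPV6_ERRORS_MUST_PASS:
            # A real conntrack would also match the quoted inner header to a
            # flow (RELATED); this toy accepts the error types outright.
            return "ACCEPT", "ICMPv6 error message (RFC 4890)"
        if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            return "ACCEPT", "explicit pinhole"
        return "DROP", "unsolicited inbound"


def demo():
    """Walk a few constructed packets through the filter; returns the verdicts."""
    lan_host, wan_host = "2001:db8:1::10", "2001:db8:ffff::1"
    fw = StatefulFilter(pinholes={("tcp", lan_host, 22)})   # SSH opened on purpose
    verdicts = [
        fw.decide(Packet(lan_host, wan_host, "tcp", 40000, 80), now=0)[0],   # outbound HTTP
        fw.decide(Packet(wan_host, lan_host, "tcp", 80, 40000), now=1)[0],   # its reply
        fw.decide(Packet(wan_host, lan_host, "tcp", 12345, 445), now=2)[0],  # unsolicited SMB
        fw.decide(Packet(wan_host, lan_host, "tcp", 50000, 22), now=3)[0],   # pinholed SSH
        fw.decide(Packet(wan_host, lan_host, "icmpv6", icmp_type=2), now=4)[0],  # Packet Too Big
        fw.decide(Packet(wan_host, lan_host, "tcp", 80, 40000), now=500)[0], # reply after state expired
    ]
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT', 'ACCEPT', 'DROP']
```

The last packet in `demo()` is the edge case a zero-conf, default-on firewall quietly creates: once the flow entry has aged out, a late reply is indistinguishable from an unsolicited probe and is dropped, which is exactly the kind of breakage a default-deny box imposes on a network whose owner never asked for it. The pinhole set is the only place where the host's intent reaches the filter, and the thread's point is that in 2007 there was no standard way to populate it from the hosts behind the CPE.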