[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CPE equipments and stateful filters

To: IPv6 Operations <v6ops@ops.ietf.org>, Behave WG <behave@ietf.org>
Subject: Re: CPE equipments and stateful filters
From: james woodyatt <jhw@apple.com>
Date: Mon, 30 Jul 2007 11:30:40 -0700
In-reply-to: <A2BF01DC-B9DE-47FD-B6E1-9E95B14458E7@cisco.com>
References: <20070723193610.70736233CB@coconut.itojun.org> <319C5A3B-939C-48BD-AF65-93E41F09406B@cisco.com> <200707241931.19400.rdenis@simphalempin.com> <884C56D2-F80F-43F4-91D9-B04A0DD7D484@cisco.com> <20070727180131.GA69215@Space.Net> <A2BF01DC-B9DE-47FD-B6E1-9E95B14458E7@cisco.com>

[ Added BEHAVE working group. ]

On Jul 27, 2007, at 19:44, Fred Baker wrote:

[...] Alain's comment in the plenary Thursday evening that Jamesdocument and my comments on this list advocate NAT are, in the bestpossible case, incorrect - nobody is talking about NAT in IPv6,although I do believe that there will be places that networkoperators choose to use that class of capability. In the worstcase, it constitutes a deliberate misstatement calculated to causeconfusion and troll for a flame war in this venue. I choose tobelieve the former, although I ask myself the question. [...]

I wasn't present for the plenary, so I don't know what M. Durandsaid, but let me clarify my position, which I believe is bestcharacterized as a "warning that we have not quite succeeded inmaking NAT obsolete" with IPv6.

The need to implement what I am now calling "application transparencyhelpers," which function like ALG modules in an IPv4/NAT firewall,but which only help control transport filtering state in response toapplication protocol content without actually coordinating any UNSAFfunction like an ALG does, is a vector by which NAT implementationsmay worm their way back into the IPv6 architecture.

I'm currently looking at source code in OpenBSD PF that appearsdesigned to use IPv6-NAT to redirect application flows to userlandproxies for exactly this purpose. IPv6 support for an FTP"transparency helper" is on my list of things I expect to need, andusing an IPv6 NAT to redirect FTP control flows in and out of myexisting IPv4 FTP proxy looks like the obvious shortest path toworking code. (Similar things will need to be done with all theother major application protocols.)

If IPv6 NAT were truly obsolete, this wouldn't be the case, but itis. Hence, my warning.

Coming away from IETF 69 in Chicago, I'm now convinced that IETF willnot be revisiting its consensus that the public IPv6 internet isintended to be clients behind multiple layers of firewallscommunicating mainly through mediation services in data centers. I'mcertain my employers will have no trouble adapting to this reality.

I'm no longer certain that IPv6 will ever be a suitable replacementfor IPv4/NAT in residential settings, but I see reasons to be hopefulthat all is not lost on that account.



--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Follow-Ups:
- Re: CPE equipments and stateful filters
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- RE: [BEHAVE] Re: CPE equipments and stateful filters
  - From: "Dan Wing" <dwing@cisco.com>

References:
- CPE equipments and stateful filters
  - From: itojun@itojun.org (Jun-ichiro itojun Hagino)
- Re: CPE equipments and stateful filters
  - From: Fred Baker <fred@cisco.com>
- Re: CPE equipments and stateful filters
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>
- Re: CPE equipments and stateful filters
  - From: Fred Baker <fred@cisco.com>
- Re: CPE equipments and stateful filters
  - From: Gert Doering <gert@space.net>
- Re: CPE equipments and stateful filters
  - From: Fred Baker <fred@cisco.com>

Prev by Date: I-D ACTION:draft-ietf-v6ops-teredo-security-concerns-00.txt
Next by Date: Re: I-D ACTION:draft-ietf-v6ops-teredo-security-concerns-00.txt
Previous by thread: RE: CPE equipments and stateful filters
Next by thread: RE: [BEHAVE] Re: CPE equipments and stateful filters
Index(es):
- Date
- Thread