Rémi Després wrote:
> Jeroen Massar wrote :
>> Yes, IPv4-mapped/compat was a good idea, and using it correctly
>> internally in an application is probably a good move.
>
> Yes. IMHO a nice and clean design.
>
>> But using it on the wire or when presenting it to users is definitely not.
>
> Why ???

Because ::x.x.x.x and ::ffff:x.x.x.x are IPv4, it is not IPv6.

> Consider in particular a dual stack site with a private IPv4 space. Its CPE, which has a NATv4-v4, may also have a NATv6-v4. If it has one, and if it uses it for outgoing packets that have 0::/64

::/96 you mean I guess ;)

> destinations, IPv6-only hosts on the LAN can establish connections with IPv6 *AND* IPv4 remote hosts.

Why are you trying to translate IPv4 -> IPv6 to IPv4 and introduce state at the two translators, not even thinking of the mess it has to create for NATting these packets? You can simply do IPv4 -> IPv4.

> IMHO this is nice and clean.

That is very dirty in my opinion.

> On the other hand, reasons for such a definite statement as "never a mapped address on any wire" have to be presented.

How do you write your firewall? The user has IPv4 enabled, they have a working IPv4 firewall. IPv6 gets enabled, and suddenly the IPv4 firewall is completely moot as it can be bypassed by sending those packets as IPv6 in the ::/96 range. Ouch.

> The reference I know on the subject is file:///Users/Pro/Documents/_%20TECHNIQUE%20/IPv6-IPv4/MSG%20Itojun%20Hagino%20-%20Mapped%20addresses%20Considered%20Harmful00301.html

I am pretty sure I can't reach that location.

Greets,
 Jeroen
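The firewall concern raised in the message above, as an added example that is not part of the original thread: a ruleset with only IPv4 rules never inspects a packet whose source is written as `::ffff:x.x.x.x` or `::x.x.x.x`, while a filter that rejects both embedded-IPv4 prefixes on the wire closes that gap. The block list, the function names and the model of an IPv4-only ruleset passing IPv6 uninspected are assumptions made for illustration.

```python
import ipaddress

MAPPED = ipaddress.ip_network("::ffff:0:0/96")  # IPv4-mapped, ::ffff:x.x.x.x
COMPAT = ipaddress.ip_network("::/96")          # IPv4-compatible, ::x.x.x.x
# :: and ::1 fall inside ::/96 but carry no IPv4 address.
NOT_EMBEDDED = {ipaddress.ip_address("::"), ipaddress.ip_address("::1")}

# Constructed policy: sources the existing IPv4 firewall blocks.
IPV4_BLOCKED = [ipaddress.ip_network("192.0.2.0/24")]


def embedded_ipv4(addr):
    """Return the IPv4 address carried in the low 32 bits, or None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip in NOT_EMBEDDED:
        return None
    if ip in MAPPED or ip in COMPAT:
        return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    return None


def ipv4_only_verdict(src):
    """Assumed model of a ruleset with IPv4 rules only: IPv6 is not inspected."""
    ip = ipaddress.ip_address(src)
    if ip.version == 6:
        return "accept"  # no IPv6 rule exists, so the packet passes
    return "drop" if any(ip in net for net in IPV4_BLOCKED) else "accept"


def hardened_verdict(src, dst):
    """Drop any on-wire packet whose source or destination embeds IPv4."""
    for addr in (src, dst):
        v4 = embedded_ipv4(addr)
        if v4 is not None:
            return "drop", f"{addr} embeds {v4}"
    ip = ipaddress.ip_address(src)
    if ip.version == 4 and any(ip in net for net in IPV4_BLOCKED):
        return "drop", f"{src} is on the IPv4 block list"
    return "accept", ""


if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    packets = [("192.0.2.10", "198.51.100.5"),
               ("::ffff:192.0.2.10", "2001:db8::5"),
               ("::192.0.2.10", "2001:db8::5"),
               ("2001:db8::10", "2001:db8::5")]
    for src, dst in packets:
        print(src, ipv4_only_verdict(src), hardened_verdict(src, dst))
```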