[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

comments on draft-ipv6-v6ops-nat64-pb-statement-req-00

To: IPv6 Operations <v6ops@ops.ietf.org>
Subject: comments on draft-ipv6-v6ops-nat64-pb-statement-req-00
From: Ed Jankiewicz <edward.jankiewicz@sri.com>
Date: Fri, 18 Jul 2008 15:22:34 -0400
User-agent: Thunderbird 2.0.0.14 (Windows/20080421)

in addition to some editorial comments I sent to Marcelo, I have a fewsubstantive comments (some admittedly half-baked) and discussion pointsto raise on the draft. I'm assuming there will be discussion at IETF 72?

1. transition versus coexistence: recognizing that the period ofcoexistence is likely to be longer, I would rather see consistent use ofthe term coexistence rather than transition throughout the document,e.g. coexistence scenarios, coexistence tools, etc.

2. add a sentence in front of the Problem Statement to explicitly statethis motivation, e.g. "Settled opinion on the transition from anIPv4-dominant network to an IPv6-dominant network was that the period ofcoexistence would be brief, and could be accommodated by dual-stack andtunneling. Operationally, we now expect..."

3. Deemphasize dual stack. In para 2.1.1 the statement "the IETFstrongly prefers and recommends [dual stack] as the operational mattersare simplest" begs for a citation. RFC 4213 says dual stack is the moststraightforward but does not include language recommending or preferringthis solution. Also the impetus of this draft is that dual stack solvesonly the simplest part of the problem, and becomes very problematic whenIPv4 addresses really get scarce (approaching rather than reachingexhaustion). Some have already stated (Alain Durand I recall sayingsomething like) "a plan that requires all new end-nodes to be dual-stackand to have global IPv4 addresses is a non-starter." Also an emphasison dual stack creates a "must carry" situation where the core networkcontinues to route IPv4 indefinitely. While we say in para 2.2 thatturning off IPv4 will be a business decision, the ISP can't make thatchoice without alienating customers that rely on dual stack. I canstill plug in a 50 year old rotary dial phone and expect the local telco(in the USA at least) to make it work, even though DTMF has been thedominant method for nearly that long.

4. tunnel versus dual NAT: in para 2.1.2 the statement that IETFrecommends tunnels rather than dual NAT - that also would need acitation, unless this document is making the statement for the firsttime. Also, I believe if the two NATs know they are in a reflexiverelationship, they can avoid at least some of the general NAT problems -i.e. they should not attempt to translate addresses in application data.

5. translation network architecture: this may be beyond scope, but itseems to me that in para 2.1.3 there could be several sub-scenariosdepending on the location of the translatora. translator coupled to IPv6 end-nodes (IPv6 on the LAN side, IPv4on the WAN side)b. translator coupled to IPv4 end-nodes (IPv4 on the LAN side, IPv6on the WAN side)

   c.  in-network translation gateway (most like NAT-PT)

There are some commercial products in development that fit thesesub-scenarios, and each has its own strengths and weaknesses. Pullingthe translator into an IPv6-only or IPv4-only edge network (a or b)avoids some issues and those developers made the choice to restrictdeployment architecture to simplify their job. The different deploymentarchitectures also have impact on the addressing concerns (para 3.3) andnamespace (para 3.4).

6. para 3.5 on market timing seems out of place as animplementation/deployment statement in a requirements draft

7. Requirement R3 would be better stated in the negative: Translationmechanism MUST NOT interfere with native connectivity...depending wherethe NAT64 is in the network it may be a pass-through, or it may not beinvolved at all in the native flow and thus do nothing but non-interference.

8. Requirement R4 is very broad. the essence of translating DNS insupport of NAT64 is to map a query on one side to the equivalent queryon the other, and do the same with the response. Of course that mappingof names and addresses is non-trivial. It might help to illustrate thismapping process as well as some of the bad behavior that must be avoided.

9. Requirement R5 seems to forbid any routing table update, but don'tthe addresses that the NAT64 is mapping have to be routable?

10. Requirement R6 lists a few protocols, but I'm sure others might beseen as highly desirable too. Are we avoiding ALG issues by notmentioning higher level protocols like FTP?

11. where does the interpretation in Requirement R7 that sees the IPv6side being like the private side of an IPv4 NAT come from? theopposite could be reasonable too - i.e. if there is no NAT between theNAT64 and the v4-only nodes the v4-only nodes might be using privateaddresses, and the IPv6 side of the NAT64 is the public side. The wayit is described in R7, the IPv6 addresses are like IPv4 privateaddresses, mapped to the global addresses on the public side.

12. Requirement R9 is a noble statement but hardly a "testable"requirement; at least we should cite RFC 4942 as guidance, and analyzesome of the security issues that arise in the different scenarios andarchitectures discussed in the draft.




--
Ed Jankiewicz - SRI International

Fort Monmouth Branch Office - IPv6 ResearchSupporting DISA Standards Engineering Branch732-389-1003 or ed.jankiewicz@sri.com

Follow-Ups:
- Re: comments on draft-ipv6-v6ops-nat64-pb-statement-req-00
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: comments on draft-ipv6-v6ops-nat64-pb-statement-req-00
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>

Prev by Date: RE: New (-02) version of IPv6 CPE Router draft is available for review
Next by Date: RE: New (-02) version of IPv6 CPE Router draft is available for review
Previous by thread: changes to draft-ietf-v6ops-nat64-pb-statement-req-00.txt
Next by thread: Re: comments on draft-ipv6-v6ops-nat64-pb-statement-req-00
Index(es):
- Date
- Thread