
RE: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)



 

> -----Original Message-----
> From: james woodyatt [mailto:jhw@apple.com] 
> Sent: Wednesday, August 27, 2008 5:54 PM
> To: IPv6 Operations
> Cc: Dan Wing
> Subject: Re: But are we talking IPv6 only? That's how I read 
> the draft. (Re: Some suggestions for 
> draft-ietf-v6ops-cpe-simple-security-03)
> 
> On Aug 27, 2008, at 17:12, Dan Wing wrote:
> > [I wrote:]
> >> On Aug 27, 2008, at 03:17, Mark Smith wrote:
> >>> * Native IPv6 CPE security, plus IPv4 security/functionality
> >>> requirements to support IPv6 transition via IPv4 tunnelling
> >>
> >> It was my understanding that this is the proper scope, not the
> >> alternatives you mentioned.
> >
> > If the scope includes IPv6-over-IPv4 tunnels, then there are two
> > network topologies:
> >
> >  1.  CPE gets a single IPv4 address and is an IPv4 NAPT, or
> >  2.  the residential user gets one IPv4 address for each
> >      device in their home that wants to do an IPv6-over-IPv4
> >      tunnel.
> >
> > If (1), I don't see how unsolicited incoming packets can be
> > directed to the correct host behind the IPv4 NAPT.
> >
> > If (2), we are outside the realm of simple residential networks --
> > they only have one IPv4 address.  We can't plan for more to become
> > common as we approach IPv4 exhaustion.
> >
> > Is there another network topology that I am missing?
> 
> Ah.  I see the confusion.  In the scope of the whole draft, we are
> talking about CPE that can include dual-stack transition mechanisms.
> In the specific scope of R23, the words "upper layer protocol" are
> intended to imply only IPv6 as the outer layer (which may itself be
> tunneled in an IPv4 transition mechanism, but the filtering
> recommendations in this draft are intended for use in applying filters
> inside the tunnel, not to the outside).
> 
> We are not trying to make recommendations about IPv4 simple security  
> in this draft.  This could be made more clear.

I was not expecting the draft to discuss IPv4 simple security.

My confusion -- which persists even after reading your email -- is
what this home network (with a dual-stack CPE) looks like:  which 
device(s) terminate IPv6-over-IPv4 tunnels (the CPE itself?  Or a 
host behind the CPE?), which devices get IPv4 addresses (only the 
CPE itself, or also devices behind the CPE?), and so on.

Network diagrams would go a long ways towards my understanding.
If you could whiteboard such a network diagram and send me a JPG
of the whiteboard, I would be happy to build some ASCII art.

-d