Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)

Iljitsch van Beijnum iljitsch at muada.com
Tue Oct 2 20:33:43 UTC 2007


On 2-Oct-2007, at 15:56, Stephen Sprunk wrote:

> Second, the ALGs will have to be (re)written anyways to deal with  
> IPv6 stateful firewalls, whether or not NAT-PT happens.

That's one solution. I like the hole punching better because it's  
more general purpose and better adheres to the principle of least  
astonishment.

> That's the purpose of an ALG.  Requiring users to modify their home  
> router config or put in a change request with their IT department  
> for a firewall exception is a non-starter if you want your app to  
> be accepted.

Hence UPnP and NAT-PMP, plus about half a dozen protocols the IETF is  
working on.

>> Huh? They both do, that's the point. (Although the former doesn't   
>> work for everything and the latter removes the "IPv6-only" status   
>> from the host if not from the network it connects to.)

> The former only handles outbound TCP traffic, which works through  
> pure NAT boxes as it is.

BitTorrent is TCP, but it sure doesn't like NAT because it gets in  
the way of incoming sessions.

> The latter "solution" ignores the problem space by telling people  
> to not be v4-only anymore.

Decoding IPv4 packets on a host is trivial; they already have all the  
necessary code on board. It's building an IPv4 network that's a burden.

>> Could you please explain what problems you see with the
>> proxy/tunnel approach and why you think NAT-PT doesn't have
>> these problems?

> NAT-PT works for more apps/protocols.

Disagree. Tunneling gives you actual IPv4 so obviously that will  
always be better than translation.

> One of the problems with a proxy is that you have to configure  
> hosts to use it, and all traffic flows through it whether it's  
> needed or not.  Obviously we could make the clients smarter, but  
> then you're back to the decade problem.  It's too late for that.

Automatic proxy configuration already exists. I agree that having  
IPv6 traffic go through a proxy is unnecessary but that can be fixed.

And there's no such thing as "too late" (if there were, the IETF  
would have been out of business long ago): problems stick around  
until you fix them.

>> There is a difference between the networks and the hosts.
>> Upgrading networks to dual stack isn't that hard, because it's
>> built of only a limited number of different devices.

> *giggle*  You mean like the 90% of hosts that will be running Vista  
> (which has v6 enabled by default) within a couple years?  Or the  
> other 10% of hosts that have had v6 enabled for years?

> The problem isn't the hosts.  It isn't even really the core  
> network.  It's all the middleboxes between the two that are v4-only  
> and come from dozens of different clue-impaired vendors.

You forget that the majority of applications need to be changed to  
work over IPv6. If I turn off IPv4 on my Mac and use some magic to go  
from v6 to v4, I can get to the web and do stuff like ssh and ftp,  
but most other applications don't work because they don't support  
IPv6 yet.

On 2-Oct-2007, at 16:10, Stephen Sprunk wrote:

>> You just open up a hole in the firewall where appropriate.

> You obviously have no experience working in security.

Who wants those headaches?

> You can't trust the OS (Microsoft?  hah!), you can't trust the  
> application (malware), and you sure as heck can't trust the user  
> (industrial espionage and/or social engineering).  The only way  
> that address-embedding protocols can work through a firewall,  
> whether it's doing NAT or not, is to use an ALG.

You assume a model where some trusted party is in charge of a  
firewall that separates an untrustworthy outside and an untrustworthy  
inside. This isn't exactly the trust model for most consumer networks.

Also, why would you be able to trust what's inside the control  
protocol that the ALG looks at any better than anything else?

> The defense and healthcare industries will force vendors to write  
> those ALGs (actually, make minor changes to existing ones) if they  
> care about the protocols in question because they have no choice --  
> security is the law.

Seems to work well, that law.

But these people don't complain when their video streaming/chatting  
doesn't work out of the box. These are highly specialized setups that  
are really beyond what general purpose hard- and software can be  
expected to cope with.

> Even for home users, most have zero clue how to "open a hole" in  
> their home firewall.

Repeat after me: UPnP, NAT-PMP.
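The "hole punching" the post keeps coming back to is, for NAT-PMP, a 12-byte UDP request to the gateway and a 16-byte reply. The following is an added example written for this page, not code from the original thread or from any NAT-PMP implementation: it builds the RFC 6886 mapping request, parses the reply, and makes the checks a client should make before trusting the answer (version, opcode matching the request, result code, and whether the gateway's uptime counter went backwards, which means it rebooted and every earlier mapping is gone). The reply bytes in the demo are constructed inline so it runs offline; the gateway address, the internal port 6881 (a BitTorrent-style listener, since BitTorrent is the example the post uses) and the 7200-second lifetime are assumptions, not values from the page.

```python
"""
Minimal NAT-PMP (RFC 6886) port-mapping client.

Added example for this page, not code from the NANOG thread. The gateway
address, port numbers and lifetimes used here are assumed for illustration.
"""
import socket
import struct

NATPMP_PORT = 5351   # the gateway listens on UDP 5351 (RFC 6886)
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESULT_CODES = {
    0: "success",
    1: "unsupported version",
    2: "not authorized / refused",
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


def build_mapping_request(proto, internal_port, external_port=0, lifetime=3600):
    """Build the 12-byte request: version 0, opcode, 16 reserved bits,
    internal port, suggested external port, lifetime in seconds.
    external_port=0 lets the gateway pick; lifetime=0 deletes the mapping."""
    if proto not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("proto must be OP_MAP_UDP or OP_MAP_TCP")
    return struct.pack("!BBHHHI", 0, proto, 0, internal_port, external_port, lifetime)


def parse_mapping_response(data, expected_proto):
    """Parse the 16-byte reply: version, opcode (128 + request opcode),
    result code, seconds since the gateway's mapping table was reset,
    internal port, mapped external port, granted lifetime.
    Malformed or mismatched replies raise; a refusal is returned as a
    non-zero "result" for the caller to act on."""
    if len(data) != 16:
        raise ValueError("bad NAT-PMP response length %d" % len(data))
    vers, op, result, epoch, in_port, ext_port, life = struct.unpack("!BBHIHHI", data)
    if vers != 0:
        raise ValueError("unsupported NAT-PMP version %d" % vers)
    if op != 128 + expected_proto:
        # A reply to some other request (or a spoofed one) must not be
        # taken as an answer to ours.
        raise ValueError("opcode %d does not match the request" % op)
    return {
        "result": result,
        "result_text": RESULT_CODES.get(result, "unknown code %d" % result),
        "epoch": epoch,
        "internal_port": in_port,
        # May differ from the suggested port: advertise THIS one to peers.
        "external_port": ext_port,
        # May be shorter than requested: refresh before it expires.
        "lifetime": life,
    }


def gateway_rebooted(previous_epoch, current_epoch):
    """True if the gateway's uptime counter went backwards, i.e. it lost
    its mapping table and the client must re-request every mapping."""
    return current_epoch < previous_epoch


def request_mapping(gateway_ip, proto, internal_port, external_port=0, lifetime=3600):
    """Send the request to a real gateway (assumed to be the default router)
    with RFC 6886's retry schedule: 250 ms, doubling, at most 9 attempts."""
    req = build_mapping_request(proto, internal_port, external_port, lifetime)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        timeout = 0.25
        for _ in range(9):
            sock.sendto(req, (gateway_ip, NATPMP_PORT))
            sock.settimeout(timeout)
            try:
                data, _addr = sock.recvfrom(16)
            except socket.timeout:
                timeout *= 2
                continue
            return parse_mapping_response(data, proto)
        raise TimeoutError("no NAT-PMP reply from %s" % gateway_ip)
    finally:
        sock.close()


def demo():
    """Offline walk-through with a constructed gateway reply: the gateway
    grants the TCP mapping but moves it to external port 60001."""
    req = build_mapping_request(OP_MAP_TCP, 6881, 6881, 7200)
    # Constructed reply bytes, not captured traffic: success, 12345 s uptime.
    reply = struct.pack("!BBHIHHI", 0, 128 + OP_MAP_TCP, 0, 12345, 6881, 60001, 7200)
    mapping = parse_mapping_response(reply, OP_MAP_TCP)
    if mapping["result"] != 0:
        raise RuntimeError("gateway refused: " + mapping["result_text"])
    return req, mapping


if __name__ == "__main__":
    request, granted = demo()
    print("request bytes:", request.hex())
    print("granted mapping:", granted)
```

Note what the exchange does not contain: no credential, no identity of the requesting process, nothing the gateway can use to decide whether this mapping should exist. Any code running on the inside can open the hole, which is exactly the difference in trust model the two sides of the thread are arguing about.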


