Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)

Adrian Chadd adrian at creative.net.au
Tue Oct 2 13:05:50 UTC 2007


On Tue, Oct 02, 2007, Iljitsch van Beijnum wrote:

> Yes, but it's the IPv4 NAT we all know and love (to hate). So this  
> means all the ALGs you can think of already exist and we get to leave  
> that problem behind when we turn off IPv4. Also, not unimportant: it  
> allows IPv4-only applications to work trivially. Another advantage is  
> that hosts with different needs can get different classes of tunneled  
> IPv4 connectivity even though they happen to live on the same subnet,  
> something that's hard to do with native IPv4.

Please explain how you plan on getting rid of those protocol-aware plugins
when IPv6 is widely deployed in environments with -stateful firewalls-.

Please don't say I'm the only one who thinks this will be a problem.

End-to-end-ness is and has been "busted" in the corporate world AFAICT
for a number of years. IPv6 "people" seem to think that simply providing
globally unique addressing to all endpoints will remove NAT and all
associated trouble. Guess what - it probably won't. Plenty of places run
a locked down firewall with a tight security policy that requires PERMITs
in the firewall policy before access out is needed. These are going
to need similar ALGs to NAT, even if they're not "fiddling" with
end-point addresses.

Could someone explain how I'm wrong so I can worry about other things?




Adrian
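
Added example, not part of the original message: a toy default-deny stateful filter that never rewrites addresses, showing that an active-mode FTP data connection between two global IPv6 addresses is still dropped unless the firewall parses the control channel's EPRT command (RFC 2428). The class and function names, addresses and ports are constructed for illustration.

```python
import ipaddress
import re

# RFC 2428 EPRT for IPv6: "EPRT |2|<address>|<port>|". The FTP client names
# the address and port the server should connect back to (active mode).
EPRT = re.compile(r"EPRT \|2\|([0-9A-Fa-f:]+)\|(\d{1,5})\|")

class StatefulFirewall:
    """Default-deny filter with explicit outbound PERMITs; it never rewrites addresses."""

    def __init__(self, permitted_ports, ftp_alg=False):
        self.permitted_ports = set(permitted_ports)
        self.ftp_alg = ftp_alg
        self.flows = set()      # (inside, inside_port, outside, outside_port)
        self.pinholes = set()   # (outside, inside, inside_port) expected inbound

    def outbound(self, src, sport, dst, dport, payload=""):
        if dport not in self.permitted_ports:
            return False
        self.flows.add((src, sport, dst, dport))
        if self.ftp_alg and dport == 21:
            self._inspect_ftp(src, dst, payload)
        return True

    def _inspect_ftp(self, src, dst, payload):
        m = EPRT.fullmatch(payload.strip())
        if not m or not 0 < int(m.group(2)) < 65536:
            return
        try:
            announced = ipaddress.IPv6Address(m.group(1))
        except ValueError:
            return
        # Only open a pinhole towards the host that sent the command.
        if announced == ipaddress.IPv6Address(src):
            self.pinholes.add((dst, src, int(m.group(2))))

    def inbound(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.flows:
            return True                       # reply on a tracked flow
        if (src, dst, dport) in self.pinholes:
            self.pinholes.discard((src, dst, dport))
            self.flows.add((dst, dport, src, sport))
            return True                       # related flow announced in-band
        return False                          # default deny

def active_ftp_data_allowed(ftp_alg):
    client, server = "2001:db8:1::10", "2001:db8:2::21"  # constructed addresses
    fw = StatefulFirewall(permitted_ports={21}, ftp_alg=ftp_alg)
    fw.outbound(client, 40000, server, 21, f"EPRT |2|{client}|50000|\r\n")
    return fw.inbound(server, 20, client, 50000)
```

The pinhole is single-use and bound to the address of the host that sent the command, so an EPRT naming some other inside host opens nothing.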