Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)
Stephen Sprunk
stephen at sprunk.org
Tue Oct 2 17:31:27 UTC 2007

Thus spake "Iljitsch van Beijnum" <iljitsch at muada.com>
> On 2-Oct-2007, at 11:36, John Curran wrote:
>> The proxy&tunnel vs NAT-PT differences of opinion are entirely
>> based on deployment model... proxy has the same drawbacks
>> as NAT-PT,
>
> The main issue with a proxy is that it's TCP-only. The main issue with
> NAT-PT is that the applications don't know what's going on.
> Rather different drawbacks, I'd say.

There are several different mechanisms devices can use to discover they're
behind a NAT(-PT) if they care. Most do not, and those that do often can't
do anything about it even if they know.

>> only without the attention to ALG's that NAT-PT will receive,
>
> ALGs are not the solution. They turn the internet into a telco-like
> network where you only get to deploy new applications when the
> powers that be permit you to.

That's somewhat true if you rely on a NAT-PT upstream. However, you can run
your own NAT-PT box, decide what ALGs to run, and bypass the upstream NAT-PT
since you will _appear_ to be a natively dual-stacked site. Of course,
you're limited by the vendor writing the ALGs in the first place, but that's
just an argument for OSS. Or perhaps it's an argument for deploying real v6
support and getting rid of NAT-PT entirely.

The alternative to NAT-PT is multilayered v4 NAT, which has the same problem
you describe except there's no way out.

>> and tunnelling is still going to require NAT in the deployment
>> mode once IPv4 addresses are readily available.
>
> Yes, but it's the IPv4 NAT we all know and love (to hate). So this means
> all the ALGs you can think of already exist and we get to
> leave that problem behind when we turn off IPv4.

We'll still need all those ALGs for v6 stateful firewalls. Might as well
put them to use in NAT-PT during the transition between the ALG'd starting
phase (all v4) and the ALG'd ending phase (all v6).

> Also, not unimportant: it allows IPv4-only applications to work
> trivially.

Any applications that work "trivially" through v4 NAT will also work
"trivially" through NAT-PT and v6 stateful firewalls. The interesting apps
are the ones that don't work through NAT or firewalls without ALGs.

If you're making some silly argument about non-NAT v4 access, well, you're
over a decade out of touch with reality. The number of v4 hosts that are
_not_ behind a NAT is negligible today.

S

Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking