Looking for comments

• Previous message (by thread): Looking for comments
• Next message (by thread): Looking for comments
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Bill,

On 2010-07-22 19:49, William Herrin wrote:
> On Wed, Jul 21, 2010 at 5:37 PM, Owen DeLong <owen at delong.com> wrote:
>>>> http://tools.ietf.org/html/draft-arkko-ipv6-transition-guidelines
>>> There is a third major challenge to dual-stack that isn't addressed in
>>> the document: differing network security models that must deliver the
>>> same result for the same collection of hosts regardless of whether
>>> Ipv4 or v6 is selected. I can throw a COTS d-link box with
>>> address-overloaded NAT on a connection and have reasonably effective
>>> network security and anonymity in IPv4. Achieving comparable results
>>> in the IPv6 portion of the dual stack on each of those hosts is
>>> complicated at best.
>>>
>> Actually, it isn't particularly hard at all... Turn on privacy addressing
>> on each of the hosts (if it isn't on by default) and then put a linux
>> firewall in front of them with a relatively simple ip6tables configuration
>> for outbound only.
> 
>>From the lack of dispute, can I infer agreement with the remainder of
> my comments wrt mitigations for the "one of my addresses doesn't work"
> problem and the impracticality of the document's section 4.3 and 4.4
> for wide scale Ipv6 deployment?

As for those two scenarios (IPv6-only ISPs and IPv6-only clients, to simplify
them), the document doesn't place them as first preference solutions.
However, the fact is that various *extremely* large operators find themselves
more or less forced into these scenarios by IPv4 exhaustion. I think it's
more reasonable to describe solutions for them than to rule their
problem out of order.

   Brian

• Previous message (by thread): Looking for comments
• Next message (by thread): Looking for comments
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]