Re: [BEHAVE] [v6ops] protocols without need for ALG ?

Toerless Eckert <> Sat, 01 August 2015 09:33 UTC


On Fri, Jul 31, 2015 at 10:17:16PM +0200, Tore Anderson wrote:
> Yep, but be aware that with SIIT you will need to identify all
> the IPv6 endpoints you want the IPv4-only NOC folks to be able to
> access. These endpoints need either to be provisioned with an
> IPv4-translatable IPv6 address (traditional SIIT), or get an IPv4
> mapping provisioned on the protocol translator (SIIT-DC style
> deployment with EAMs).

The autonomic addressing plan proposed so far is that we'd have
very few e.g. /112 prefixes (e.g. one per so-called registrar),
and then e.g. 16 bits of serial number. So you can see how easily this
would map with SIIT-EAM.

> You could also use Stateful NAT64 (RFC6146)
> with statically configured BIB entries to accomplish pretty much the
> same thing as the SIIT-DC approach, but you do get a lot of superfluous
> baggage that way (all the stateful connection/session tracking stuff).

Is there a YANG model for 6146 so I can better understand what the
intended operator experience is? ;-))

Yes, it does mention "static configured mapping" in three places in the
text, and I see in the Cisco IOS implementation also the ability to
configure 1:1 IPv4<->IPv6 mappings, and I therefore guess that these
are the "static configured mappings" of 6146, but what I can't find
is any explanation why the operations of such entries would have
to be stateful at all. What would those 6146 entries do differently than
stateless SIIT-EAM /32 <-> /128 entries, and what's the "benefit"?

But obviously, in a network with 50,000 IPv6 nodes with ULAs,
I wouldn't want to set up an orchestration to configure 50,000
1:1 entries, even stateless, but rather a single /16 <-> /112
(or a few similar slightly longer prefixes).

> BTW you asked about traceroute, and I don't think anyone answered, so:
> ICMPv6 packets originated by IPv6 hops behind the translator (that are
> not provisioned with an IPv4-translatable IPv6 address) will appear as
> originating from a "random" IPv4 address (which could repeat multiple
> times in the path). That could possibly be confusing to NOC staff, so
> I'd suggest giving the RFC6791 addresses descriptive PTR records in DNS
> ("").

Yep. Haven't gotten around to all DNS recommendations, but given how
I am trying to see that full stateless mapping will suffice, I hopefully
won't run into these problems.

> Let me know if you want some help or pointers on how to set up a
> stateless translator for testing purposes. Or you could use one of
> mine, as it works just as well over the public internet too (as long as
> the IPv6 endpoints you want to manage are numbered with globally
> reachable addresses). I'd be happy to assist.

Sure, please send me pointers offline, I'll take a look!
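The /16 <-> /112 stateless mapping discussed in this thread, worked through as an added example (this is not code from the thread, from Cisco IOS or from any SIIT implementation). The prefixes in EAM_TABLE are constructed, and the fallback of uncovered IPv4 addresses to the RFC 6052 well-known prefix 64:ff9b::/96 is my assumption about how such a translator would be configured:

```python
import ipaddress

# Constructed EAM table in the style of RFC 7757 (SIIT Explicit Address
# Mappings): one IPv4 /16 is mapped onto one IPv6 /112, so the 16-bit
# serial number is copied across unchanged.  Every node in the /112 is
# reachable from IPv4 without a per-node entry and without any per-flow
# state on the translator.
EAM_TABLE = [
    (ipaddress.ip_network("198.18.0.0/16"),       # constructed IPv4 side
     ipaddress.ip_network("fd00:0:0:1::/112")),   # constructed ULA /112
]
# Assumed fallback: addresses not covered by an EAM use the RFC 6052 WKP.
WKP = ipaddress.ip_network("64:ff9b::/96")


def check_eam(v4net, v6net):
    """Both prefixes must leave the same number of suffix bits to copy."""
    suffix_bits = 32 - v4net.prefixlen
    if suffix_bits != 128 - v6net.prefixlen:
        raise ValueError(f"suffix length mismatch: {v4net} <-> {v6net}")
    return suffix_bits


def ipv4_to_ipv6(addr, table=EAM_TABLE):
    """Stateless IPv4 -> IPv6 translation; longest-matching EAM wins."""
    a4 = ipaddress.IPv4Address(addr)
    for v4net, v6net in sorted(table, key=lambda e: -e[0].prefixlen):
        if a4 in v4net:
            suffix = int(a4) & ((1 << check_eam(v4net, v6net)) - 1)
            return ipaddress.IPv6Address(int(v6net.network_address) | suffix)
    # Not covered by an EAM: embed the whole IPv4 address in the WKP /96.
    return ipaddress.IPv6Address(int(WKP.network_address) | int(a4))


def ipv6_to_ipv4(addr, table=EAM_TABLE):
    """Reverse direction; returns None if the address is untranslatable."""
    a6 = ipaddress.IPv6Address(addr)
    for v4net, v6net in sorted(table, key=lambda e: -e[1].prefixlen):
        if a6 in v6net:
            suffix = int(a6) & ((1 << check_eam(v4net, v6net)) - 1)
            return ipaddress.IPv4Address(int(v4net.network_address) | suffix)
    if a6 in WKP:
        return ipaddress.IPv4Address(int(a6) & 0xFFFFFFFF)
    return None
```

Because the two directions are pure functions of the address bits, a NOC host on IPv4 reaches serial 0x0102 as 198.18.1.2 and the translator needs no session table, which is the difference from a stateful NAT64 BIB entry that the thread asks about.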