Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)
Ca By <cb.list6@gmail.com> Thu, 16 November 2017 12:42 UTC
Return-Path: <cb.list6@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 439F71294E2 for <ipv6@ietfa.amsl.com>; Thu, 16 Nov 2017 04:42:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJpQxX3amJJt for <ipv6@ietfa.amsl.com>; Thu, 16 Nov 2017 04:42:14 -0800 (PST)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13BA51294E1 for <ipv6@ietf.org>; Thu, 16 Nov 2017 04:42:13 -0800 (PST)
Received: by mail-yw0-x234.google.com with SMTP id g204so7586402ywa.6 for <ipv6@ietf.org>; Thu, 16 Nov 2017 04:42:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Bhr6HANefIL2t8mz/eckFt+PiySaibeQiHvL1BBdY0o=; b=fN8B4FYT+6E1AXOQwHa2fvUmLxxh4z8eEsI6YYnA1oLGWOmPX4DObz82Wv9zO6ZqNx U6+VnyN5R+dOa0zvQyGag0xuReGLaYg7Lw8J6h7fJD4froP8511gwqTteXdUjM88/PkI VEWx51yGNI/dAuV4dulql8fEDz1WQhOtSJWfV4UKtSZk4NOab6q3cHkkC9Hc60N/A3L3 2+4Tmzr9Czb0ChFp90XXsthnamBzts+FP7NHXs7O30tPilra2YAJt2ZlDV/g7V56tgKh fYMTleQkoGfW+lKI/lXI4J5DboQPE3vzDJ8VzjJ+lt0Eys+a9WkIf8HrJA35EMAE2uq3 l9SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Bhr6HANefIL2t8mz/eckFt+PiySaibeQiHvL1BBdY0o=; b=bM51orvM/Vpeje21qVNVLkDsP5PShaUNpFQFuOYgsl5ktK/8qzsSFla5spQaXfATbs SNu3eMJjc+vH26EiVwIc4cd4QVdAq8uqIfrPXaHj2/C3t2SlEF9o9ekduB4hYz959IZh 3ET67hdLu94wPImlZrPCJuvWJpjIQ0FI88SCe7kmVLPYOGctJXc9RmxTNjBlFs6UeVIT bN4KzlOsiI3yNiKArEhNOGyQ3N019Bxlq88e+4xm+7wmrUiy6KYYVBm2yun7bxj1U3Km YdZtfWTix9IIcCgDSOe2LIkY/4CzF5vVBtRZDrSDILqO9SimRLr5SFe0qtH83e1O5Z3o o4mA==
X-Gm-Message-State: AJaThX6CvBk/cdXuFoFquntyy3AP6ZygcQS2FnLhvCna+/oeGjQOP3vN Ri4vuyaBRqfUIMao5Oz2hiKqjITJWaTteCwiS8M=
X-Google-Smtp-Source: AGs4zMacnOnBz3WEA6a1kqh0g2izfxGwT9qPSUO4oJdUnwUXJ0QDPbjS8pVcXpuiKERtDzL6p167dEFb2CMabtyDIPE=
X-Received: by 10.37.130.11 with SMTP id q11mr757321ybk.50.1510836132335; Thu, 16 Nov 2017 04:42:12 -0800 (PST)
MIME-Version: 1.0
References: <m1eEGbJ-0000EhC@stereo.hq.phicoh.net> <D43E103C-27B8-48CF-B801-ACCF9B42533E@employees.org> <m1eEHPS-0000FyC@stereo.hq.phicoh.net> <59B0BEC0-D791-4D75-906C-84C5E423291B@employees.org> <m1eEIGX-0000FjC@stereo.hq.phicoh.net> <73231F8D-498E-4C77-8DA8-044365368FC9@isc.org> <CAKD1Yr1aFwF_qZVp5HbRbKzcOGqn==MRe_ewaA8Qc8t3+CVu_Q@mail.gmail.com> <44A862B7-7182-4B3A-B46E-73065FC4D852@isc.org> <D42D8D7A-6D19-4862-9BB3-4913058A83B6@employees.org> <CAFU7BARCLq9eznccEtkdnKPAtKNT7Mf1bW0uZByPvxtiSrv6EQ@mail.gmail.com> <183A8772-6FEF-43BD-97F9-DD4A2E21DB90@google.com> <5D9D33A8-88F0-4758-84FA-BCB364E8013F@employees.org> <16B61573-E233-40ED-8A22-CD145EBB8F98@google.com> <A89E7192-0FD4-4750-8745-147AFCC364DC@jisc.ac.uk>
In-Reply-To: <A89E7192-0FD4-4750-8745-147AFCC364DC@jisc.ac.uk>
From: Ca By <cb.list6@gmail.com>
Date: Thu, 16 Nov 2017 12:42:01 +0000
Message-ID: <CAD6AjGQcF=+FRFke1P0+vcmEEqWQ0NUsfprS6qBvfsG+3HMXhA@mail.gmail.com>
Subject: Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)
To: Tim Chown <Tim.Chown@jisc.ac.uk>
Cc: 6man WG <ipv6@ietf.org>, Mark Andrews <marka@isc.org>, Ole Troan <otroan@employees.org>, james woodyatt <jhw@google.com>
Content-Type: multipart/alternative; boundary="089e0828c20cfb58de055e18f28e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/XQlURK7RI7vCNvMs3uu4Wyr6zmo>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2017 12:42:16 -0000
On Thu, Nov 16, 2017 at 1:53 AM Tim Chown <Tim.Chown@jisc.ac.uk> wrote: > Hi, > > > On 15 Nov 2017, at 23:04, james woodyatt <jhw@google.com> wrote: > > > > On Nov 15, 2017, at 13:47, Ole Troan <otroan@employees.org> wrote: > >> > >>>> IMHO the optimal solution is: > >>>> - the network SHOULD provide a host with NAT64 prefix information in > RA; > >>> > >>> Disagree. If the network has NAT64, then it should deploy RFC 7225. Ye > gods, this is the very last thing that should be jammed into RA messages. > >> > >> Do we really want PCP in IPv6? > > > > If we have any kind of NAT, then we need PCP. Using NAT without PCP > considered harmful. That goes for NAT64 and NAT66. > > And PCP is still needed to negotiate firewall holes in a pure IPv6 > scenario, isn’t it? Assuming the host with PCP is behind Simple Security. > > A question: is this something we should conducer for RFC6434-bis, or > should we be silent on PCP? > No > >> Is PCP successful in IPv4? > > > > Well, there was this: < > https://www.ietf.org/proceedings/88/slides/slides-88-pcp-5.pdf> > > > >> Or does it even work well with A+P based solutions? > > > > Designed expressly for it. > > I assumed PCP was designed with an eye firmly on future routed home > networks where firewall holes need to be opened. What is the alternative? > The alternative is secure host and no firewall. There is no firewall at the ietf conference right now, right? Are you secure ? Is there a malware outbreak? The fatal flaw in PCP (aside from the name) is that it assumes the host needs protection yet it gives the host the power to control the firewall. Next gen malware will come via email (just like today), it will encrypt your hard drive, and then setup and c2 network on your pc via pcp controls. Sad! CB > Tim > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Tim Chown
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Rajiv Asati (rajiva)
- Re: IPv6 only host NAT64 requirements? Tim Chown
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Lorenzo Colitti
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- IPv4 only apps [was: IPv6 only host NAT64 require… Brian E Carpenter
- Re: IPv4 only apps [was: IPv6 only host NAT64 req… Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv4 only apps [was: IPv6 only host NAT64 req… Brian E Carpenter
- Re: IPv4 only apps [was: IPv6 only host NAT64 req… Ole Troan
- Re: IPv6 only host NAT64 requirements? Michael Richardson
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Michael Richardson
- Re: IPv6 only host NAT64 requirements? Lorenzo Colitti
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? Erik Kline
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? james woodyatt
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? james woodyatt
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? james woodyatt
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? james woodyatt
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- PCP, and 6434bis (was Re: IPv6 only host NAT64 re… Tim Chown
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Ca By
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Tim Chown
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Ca By
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… james woodyatt
- Re: IPv6 only host NAT64 requirements? Michael Richardson
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Michael Richardson
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… james woodyatt
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Mark Andrews
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? Fred Baker
- Re: IPv6 only host NAT64 requirements? Fred Baker
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Tim Chown
- Re: IPv6 only host NAT64 requirements? james woodyatt
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Fernando Gont
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Simon Hobson
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Ole Troan
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Michael Richardson
- Re: IPv6 only host NAT64 requirements? Alexandre Petrescu
- Re: IPv6 only host NAT64 requirements? Ole Troan
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- RE: IPv6 only host NAT64 requirements? Manfredi, Albert E
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- RE: IPv6 only host NAT64 requirements? Manfredi, Albert E
- Re: IPv6 only host NAT64 requirements? Lee Howard
- Re: IPv6 only host NAT64 requirements? Lee Howard
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- RE: IPv6 only host NAT64 requirements? Masanobu Kawashima
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Ola Thoresen
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Alexandre Petrescu
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter