Re: [nat66] Comments on draft-mrw-nat66-12

james woodyatt <jhw@apple.com> Wed, 16 March 2011 15:18 UTC

From: james woodyatt <jhw@apple.com>
Date: Wed, 16 Mar 2011 08:18:48 -0700
To: "S.P.Zeidler" <spz@serpens.de>
Cc: NAT66 HappyFunBall <nat66@ietf.org>
In-reply-to: <20110316074155.GF8465@serpens.de>
Subject: Re: [nat66] Comments on draft-mrw-nat66-12

Finally, *somebody* understands me. <sniff/>

--jhw (sent from my phone)

On Mar 16, 2011, at 0:41, "S.P.Zeidler" <spz@serpens.de> wrote:

> Hi,
> 
> Thus wrote Fred Baker (fred@cisco.com):
>> On Mar 15, 2011, at 6:42 PM, james woodyatt wrote:
>> 
>>> I am talking about the implications for firewalls and PCP-capable hosts deployed behind site multi-homing NPTv6 systems as described in section 2.4 of your draft.
>> 
>> They will be exactly the same as any other firewall. Since the feature doesn't change the ports, PCP will turn them on or off, exactly as it does with any other firewall. 
> 
> If I understand correctly, the intended use for the pinhole control
> protocol is that you can tell an upstream firewall "hey, I'm
> 2001:db8:a:b:c:d:e:f and I want to accept incoming connections on port 12345"
> whereupon the firewall goes from "deny all inbound" to "deny all inbound
> except to 2001:db8:a:b:c:d:e:f port 12345".
> 
> Since it'll be for incoming connections, you'll want all possible paths
> opened, and of course for the addresses apparent on the "outside"
> interface of the firewall.
> 
> I think the "you may need a proxy if your translator is between you and
> the firewall" is better situated in the PCP draft, since it will not only
> apply to one kind of translation.
> 
> Other need to mention it in the NPTv6 document does not exist: Since the
> address translation itself is utterly deterministic in the NPTv6 case,
> you do not need to build hooks into the NPTv6 translator, the PCP proxy
> can calculate them itself given inside and outside prefixes.
> 
> regards,
>    spz
> -- 
> spz@serpens.de (S.P.Zeidler)
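The "utterly deterministic" translation spz describes is the checksum-neutral prefix mapping of RFC 6296 (NPTv6). The Python below is an added example, not code from any poster or from the draft: it implements the /48-or-shorter case, so a PCP proxy holding only the inside and outside prefixes can derive the outside address a firewall must pinhole, and verify the mapping changes no transport checksum. The prefixes and addresses are constructed sample values.

```python
import ipaddress

def ones_complement_sum(words):
    """16-bit one's-complement sum with end-around carry (RFC 1071 arithmetic)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return total

def _words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def _from_words(words):
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words)))

def npt66_translate(addr, from_prefix, to_prefix):
    """Map addr from one /48-or-shorter prefix to the other, checksum-neutrally.
    Called with the prefixes swapped it performs the reverse mapping."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("prefixes must be the same length and /48 or shorter")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError(f"{addr} is not within {from_prefix}")
    # Swap the prefix bits; subnet field and IID are carried over unchanged.
    host_bits = (1 << (128 - src.prefixlen)) - 1
    w = _words(int(dst.network_address) | (int(ipaddress.IPv6Address(addr)) & host_bits))
    # Adjustment = sum(from-prefix words) - sum(to-prefix words) in one's complement;
    # words 0-2 cover any /48-or-shorter prefix. It is added into word 3 (subnet ID).
    adj = ones_complement_sum([
        ones_complement_sum(_words(src.network_address)[:3]),
        ones_complement_sum(_words(dst.network_address)[:3]) ^ 0xFFFF,
    ])
    w[3] = ones_complement_sum([w[3], adj])
    if w[3] == 0xFFFF:  # -0 and +0 are equal in one's complement; write +0
        w[3] = 0x0000
    return _from_words(w)

def is_checksum_neutral(addr_a, addr_b):
    """True when both addresses contribute the same value to a transport checksum."""
    # % 0xFFFF folds -0 (0xFFFF) onto +0 so the two zeros compare equal.
    return (ones_complement_sum(_words(addr_a)) % 0xFFFF
            == ones_complement_sum(_words(addr_b)) % 0xFFFF)
```

Because the mapping is a pure function of the two prefixes, a proxy in front of the firewall needs no hook into the translator; it only has to call the same function the translator applies.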