Re: [nat66] Comments on draft-mrw-nat66-12

james woodyatt <jhw@apple.com> Wed, 16 March 2011 15:42 UTC

From: james woodyatt <jhw@apple.com>
In-reply-to: <5A917AF1-EAAE-4090-854C-46AD23E3B6A2@apple.com>
Message-id: <E7C5115B-9852-4670-B0A7-431DD602C448@apple.com>
Date: Wed, 16 Mar 2011 08:43:35 -0700
To: NAT66 HappyFunBall <nat66@ietf.org>

Grmf. Wi-Fi down on the shuttle today, so I need to compose this follow-up on my phone.

There is an additional point worth mentioning in the NPTv6 draft. If the firewall is instead positioned between the translators and the protected hosts, then a proxy is still required to support the external address discovery part of the PCP protocol.

Making NPTv6 and PCP play together requires mentioning the problems NPTv6 deployments pose for PCP implementors, or explicitly coming out and saying that PCP isn't expected to be compatible with NPTv6 and describing the reasons for it.

--jhw (sent from my phone)

On Mar 16, 2011, at 8:18, james woodyatt <jhw@apple.com> wrote:

> Finally, *somebody* understands me. <sniff/>
> 
> --jhw (sent from my phone)
> 
> On Mar 16, 2011, at 0:41, "S.P.Zeidler" <spz@serpens.de> wrote:
> 
>> Hi,
>> 
>> Thus wrote Fred Baker (fred@cisco.com):
>>> On Mar 15, 2011, at 6:42 PM, james woodyatt wrote:
>>> 
>>>> I am talking about the implications for firewalls and PCP-capable hosts deployed behind site multi-homing NPTv6 systems as described in section 2.4 of your draft.
>>> 
>>> They will be exactly the same as any other firewall. Since the feature doesn't change the ports, PCP will turn them on or off, exactly as it does with any other firewall. 
>> 
>> If I understand correctly, the intended use for the pinhole control
>> protocol is that you can tell an upstream firewall "hey, I'm
>> 2001:db8:a:b:c:d:e:f and I want to accept incoming connections on port 12345"
>> whereupon the firewall goes from "deny all inbound" to "deny all inbound
>> except to 2001:db8:a:b:c:d:e:f port 12345".
>> 
>> Since it'll be for incoming connections, you'll want all possible paths
>> opened, and of course for the addresses apparent on the "outside"
>> interface of the firewall.
>> 
>> I think the "you may need a proxy if your translator is between you and
>> the firewall" is better situated in the PCP draft, since it will not only
>> apply to one kind of translation.
>> 
>> There is no other need to mention it in the NPTv6 document: since the
>> address translation itself is utterly deterministic in the NPTv6 case,
>> you do not need to build hooks into the NPTv6 translator; the PCP proxy
>> can calculate them itself given inside and outside prefixes.
>> 
>> regards,
>>   spz
>> -- 
>> spz@serpens.de (S.P.Zeidler)
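The deterministic mapping spz refers to is the checksum-neutral prefix translation of RFC 6296 (NPTv6), and it is what lets a PCP proxy on the inside of the translator answer the external-address part of PCP without any hook into the translator. The following Python is an added example written for this archive page; it is not code from this thread, from the NPTv6 draft, or from any PCP implementation. It follows the /48 case of RFC 6296 as the author of this example understands it (swap the prefix, then add a constant to the subnet word in one's-complement arithmetic, writing 0x0000 for a 0xFFFF result). The prefixes and host addresses are constructed sample values, and the function `pcp_external_address` is a hypothetical name for what a proxy would compute, not an API of any PCP library.

```python
"""Added example: NPTv6 (RFC 6296) checksum-neutral prefix translation.

Demonstrates why a PCP proxy behind an NPTv6 translator can compute a
host's outside address from the inside and outside /48 prefixes alone.
"""
import ipaddress


def ones_complement_sum(words):
    """One's-complement sum of 16-bit words with end-around carry."""
    total = 0
    for w in words:
        total += w
        while total >> 16:
            total = (total & 0xFFFF) + (total >> 16)
    return total


def words_of(addr):
    """Split an IPv6 address into its eight 16-bit words, most significant first."""
    raw = int(ipaddress.IPv6Address(addr))
    return [(raw >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def address_from_words(words):
    """Reassemble eight 16-bit words into a compressed IPv6 address string."""
    raw = 0
    for w in words:
        raw = (raw << 16) | (w & 0xFFFF)
    return str(ipaddress.IPv6Address(raw))


def adjustment(from_prefix, to_prefix):
    """Constant added to word 3 (bits 48..63) so that replacing from_prefix with
    to_prefix leaves the address's one's-complement sum unchanged.

    Equals sum(from_prefix words) - sum(to_prefix words) in one's complement.
    """
    frm = ipaddress.IPv6Network(from_prefix)
    to = ipaddress.IPv6Network(to_prefix)
    if frm.prefixlen != 48 or to.prefixlen != 48:
        raise ValueError("this example handles the /48 case of RFC 6296 only")
    from_sum = ones_complement_sum(words_of(frm.network_address)[:3])
    to_sum = ones_complement_sum(words_of(to.network_address)[:3])
    # One's-complement subtraction: add the bitwise complement of the subtrahend.
    return ones_complement_sum([from_sum, to_sum ^ 0xFFFF])


def translate(addr, from_prefix, to_prefix):
    """Rewrite addr from from_prefix to to_prefix; works in either direction."""
    if ipaddress.IPv6Address(addr) not in ipaddress.IPv6Network(from_prefix):
        raise ValueError(f"{addr} is not inside {from_prefix}")
    words = words_of(addr)
    words[:3] = words_of(ipaddress.IPv6Network(to_prefix).network_address)[:3]
    subnet = ones_complement_sum([words[3], adjustment(from_prefix, to_prefix)])
    # A 0xFFFF result is written as 0x0000 (both are zero in one's complement).
    words[3] = 0x0000 if subnet == 0xFFFF else subnet
    return address_from_words(words)


def checksum_neutral(addr_a, addr_b):
    """True if both addresses contribute the same value to a transport checksum,
    i.e. a translator need not touch TCP/UDP checksums when rewriting one to the other."""
    def norm(s):
        return 0 if s == 0xFFFF else s
    return norm(ones_complement_sum(words_of(addr_a))) == \
        norm(ones_complement_sum(words_of(addr_b)))


def pcp_external_address(inside_host, inside_prefix, outside_prefix):
    """Hypothetical PCP-proxy helper: the external address to report for an
    inside host, derived purely from configuration, without querying the translator."""
    return translate(inside_host, inside_prefix, outside_prefix)


if __name__ == "__main__":
    # Constructed sample prefixes and host for the demonstration.
    INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"
    host = "fd01:203:405:1::1234"
    ext = pcp_external_address(host, INSIDE, OUTSIDE)
    print(host, "->", ext, "| checksum neutral:", checksum_neutral(host, ext))
    print(ext, "->", translate(ext, OUTSIDE, INSIDE))
```

Because the mapping is a pure function of the two configured prefixes, a proxy that relays a host's PCP request upstream can rewrite the internal address in the request and the external address in the response itself; the translator state that a port-changing NAT would have to expose simply does not exist here.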