Re: [nat66] I-D Action:draft-mrw-nat66-00.txt
Fred Baker <fred@cisco.com> Wed, 27 October 2010 12:12 UTC
Return-Path: <fred@cisco.com>
X-Original-To: nat66@core3.amsl.com
Delivered-To: nat66@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E7893A6910 for <nat66@core3.amsl.com>; Wed, 27 Oct 2010 05:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.314
X-Spam-Level:
X-Spam-Status: No, score=-110.314 tagged_above=-999 required=5 tests=[AWL=0.285, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mg59b2r60HDe for <nat66@core3.amsl.com>; Wed, 27 Oct 2010 05:12:47 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id E7B143A68A0 for <nat66@ietf.org>; Wed, 27 Oct 2010 05:12:46 -0700 (PDT)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAN60x0yrRN+K/2dsb2JhbAChWHGgHJwRhUgEhFeFfIMI
X-IronPort-AV: E=Sophos;i="4.58,246,1286150400"; d="scan'208";a="207524656"
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-4.cisco.com with ESMTP; 27 Oct 2010 12:14:36 +0000
Received: from stealth-10-32-244-222.cisco.com (stealth-10-32-244-222.cisco.com [10.32.244.222]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id o9RCDTO6020101; Wed, 27 Oct 2010 12:14:31 GMT
Received: from [127.0.0.1] by stealth-10-32-244-222.cisco.com (PGP Universal service); Wed, 27 Oct 2010 05:14:36 -0700
X-PGP-Universal: processed; by stealth-10-32-244-222.cisco.com on Wed, 27 Oct 2010 05:14:36 -0700
Mime-Version: 1.0 (Apple Message framework v1081)
From: Fred Baker <fred@cisco.com>
In-Reply-To: <4CC793D2.5050209@gmail.com>
Date: Wed, 27 Oct 2010 05:14:31 -0700
Message-Id: <6B81F4BD-19BF-4C0A-B525-B746641A9136@cisco.com>
References: <20101018190002.323803A6D0B@core3.amsl.com> <4CC793D2.5050209@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.1081)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: nat66@ietf.org
Subject: Re: [nat66] I-D Action:draft-mrw-nat66-00.txt
X-BeenThere: nat66@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "List for discussion of IPv6-to-IPv6 NAT." <nat66.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nat66>, <mailto:nat66-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nat66>
List-Post: <mailto:nat66@ietf.org>
List-Help: <mailto:nat66-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nat66>, <mailto:nat66-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Oct 2010 12:12:49 -0000
Thanks for the review. On Oct 26, 2010, at 7:52 PM, Brian E Carpenter wrote: >> Abstract >> >> This document describes a stateless, transport-agnostic IPv6-to-IPv6 >> Network Address Translation (NAT66) function that provides the >> address independence benefit associated with IPv4-to-IPv4 NAT (NAT44) >> while minimizing, but not completely eliminating, the problems >> associated with NAT44. > > I think "minimizing" is a bit strong, How about "mitigating"? > (Same comment in the Introduction.) > >> 3. What is Address Independence? > ... >> The use of IPv6 Provider Independent (PI) addresses has also been >> suggested as a means to fulfill the address independence requirement. >> However, this solution requires that an enterprise qualify to receive >> a PI assignment and persuade their ISP to install specific routes for >> the enterprise's PI addresses. There are a number of practical >> issues with this approach, especially if there is a desire to route >> to a number of geographically and topologically diverse set of sites, >> which can sometimes involve coordinating with several ISPs to route >> portions of a single PI prefix. These problems have caused numerous >> enterprises with plenty of IPv4 swamp space to choose to use IPv4 NAT >> for part, or substantially all, of their internal network instead of >> using their provider-independent address space. > > Somehow you get through this without mentioning that generalised use > of PI prefixes will explode the BGP4 routing system in its present form. > I think that deserves mention (perhaps with a reference to > draft-irtf-rrg-recommendation). > >> 4. NAT66 Applicability > ... > > After the discussion of DNS issues, can you add something about > the impact on 3rd party referral issues? We don't actually discuss > NAT66 as part of the problem in draft-carpenter-referral-ps, but > maybe we should. > >> Prefix = 2001:0DB8:0001:/48 > > Everywhere you have a prefix, it ends :/48 instead of ::/48 > >> 9. Address Mapping for Longer Prefixes >> >> In some cases, it may desireable to use NAT66 with global prefixes >> longer than /48. > > I think it would be better to say "unavoidable" instead of "desirable". > And maybe add: > > longer than /48, but at the longest /64. > >> 13. Security Considerations > ... >> For this reason, it is >> RECOMMENDED that NAT66 devices include an IPv6 firewall function, and >> the firewall function SHOULD be configured by default to block all >> incoming connections. Administrators could then enable inbound >> connectivity for specific ports by reconfiguring the firewall. > > A reference to draft-ietf-v6ops-cpe-simple-security would be > appropriate here. Strictly, if any of the default recommendations > in that spec are inappropriate for NAT66, it would be good to > override them explicitly. > > Regards > Brian Carpenter > _______________________________________________ > nat66 mailing list > nat66@ietf.org > https://www.ietf.org/mailman/listinfo/nat66
- Re: [nat66] I-D Action:draft-mrw-nat66-00.txt Brian E Carpenter
- Re: [nat66] I-D Action:draft-mrw-nat66-00.txt Margaret Wasserman
- Re: [nat66] I-D Action:draft-mrw-nat66-00.txt Fred Baker