Re: [nat66] I-D Action:draft-mrw-nat66-00.txt
Margaret Wasserman <margaretw42@gmail.com> Wed, 27 October 2010 11:00 UTC
Return-Path: <margaretw42@gmail.com>
X-Original-To: nat66@core3.amsl.com
Delivered-To: nat66@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7B9C03A6842 for <nat66@core3.amsl.com>; Wed, 27 Oct 2010 04:00:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.243
X-Spam-Level:
X-Spam-Status: No, score=-2.243 tagged_above=-999 required=5 tests=[AWL=-0.244, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hIHqqtxxkrYU for <nat66@core3.amsl.com>; Wed, 27 Oct 2010 04:00:38 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 78DB23A691F for <nat66@ietf.org>; Wed, 27 Oct 2010 04:00:38 -0700 (PDT)
Received: by iwn40 with SMTP id 40so710157iwn.31 for <nat66@ietf.org>; Wed, 27 Oct 2010 04:02:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:cc:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=ZzQEqNAIYIQkjSa1wxorR4+gFGpSbL9EuqJ6iaEipKs=; b=tC8Ux3TjOTau96OZDIA0+u5mC4IKVRxGkzdeTbrswiwtSXdjpl7s4ZxeNS1YpUVkN5 9z2EX7MqqBc6Gt7keiJI9nreo11lBmvKnVZGbFDnWlLHXdX5HXd8o/VbBQ6xMxbQczUg mH7KHPdD0KQ+0AIxRle5aTD1AVuKun4qIq/rM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=EfOZP6oYv6pax7KGGSQyFShSAFEpli9iWeW7RiJD1eh2KHx0uCU1qZEDo/sy6Q2O3B gt8m/XFIF0NfZW169GyVbNMDgW5XUNnBkF8r9bMstBe4pzlpK05/GS1jub+7Of/pVIv5 lc/wvFdDkWqzBMFtQBafFDZLCW1+Kd+nzU7oA=
Received: by 10.42.214.83 with SMTP id gz19mr7413426icb.277.1288177347886; Wed, 27 Oct 2010 04:02:27 -0700 (PDT)
Received: from [10.36.0.42] (pool-108-20-27-240.bstnma.fios.verizon.net [108.20.27.240]) by mx.google.com with ESMTPS id w5sm2461521vcr.6.2010.10.27.04.02.26 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 27 Oct 2010 04:02:27 -0700 (PDT)
Message-Id: <6210DB9A-E49E-4088-8FD0-39FC1E838238@lilacglade.org>
From: Margaret Wasserman <margaretw42@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <4CC793D2.5050209@gmail.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 27 Oct 2010 07:02:24 -0400
References: <20101018190002.323803A6D0B@core3.amsl.com> <4CC793D2.5050209@gmail.com>
X-Mailer: Apple Mail (2.936)
Cc: nat66@ietf.org
Subject: Re: [nat66] I-D Action:draft-mrw-nat66-00.txt
X-BeenThere: nat66@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "List for discussion of IPv6-to-IPv6 NAT." <nat66.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nat66>, <mailto:nat66-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nat66>
List-Post: <mailto:nat66@ietf.org>
List-Help: <mailto:nat66-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nat66>, <mailto:nat66-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Oct 2010 11:00:39 -0000
Thanks, Brian! I will make your suggested changes and look into the v6ops simple security spec. Margaret On Oct 26, 2010, at 10:52 PM, Brian E Carpenter wrote: >> Abstract >> >> This document describes a stateless, transport-agnostic IPv6-to- >> IPv6 >> Network Address Translation (NAT66) function that provides the >> address independence benefit associated with IPv4-to-IPv4 NAT >> (NAT44) >> while minimizing, but not completely eliminating, the problems >> associated with NAT44. > > I think "minimizing" is a bit strong, How about "mitigating"? > (Same comment in the Introduction.) > >> 3. What is Address Independence? > ... >> The use of IPv6 Provider Independent (PI) addresses has also been >> suggested as a means to fulfill the address independence >> requirement. >> However, this solution requires that an enterprise qualify to >> receive >> a PI assignment and persuade their ISP to install specific routes >> for >> the enterprise's PI addresses. There are a number of practical >> issues with this approach, especially if there is a desire to route >> to a number of geographically and topologically diverse set of >> sites, >> which can sometimes involve coordinating with several ISPs to route >> portions of a single PI prefix. These problems have caused >> numerous >> enterprises with plenty of IPv4 swamp space to choose to use IPv4 >> NAT >> for part, or substantially all, of their internal network instead >> of >> using their provider-independent address space. > > Somehow you get through this without mentioning that generalised use > of PI prefixes will explode the BGP4 routing system in its present > form. > I think that deserves mention (perhaps with a reference to > draft-irtf-rrg-recommendation). > >> 4. NAT66 Applicability > ... > > After the discussion of DNS issues, can you add something about > the impact on 3rd party referral issues? We don't actually discuss > NAT66 as part of the problem in draft-carpenter-referral-ps, but > maybe we should. > >> Prefix = 2001:0DB8:0001:/48 > > Everywhere you have a prefix, it ends :/48 instead of ::/48 > >> 9. Address Mapping for Longer Prefixes >> >> In some cases, it may desireable to use NAT66 with global prefixes >> longer than /48. > > I think it would be better to say "unavoidable" instead of > "desirable". > And maybe add: > > longer than /48, but at the longest /64. > >> 13. Security Considerations > ... >> For this reason, it is >> RECOMMENDED that NAT66 devices include an IPv6 firewall function, >> and >> the firewall function SHOULD be configured by default to block all >> incoming connections. Administrators could then enable inbound >> connectivity for specific ports by reconfiguring the firewall. > > A reference to draft-ietf-v6ops-cpe-simple-security would be > appropriate here. Strictly, if any of the default recommendations > in that spec are inappropriate for NAT66, it would be good to > override them explicitly. > > Regards > Brian Carpenter > _______________________________________________ > nat66 mailing list > nat66@ietf.org > https://www.ietf.org/mailman/listinfo/nat66
- Re: [nat66] I-D Action:draft-mrw-nat66-00.txt Brian E Carpenter
- Re: [nat66] I-D Action:draft-mrw-nat66-00.txt Margaret Wasserman
- Re: [nat66] I-D Action:draft-mrw-nat66-00.txt Fred Baker