Re: [nat66] Comments on draft-mrw-nat66-12
james woodyatt <jhw@apple.com> Tue, 15 March 2011 20:15 UTC
On Mar 15, 2011, at 10:28 , Rémi Després wrote:

> 2.4
> In case of multihoming with PA's, a limitation of NPTv6 that should be noted is that some incoming connections can fail:
> - In a site having global prefixes PA1 and PA2, an internal server has two global IPv6 addresses S1 and S2.
> - If its default exit route goes to the PA1-CPE, incoming connections addressed to S2 will fail due to ingress filtering in the PA1-CPE.

I don't think this hits the mark. From section 5:

   [...] Also, an NPTv6 Translator does not aggregate traffic for several hosts/interfaces behind a lesser number of external addresses, so there is no inherent expectation for an NPTv6 Translator to block new inbound flows from external hosts, and no issue with a filter or blacklist associated with one prefix within the domain affecting another. [...]

I'm not sure that NPTv6 introduces any new site-multihoming problems for firewalls beyond those they already have, but I suspect it might.

Without NPTv6 involved to unify multiple external prefixes into a single local prefix, hosts on traditionally site-multihomed networks will discover each external prefix and their attributes separately. With NPTv6 unifying the external prefixes into a single local prefix, they discover only one prefix and its unified attributes.

I suspect that NPTv6 might add a burden on firewalls related to the unification of external prefix attributes so that routers advertising the local prefix have unified attributes to advertise that prevent communications failures associated with attribute renewal.

--
james woodyatt <jhw@apple.com>
member of technical staff, core os networking