Re: [nat66] Comments on draft-mrw-nat66-12

james woodyatt <jhw@apple.com> Tue, 15 March 2011 20:15 UTC

From: james woodyatt <jhw@apple.com>
In-reply-to: <CF8367A6-F303-43D7-99C6-D40D1DD5D5D9@free.fr>
Date: Tue, 15 Mar 2011 13:17:01 -0700
Message-id: <125BC580-ED43-40EE-B6B9-FD88557C35B9@apple.com>
References: <20110314063002.28048.29694.idtracker@localhost> <19F3A4CD-F39C-4F17-A6E9-7AA8AFBC6B3B@cisco.com> <CF8367A6-F303-43D7-99C6-D40D1DD5D5D9@free.fr>
To: NAT66 HappyFunBall <nat66@ietf.org>

On Mar 15, 2011, at 10:28 , Rémi Després wrote:

> 2.4
> In case of multihoming with PAs, a limitation of NPTv6 that should be noted is that some incoming connections can fail:
> - In a site having global prefixes PA1 and PA2, an internal server has two global IPv6 addresses S1 and S2. 
> - If its default exit route goes to the PA1-CPE, incoming connections addressed to S2 will fail due to ingress filtering in the PA1-CPE.

I don't think this hits the mark.  From section 5:

                     [...] Also, an NPTv6 Translator does not aggregate
   traffic for several hosts/interfaces behind a lesser number of
   external addresses, so there is no inherent expectation for an NPTv6
   Translator to block new inbound flows from external hosts, and no
   issue with a filter or blacklist associated with one prefix within
   the domain affecting another. [...]

I'm not sure that NPTv6 introduces any new site-multihoming problems for firewalls beyond those they already have, but I suspect it might.  Without NPTv6 involved to unify multiple external prefixes into a single local prefix, hosts on traditionally site-multihomed networks will discover each external prefix and their attributes separately.  With NPTv6 unifying the external prefixes into a single local prefix, they discover only one prefix and its unified attributes.  I suspect that NPTv6 might add a burden on firewalls related to the unification of external prefix attributes so that routers advertising the local prefix have unified attributes to advertise that prevent communications failures associated with attribute renewal.


--
james woodyatt <jhw@apple.com>
member of technical staff, core os networking
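The scenario in the quoted comment (one internal prefix, two PA prefixes, two NPTv6 CPEs, default exit via the PA1-CPE) can be traced mechanically. The following is an added example, not code from this message, from Rémi Després, or from the draft authors; it models the /48 checksum-neutral prefix mapping described in draft-mrw-nat66 (published as RFC 6296) and omits the special handling the RFC specifies when a translated word comes out as 0xFFFF. The prefixes (a ULA internal prefix and two 2001:db8::/32 documentation prefixes) and the server address are constructed values. It shows that the same internal server is S1 when seen through the PA1-CPE and S2 through the PA2-CPE, that translation round-trips through the same CPE and leaves the address's one's complement sum unchanged, and that a reply leaving through the PA1-CPE carries a source address that is not S2, which is what the remote peer or any stateful filter on the path would observe.

```python
# Added example: minimal NPTv6 (/48 to /48) translator model, based on the
# checksum-neutral mapping in draft-mrw-nat66 / RFC 6296. Prefixes and addresses
# below are constructed documentation values. Handling of 0xFFFF results is
# omitted (assumption/simplification).
import ipaddress


def ones_complement_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_complement_sub(a: int, b: int) -> int:
    """16-bit one's complement subtraction, a - b == a + (~b)."""
    return ones_complement_add(a, (~b) & 0xFFFF)


def _ip(addr) -> ipaddress.IPv6Address:
    return addr if isinstance(addr, ipaddress.IPv6Address) else ipaddress.IPv6Address(addr)


def words(addr) -> list:
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    n = int(_ip(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def from_words(ws) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(sum(w << (112 - 16 * i) for i, w in enumerate(ws)))


def checksum_sum(addr) -> int:
    """One's complement sum over the whole address; NPTv6 keeps this constant so
    transport checksums covering the pseudo-header need no rewriting."""
    total = 0
    for w in words(addr):
        total = ones_complement_add(total, w)
    return 0 if total == 0xFFFF else total  # 0xFFFF is "negative zero"


def prefix_sum(net: ipaddress.IPv6Network) -> int:
    """One's complement sum of the three 16-bit words of a /48 prefix."""
    total = 0
    for w in words(net.network_address)[:3]:
        total = ones_complement_add(total, w)
    return total


class NPTv6:
    """Stateless translator between an internal /48 and an external /48 prefix."""

    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        assert self.internal.prefixlen == 48 and self.external.prefixlen == 48
        # Constant for the life of the configuration: internal sum minus external sum.
        self.adjustment = ones_complement_sub(prefix_sum(self.internal), prefix_sum(self.external))

    def outbound(self, addr) -> ipaddress.IPv6Address:
        """Internal -> external: swap prefix, add adjustment to word 3 (bits 48-63)."""
        ws = words(addr)
        ws[:3] = words(self.external.network_address)[:3]
        ws[3] = ones_complement_add(ws[3], self.adjustment)
        return from_words(ws)

    def inbound(self, addr) -> ipaddress.IPv6Address:
        """External -> internal: swap prefix back, subtract adjustment from word 3."""
        ws = words(addr)
        ws[:3] = words(self.internal.network_address)[:3]
        ws[3] = ones_complement_sub(ws[3], self.adjustment)
        return from_words(ws)


def trace_multihomed_reply(internal_server: str) -> dict:
    """Site multihomed to PA1 and PA2 through two NPTv6 CPEs; default exit is PA1-CPE.
    A connection arrives for S2 via the PA2-CPE; the reply leaves via the PA1-CPE."""
    cpe1 = NPTv6("fd01:203:405::/48", "2001:db8:1::/48")  # constructed: PA1-CPE
    cpe2 = NPTv6("fd01:203:405::/48", "2001:db8:2::/48")  # constructed: PA2-CPE
    srv = _ip(internal_server)
    s1, s2 = cpe1.outbound(srv), cpe2.outbound(srv)
    inside = cpe2.inbound(s2)           # inbound SYN to S2 is delivered to the server
    reply_src = cpe1.outbound(inside)   # reply follows the default route out of PA1-CPE
    return {"S1": str(s1), "S2": str(s2), "inside": str(inside),
            "reply_source": str(reply_src), "matches_S2": reply_src == s2}


if __name__ == "__main__":
    for k, v in trace_multihomed_reply("fd01:203:405:1::80").items():
        print(f"{k:>13}: {v}")
```

Because each CPE derives its adjustment from its own external prefix, the translation is a pure function of the exit point; there is no per-flow state that would steer the reply back through the CPE the connection entered. Whether that mismatch is fatal depends on what sits in the path (a stateful filter on either CPE or the peer's view of the 4-tuple), which is the part of the scenario the message above is debating.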