Re: [nat66] Comments on draft-mrw-nat66-12

james woodyatt <jhw@apple.com> Wed, 16 March 2011 01:10 UTC

From: james woodyatt <jhw@apple.com>
In-reply-to: <B4FD874E-1AC2-49DF-A7C0-D1D48B940292@cisco.com>
Date: Tue, 15 Mar 2011 18:12:16 -0700
Message-id: <3B1E3A80-B4A8-4DF0-B345-168BAD532C6E@apple.com>
References: <20110314063002.28048.29694.idtracker@localhost> <19F3A4CD-F39C-4F17-A6E9-7AA8AFBC6B3B@cisco.com> <CF8367A6-F303-43D7-99C6-D40D1DD5D5D9@free.fr> <125BC580-ED43-40EE-B6B9-FD88557C35B9@apple.com> <758DD037-9DC2-4A1E-BEAE-7E99CBED6D3A@cisco.com> <5E3E1015-9750-4ADA-91D9-F10FFFDB2BD0@apple.com> <B4FD874E-1AC2-49DF-A7C0-D1D48B940292@cisco.com>
To: Fred Baker <fred@cisco.com>
Cc: NAT66 HappyFunBall <nat66@ietf.org>
Subject: Re: [nat66] Comments on draft-mrw-nat66-12

On Mar 15, 2011, at 4:37 PM, Fred Baker wrote:
> 
> The PCP conversation is with the firewall functionality, which is COMPLETELY AND 100% SEPARATE FROM THE NPTv6 TRANSLATOR FUNCTIONALITY.

Not entirely true.

Using NPTv6 to facilitate site multi-homing as described in section 2.4 means that hosts may have multiple external addresses and PCP servers with which to communicate their port control needs to IPv6 firewalls (cf. REC-48 in RFC 6092) for ports bound to their single locally prefixed interface identifiers.

PCP assumes deployment only in single-homed sites, and hosts deployed behind NPTv6 translators have no systematic way to determine that they *aren't* in a single-homed site.  Indeed, that's the point of NPTv6: to present an approximation of a single-homed network when in fact the network is multi-homed with provider-aggregated addresses.  Support for PCP will entail a proxy server that handles port control requests from internal addresses and proxies them to the PCP servers for each of the external firewalls.

Moreover, there is an open problem, which the PCP working group will eventually discover in the fullness of time, dealing with external address discovery.  Hosts deployed behind NPTv6 that expect to use PCP to obtain the external addresses mapped to their internal addresses will need to cope with the fact that multiple addresses may be in the list.  Indeed they may get IPv4 addresses too, from NAT64 boxen.  When NPTv6 is used for site multi-homing, then each of the external addresses will need to be returned by the PCP proxy server.  Possibly, each with their own lifetimes.  Not sure what the PCP people will do when they come face to face with this problem.

Look, you don't have to design a PCP proxy server in this draft.  You just need to point out that PCP will need one.  Either that or you need to point out that site multi-homing with NPTv6 isn't compatible with PCP.  Pick one, but please don't just ignore the issue.


--
james woodyatt <jhw@apple.com>
member of technical staff, core os networking
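The multi-homing case argued in the mail above, as an added worked example (editor's code, not code from draft-mrw-nat66, from RFC 6296, or from anyone on this thread): one internal address behind NPTv6 maps to a different external address per provider prefix, so a PCP proxy answering an external-address query from an internal host has several addresses to hand back, each from a different upstream firewall. The prefix rewrite is modelled on the checksum-neutral /48 mapping of RFC 6296 (the published form of the draft under discussion); the 0xFFFF-to-0x0000 substitution is my reading of that RFC's /48 rule, and the proxy, its upstream list, the lifetimes and the sample prefixes are hypothetical and constructed.

```python
"""Editor's illustration of the NPTv6 multi-homing / PCP proxy argument.
Not code from draft-mrw-nat66, RFC 6296 or the nat66 thread.  The /48
mapping is modelled on RFC 6296; the PCP proxy is hypothetical."""
import ipaddress
from typing import List, Sequence, Tuple


def oc_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(words: Sequence[int]) -> int:
    """One's complement sum of 16-bit words, folded to 16 bits."""
    total = 0
    for w in words:
        total = oc_add(total, w)
    return total


def words_of(addr) -> List[int]:
    """The eight 16-bit words of an IPv6 address, most significant first."""
    b = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, 16, 2)]


def npt66_map(addr, internal, external) -> ipaddress.IPv6Address:
    """Rewrite addr (str or IPv6Address) from the internal /48 to the external /48.

    The subnet word (bits 48-63) is adjusted so that the one's complement sum
    of the whole address, and therefore every transport checksum covering it,
    is unchanged.  Assumption: an adjusted word that would be 0xFFFF is written
    as 0x0000 (both are zero in one's complement), per my reading of RFC 6296.
    """
    addr = ipaddress.IPv6Address(addr)
    internal = ipaddress.IPv6Network(internal)
    external = ipaddress.IPv6Network(external)
    if internal.prefixlen != 48 or external.prefixlen != 48:
        raise ValueError("this model handles /48 prefixes only")
    if addr not in internal:
        raise ValueError(f"{addr} is not inside {internal}")
    w = words_of(addr)
    in_w = words_of(internal.network_address)[:3]
    ex_w = words_of(external.network_address)[:3]
    # adjustment = internal_sum - external_sum; one's complement negation is ~x
    adjustment = oc_add(oc_sum(in_w), (~oc_sum(ex_w)) & 0xFFFF)
    out = ex_w + w[3:]
    out[3] = oc_add(w[3], adjustment)
    if out[3] == 0xFFFF:
        out[3] = 0x0000
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in out))


def checksum_neutral(a, b) -> bool:
    """True if a and b contribute identically to a pseudo-header checksum."""
    return oc_sum(words_of(a)) == oc_sum(words_of(b))


def pcp_proxy_mappings(internal_addr, internal, upstreams) -> List[Tuple[ipaddress.IPv6Address, int]]:
    """Hypothetical PCP proxy for a multi-homed NPTv6 site.

    The host sees one address and one PCP server.  The proxy relays the
    request to the firewall in front of each provider prefix and returns every
    external address, each with the lifetime that firewall granted.
    `upstreams` is a constructed list of (external /48, lifetime in seconds).
    """
    return [(npt66_map(internal_addr, internal, ext), lifetime)
            for ext, lifetime in upstreams]


if __name__ == "__main__":
    host = "fd01:203:405:10::5"            # constructed internal host address
    site = "fd01:203:405::/48"             # constructed internal (ULA) prefix
    upstreams = [("2001:db8:1::/48", 3600),  # constructed provider prefixes
                 ("2001:db8:2::/48", 1800)]  # and granted lifetimes
    for ext_addr, life in pcp_proxy_mappings(host, site, upstreams):
        print(f"{host} -> {ext_addr}  lifetime={life}s  "
              f"checksum-neutral={checksum_neutral(host, ext_addr)}")
```

Run as-is, the script prints two external addresses for the single internal host, one per provider prefix, each with a different lifetime; that list is what the mail says a PCP proxy must be prepared to return, and the checksum-neutral flag shows why the subnet word differs between the two mappings.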