Re: (ngtrans) Re: draft-ietf-ngtrans-isatap-scenario-00.txt
"Fred L. Templin" <ftemplin@iprg.nokia.com> Thu, 27 June 2002 19:56 UTC
Received: from nwkea-mail-2.sun.com (nwkea-mail-2.sun.com [192.18.42.14]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA12694 for <ngtrans-archive@odin.ietf.org>; Thu, 27 Jun 2002 15:56:47 -0400 (EDT)
Received: from engmail2.Eng.Sun.COM ([129.146.1.25]) by nwkea-mail-2.sun.com (8.9.3+Sun/8.9.3) with ESMTP id MAA04346; Thu, 27 Jun 2002 12:54:39 -0700 (PDT)
Received: from sunroof.eng.sun.com (sunroof.Eng.Sun.COM [129.146.168.88]) by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id MAA12246; Thu, 27 Jun 2002 12:54:31 -0700 (PDT)
Received: from sunroof.eng.sun.com (localhost [127.0.0.1]) by sunroof.eng.sun.com (8.12.4/8.12.4) with ESMTP id g5RJrHk7007100 for <ngtrans-dist@sunroof.eng.sun.com>; Thu, 27 Jun 2002 12:53:17 -0700 (PDT)
Received: (from majordomo@localhost) by sunroof.eng.sun.com (8.12.4/8.12.4/Submit) id g5RJrGs4007099 for ngtrans-dist; Thu, 27 Jun 2002 12:53:16 -0700 (PDT)
X-Authentication-Warning: sunroof.eng.sun.com: majordomo set sender to owner-ngtrans@sunroof.eng.sun.com using -f
Received: from engmail4.Eng.Sun.COM (engmail4 [129.144.134.6]) by sunroof.eng.sun.com (8.12.4/8.12.4) with ESMTP id g5RJrEk7007092 for <ngtrans@sunroof.eng.sun.com>; Thu, 27 Jun 2002 12:53:14 -0700 (PDT)
Received: from patan.sun.com (patan.Central.Sun.COM [129.147.5.43]) by engmail4.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL, v2.1p1) with ESMTP id MAA05153 for <ngtrans@sunroof.eng.sun.com>; Thu, 27 Jun 2002 12:53:19 -0700 (PDT)
Received: from mailhost.iprg.nokia.com (mailhost.iprg.nokia.com [205.226.5.12]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id NAA14956 for <ngtrans@sunroof.eng.sun.com>; Thu, 27 Jun 2002 13:53:19 -0600 (MDT)
Received: from darkstar.iprg.nokia.com (darkstar.iprg.nokia.com [205.226.5.69]) by mailhost.iprg.nokia.com (8.9.3/8.9.3-GLGS) with ESMTP id MAA13322; Thu, 27 Jun 2002 12:53:18 -0700 (PDT)
Received: (from root@localhost) by darkstar.iprg.nokia.com (8.11.0/8.11.0-DARKSTAR) id g5RJrHf19277; Thu, 27 Jun 2002 12:53:17 -0700
X-mProtect: <200206271953> Nokia Silicon Valley Messaging Protection
Received: from UNKNOWN (205.226.2.67, claiming to be "iprg.nokia.com") by darkstar.iprg.nokia.com smtpdWJ5qeJ; Thu, 27 Jun 2002 12:53:15 PDT
Message-ID: <3D1B6EA7.2050504@iprg.nokia.com>
Date: Thu, 27 Jun 2002 12:59:35 -0700
From: "Fred L. Templin" <ftemplin@iprg.nokia.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a) Gecko/20020610
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Pekka Savola <pekkas@netcore.fi>
CC: ngtrans@sunroof.eng.sun.com
Subject: Re: (ngtrans) Re: draft-ietf-ngtrans-isatap-scenario-00.txt
References: <Pine.LNX.4.44.0206271403180.24634-100000@netcore.fi>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ngtrans@sunroof.eng.sun.com
Precedence: bulk
Reply-To: "Fred L. Templin" <ftemplin@iprg.nokia.com>
Content-Transfer-Encoding: 7bit
Pekka, Below are my responses to the technical points you raised. Again, the comments are appreciated: Pekka Savola wrote: > Second, there are a few security considerations that may be relevant in > this Enterprise/Managed networks problem space. For some organizations, > embedding a private address (if NAT is used) in IPv6 address may be > unacceptable. Especially in Enterprise/Manged environments, there are > often security compartments also inside the organization, that is, > internal firewalls. Basically with ISATAP, every firewall must be > configured to accept any ip-protocol-41 packet from any internal node to > any internal node. Agreed regarding the potential for security compartments within an organization, but it is not clear that internal firewalls would need to accept all ip-protocol-41 packets. For example, if each security compartment is treated as a distinct ISATAP site, only those ip-protocol-41 packets sourced by the ISATAP router(s) within each compartment would need to be accepted by firewalls. This scenario clearly requires more study, however. > And on one chapter of the draft: > > 4.2. Enables incremental deployment of IPv6 hosts within IPv4 sites > with no aggregation scaling issues at border gateways > > Additional hosts can be added with no need for manual configuration > (though this is possible, if wanted). Such hosts will (when using the > recommended mechanism) discover the set of ISATAP routers via a > lookup of DNS resource record. These routers are polled (using ISATAP > encapsulation) and auto-configuration can be performed, resulting in > aggregation efficiency when many hosts configure addresses from pre- > fixes advertised by the routers. > > ==> I feel unconfortable with this 'no aggregation scaling issues' > statement. IMO Isatap is mostly useful for a) automatic the tunneling to > to a border IPv6 router, and b) optimizing the direct tunneling between > two ISATAP nodes in a site. Yes, these are clearly two benefits provided by ISATAP but I believe you may be misinterpreting what is meant by "aggregation scaling" here. We are referring here to the fact that a single, fine-grained IPv6 prefix (e.g., a /64) can be used to autoconfigure IPv6 addresses for up to 2^32 nodes. (Actually, only that portion of 2^32 that constitutes legitimate IPv4 unicast addresses of course.) > The only real way I see ISATAP addresses this scaling issue is by not > putting the internal traffic to this border router. This perhaps sheds some light on the misinterpretation. The fact that internal traffic is tunneled directly peer-to-peer w/o going thru the ISATAP router (as in triangle routing) provides clear benefits for reducing message traffic as you observed. But the claim in question relates to prefix aggregation scaling; not scaling in terms of message traffic. Perhaps you could suggest some alternate text to clear up the potential for misinterpretation? > If RPL initialization returns more than one address, though, I guess an > ISATAP node should round-robin (like with NDISC) between those that send > router advertisements. But really, I don't see how this makes the scaling > issues go away; assuming manual configuration, the nodes could very well > just be configured to use another router. If the PRL contains multiple addresses, the situation is just like any other IPv6 link with multiple advertising routers. That is, the node will receive RA's from multiple routers and act on them exactly as specifed in RFC 2461. (The "scaling" question is addressed in the earlier discussion.) Thanks, Fred ftemplin@iprg.nokia.com
- (ngtrans) Re: draft-ietf-ngtrans-isatap-scenario-… Pekka Savola
- Re: (ngtrans) Re: draft-ietf-ngtrans-isatap-scena… Fred L. Templin
- Re: (ngtrans) Re: draft-ietf-ngtrans-isatap-scena… Fred L. Templin
- Re: (ngtrans) Re: draft-ietf-ngtrans-isatap-scena… Pekka Savola
- Re: (ngtrans) Re: draft-ietf-ngtrans-isatap-scena… Pekka Savola
- Re: (ngtrans) Re: draft-ietf-ngtrans-isatap-scena… Fred L. Templin
- Re: (ngtrans) Re: draft-ietf-ngtrans-isatap-scena… Pekka Savola