Re: [v4tov6transition] [Softwires] ISP support of Native IPv6 across NAT44 CPEs -Proposed 6a44 Specification

[Ole Troan <otroan@employees.org>]

Remi,

>> ...
>> issues I have with host tunneling:
>> - how to communicate with native IPv6 nodes on the same network?
> 
> The 6a44-S decapsulates IPv6 packets coming from a 6a44 host and, if not destined to another 6a44 host of its network, forwards them in IPv6, in this case on the same network.

I was thinking of another native IPv6 node in the same home. as 6a44 doesn't enable IPv6 support in the home network I don't see how this would work.

>> - how to communicate to another 6a44 host on a different link in the same home?
> 
> 6a44 is only for hosts on a LAN behind a NAT44 attached to a 6a44-capable ISP network.
> If the LAN has several bridged links, it does apply.
> Links that are behind extra NATs in the site are out of scope.
> 
> As I said to Olivier Vautrin in a previous mail on this thread, these extra NATs should be configured so that hosts behind them never receive 6a44 IPv6-Address-Indication messages. (e;g. with the 6a44 well-known port bound to an unassigned internal address.
> This point isn't in the draft yet but, if co-authors agree, should be in the next version.

I was thinking of the case of a routed home. no additional NATS. I don't see how the mechanism would work across routers. since you don't get a prefix for the site. the homegate/homenet WG proposal was rejected by the IESG, but it would have been useful to have the home network architecture document as background for this discussion...

>> - do you need non-congruent topology multi-homing policy?
>>  http://tools.ietf.org/html/draft-troan-multihoming-without-nat66-01
>>  how do you distribute that policy when you don't have a on-link router?
> 
> Not sure to understand the question.
> The answer should be NO: 6a44 only needs classical topologies.

if a 6a44 node is multi-homed to 3 networks, the 6a44 network the IPV4 network and possibly a native IPv6 network (e.g. ULA in the home), would you need to distribute SAS/NH/DNS policy?

>> - a general unease that now every host is supposed to have a "VPN" connection?
>>  how do I configure my own firewall and other network border policy?
> 
> If the NAT binds the 6a44 well-known port to an unassigned internal address, no host will be able to receive a 6a44 IPv6 address. 
> Besides, a firewall could filter all packets having this port, source or destination.

that doesn't give me ability to filter on IPv6 applications on the network border... not specific to 6a44, this is just an artifact of host tunneling.

>> how much would a new CPE cost the customer? 80USD? that's only 5 pints of beer (if bought in Norway.)
>> I really liked the dongle idea by the way. perhaps with a L2TP LAC.
> 
> The dongle idea of 6rd-UDP, if without a stateful NAT66 in the dongle, needs an assigned /16 to the function. (The /64 subnet prefix has to contain the site IPv4 address plus the port of the tunnel).
> This is in general not realistic.

my suggestion is to use L2TP, which has none of those particular shortcomings.

> Now, if there is a NAT66 in the dongle, it can work with a 6a44 external address.
> 
> 
> I hope it helps to understand that 6a44 isn't just one more design for the pleasure to make one, but a pragmatic solution to a real problem, specified after an in depth study. 

is the in-depth study available?

cheers,
Ole