[v6ops] Disadvantages of MAP protocols -- Re: Is 464XLAT really inferior to all other IPv6 transition technologies? -- Re: updating RFC8026 to support 464XLAT in draft-ietf-v6ops-transition-ipv4aas
Lencse Gábor <lencse@hit.bme.hu> Wed, 13 June 2018 17:01 UTC
Return-Path: <lencse@hit.bme.hu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EE27130ED7 for <v6ops@ietfa.amsl.com>; Wed, 13 Jun 2018 10:01:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rs8_1Bsc7C7q for <v6ops@ietfa.amsl.com>; Wed, 13 Jun 2018 10:01:03 -0700 (PDT)
Received: from frogstar.hit.bme.hu (frogstar.hit.bme.hu [IPv6:2001:738:2001:4020::2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E781B130E6C for <v6ops@ietf.org>; Wed, 13 Jun 2018 10:01:02 -0700 (PDT)
Received: from [192.168.1.114] (host-79-121-41-164.kabelnet.hu [79.121.41.164]) (authenticated bits=0) by frogstar.hit.bme.hu (8.15.2/8.15.2) with ESMTPSA id w5DH0lAk092941 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <v6ops@ietf.org>; Wed, 13 Jun 2018 19:00:54 +0200 (CEST) (envelope-from lencse@hit.bme.hu)
X-Authentication-Warning: frogstar.hit.bme.hu: Host host-79-121-41-164.kabelnet.hu [79.121.41.164] claimed to be [192.168.1.114]
References: <FEACFE5A-F2E6-4533-8602-C05F8A1FB59A@consulintel.es> <28C9E7B4-1D2F-4C65-A121-90E9AFB470AD@gmail.com> <CAHL_VyDc1iF7T4k3J1uQvDYUpxaRg7_eOqK6poV_cZ-NAFAEDQ@mail.gmail.com> <7B87AAA7-E5C5-498E-A41E-8927BC554F29@consulintel.es> <CAKD1Yr2HpJFvW3=CQQV6HVr6tOGSW=Kj5mpO-rLLrEEuPZ4vmg@mail.gmail.com> <966D347E-0A4F-4F51-90AB-03D178EF4CEB@consulintel.es> <CAKD1Yr3uSr-KJCOhTJvaf1xh4g7hOqwzxZSv7TNH5fB5Z1VigQ@mail.gmail.com> <C48F6BAD-84CE-4121-B862-218004A417D3@consulintel.es> <CAKD1Yr1_NeLyAmdAJitd=jUKeY0kW8qxV_9FWGCbNf1__ppecw@mail.gmail.com> <018DD24B-DD2F-4B31-A939-328173891F3E@consulintel.es> <CAKD1Yr1ohmb9BUV+KO2Ff+LJ1+pNwQ+-UJ6t7MmwY6PV3MLhyA@mail.gmail.com> <0F82C180-CE02-4DC1-88EE-5BB6CEC46F3C@consulintel.es> <CAKD1Yr1FVdWt446zq9mDec4fsCmN6K=M1MkK4FUWv=RBMQMrbQ@mail.gmail.com> <da095b32-3bb9-d2ec-dd41-e6e526cff83f@hit.bme.hu> <CAKD1Yr3ZbOLbsXFmZqa78ZJ9aaiFnCxAPUVOX26=VoqChA1g-A@mail.gmail.com>
From: Lencse Gábor <lencse@hit.bme.hu>
To: "v6ops@ietf.org WG" <v6ops@ietf.org>
Message-ID: <7eb46aa1-699a-7397-d0d9-51d1160b4148@hit.bme.hu>
Date: Wed, 13 Jun 2018 19:00:43 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CAKD1Yr3ZbOLbsXFmZqa78ZJ9aaiFnCxAPUVOX26=VoqChA1g-A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------05ED525C9D61393CB696F96D"
X-Virus-Scanned: clamav-milter 0.100.0 at frogstar.hit.bme.hu
X-Virus-Status: Clean
Received-SPF: pass (frogstar.hit.bme.hu: authenticated connection) receiver=frogstar.hit.bme.hu; client-ip=79.121.41.164; helo=[192.168.1.114]; envelope-from=lencse@hit.bme.hu; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.10;
X-DCC--Metrics: frogstar.hit.bme.hu; whitelist
X-Scanned-By: MIMEDefang 2.79 on 152.66.248.44
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/-H_yQvrhYOJEywny9ET6I-9t3Mg>
Subject: [v6ops] Disadvantages of MAP protocols -- Re: Is 464XLAT really inferior to all other IPv6 transition technologies? -- Re: updating RFC8026 to support 464XLAT in draft-ietf-v6ops-transition-ipv4aas
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2018 17:01:07 -0000
Dear Lorenzo, Thank you very much for your answer. For a balanced view, I think it is useful to point out that the MAP protocols have their disadvantages, too. _1. Port numbers_ As Jordi has already pointed it out, one needs to dedicate a fix number of ports per CPE. Some advice that a few hundred will do for this value, but I think that it is not so simple: - The lack of port situation may cause serious problems in the operation of certain programs, for more information see [1]. - The port number consumption of different applications is highly varying and e.g. in the case of web browsing it depends on several factors [2]. - There may be several users behind a CPE, especially in the wired case (e.g. Internet is used by different members of a family simultaneously), thus sometimes even a few thousands may not be enough. Stateful NAT64 (used by 464XLAT) can use port numbers (and thus public IP addresses) much more economically. _2. Complexity and security_ The operation of the MAP solution is rather complex, now I give only some highlights. Let us consider MAP-T. (MAP-E works similarly, but it uses encapsulation.) "First, the MAP-T CE (Customer Edge) device performs a NAT44 operation to restrict the available TCP/UDP port numbers for the user. Then the CE device performs a special stateless translation from IPv4 to IPv6, where the source IPv4 address and the selected port bits are encoded into the source IPv6 address according to the MAP-T rules. The IPv6 packets can be destined to other users, where similar CEs perform the necessary transformations, or to the outside IPv4 Internet, in which case the MAP-T Border Relay performs the necessary transformations." [3] This complexity has performance and security implications: - Whereas the IPv6 backbone traffic of 464XLAT is normal IPv6 traffic, which can be inspected e.g. by firewalls, the IPv6 backbone traffic of MAP-T (as well as that of MAP-E) needs to be first "decoded", which causes further costs (both CAPEX and OPEX). - Complex code may contain more bugs and thus also security holes. (In the simplest model, the number of bugs is proportional to the number of code lines.) _3. MAP-T and MAP-E are different_ On the one hand, if double translation may cause the loss of some IPv4 fields (BTW: What exactly did you mean?), then it is also applies for MAP-T. On the other hand, MAP-E uses encapsulation, which results in an overhead. An IPv6 header is at least 40 bytes, which may be a significant overhead in the case of small packets, e.g. TCP acknowledgments. _4. What other IPv6 transition solutions did you also consider?_ As you have now mentioned only MAP, I wonder what other solutions you could consider better than 464XLAT? Best regards, Gábor Lencse References: [1] S. Miyakawa, "IPv4 to IPv6 transformation schemes", IEICE Trans. Commun., vol.E93-B, no.5, pp.1078-1084, May 2010. DOI:10.1587/transcom.E93.B.1078 [2] S. Répás, T. Hajas, and G. Lencse, "Port number consumption of the NAT64 IPv6 transition technology", Proc. 37th Internat. Conf. on Telecommunications and Signal Processing (TSP 2014), Berlin, Germany, pp.66-72, Jul. 1-3, 2014. DOI: 10.1109/TSP.2015.7296411 [3] G. Lencse, Y. Kadobayashi, "Comprehensive survey of IPv6 transition technologies for security analysis", unpublished 6/13/2018 12:55 PM keltezéssel, Lorenzo Colitti írta: > Here are a few disadvantages of 464xlat: > > * It consumes lots of state on the NAT64 (one state table entry for > every connection). MAP is much better since it uses port ranges. > * It doesn't allow any inbound connections unless the NAT > cooperates. MAP is better in the sense that you can at least > receive connections within your port range. > * The transformation is lossy because there are IPv4 header fields > that cannot be translated. MAP-E is better because the > encapsulation preserves the original packet header. > > > On Wed, Jun 13, 2018 at 6:12 PM Lencse Gábor <lencse@hit.bme.hu > <mailto:lencse@hit.bme.hu>> wrote: > > Dear Lorenzo, > > I think it is a rather strong statement that "464XLAT is pretty > much the worse of the transition mechanisms from a technical > perspective." > > We have listed 26+ IPv6 transition technologies in our workshop > paper [1], but there are even more solutions exist. > > Which of them do you mean to be better than 464XLAT? > > What technical points do you consider when stating that 464XLAT is > worse than the others? (E.g. resource consumption, scalability, > security, ease of implementation, etc.) > > I think it is important for network operators to have a balanced > view of the advantages and disadvantages of the different IPv6 > transition mechanisms, this is why I am asking these questions. > > Best regards, > > Gábor Lencse > > > [1] G. Lencse and Y. Kadobayashi, "Survey of IPv6 Transition > Technologies for Security Analysis", IEICE Communications Society > Internet Architecture Workshop, Tokyo, Japan, Aug. 28, 2017, > /IEICE Tech. Rep./, vol. 117, no. 187, pp. 19-24. Available > online: > http://www.hit.bme.hu/~lencse/publications/IEICE-IA-2017-survey.pdf > <http://www.hit.bme.hu/%7Elencse/publications/IEICE-IA-2017-survey.pdf> > > > 6/13/2018 9:38 AM keltezéssel, Lorenzo Colitti írta: >> That goes back to my earlier point of that from a technical >> perspective 464xlat is pretty much the worst of the transition >> mechanisms.. I don't think we should be recommending running it >> on wireline at all, let alone prioritizing it over something else >> .:-) >> >> On Wed, Jun 13, 2018 at 3:50 PM JORDI PALET MARTINEZ >> <jordi.palet=40consulintel.es@dmarc.ietf.org >> <mailto:40consulintel.es@dmarc.ietf.org>> wrote: >> >> Lorenzo, you’re missing the key aspect: Being able to >> prioritize, when an ISP supports several transition mechanisms. >> >> RFC8026 key aspect is priority. If we don’t add an option >> code for 464XLAT, then it can’t be managed the same way. >> >> >> Regards, >> >> Jordi >> >> *De: *v6ops <v6ops-bounces@ietf.org >> <mailto:v6ops-bounces@ietf.org>> en nombre de Lorenzo Colitti >> <lorenzo=40google.com@dmarc.ietf.org >> <mailto:40google.com@dmarc.ietf.org>> >> *Fecha: *miércoles, 13 de junio de 2018, 4:45 >> *Para: *<jordi.palet=40consulintel.es@dmarc.ietf.org >> <mailto:40consulintel.es@dmarc.ietf.org>> >> *CC: *"v6ops@ietf.org <mailto:v6ops@ietf.org> WG" >> <v6ops@ietf.org <mailto:v6ops@ietf.org>> >> *Asunto: *Re: [v6ops] updating RFC8026 to support 464XLAT in >> draft-ietf-v6ops-transition-ipv4aas >> >> On Tue, Jun 12, 2018 at 7:40 PM JORDI PALET MARTINEZ >> <jordi.palet=40consulintel..es@dmarc.ietf.org >> <mailto:40consulintel.es@dmarc.ietf.org>> wrote: >> >> You don’t need RFC7050 neither DNS64, you can use PCP >> (RFC7225) to tell the CLAT the NAT64 prefix. It also >> provides additional advantages to the operator to control >> many related aspects (see section 3 of RFC7225). >> >> 1.If the operator wants to enable 464xlat: they should >> hand out a DNS64 to the CPE. >> >> 2.If the operator wants to disable 464xlat: they should >> NOT hand out a DNS64 to the CPE. >> >> This doesn’t work, because the operator may be using >> RFC7225 instead of RFC7050. You need to try both in that >> case, and you aren’t providing a “priority” to a possible >> list of mechanisms, which is what RFC8026 does. >> >> But it's the same problem again: what's the use case for this >> DHCPv6 option? An operator that's using RFC7225 has an easy >> way to tell the CPE not to do 464xlat: don't hand out the >> prefix64 to those CPEs. So this is already possible today. >> >> 3.If the operator uses 464xlat, they should not allow the >> user to change the DNS server. >> >> Let’s be realistic. You can’t “force” the customer to >> avoid changing the DNS … >> >> On an operator-managed CPE, you can. On a user-managed CPE, >> you can't. But on such a CPE you probably shouldn't be >> disabling 464xlat. If the user wants to use it, it's their >> CPE, right? >> >> _______________________________________________ v6ops mailing >> list v6ops@ietf.org <mailto:v6ops@ietf.org> >> https://www.ietf.org/mailman/listinfo/v6ops >> >> >> ********************************************** >> IPv4 is over >> Are you ready for the new Internet ? >> http://www.consulintel.es >> The IPv6 Company >> >> This electronic message contains information which may be >> privileged or confidential. The information is intended to be >> for the exclusive use of the individual(s) named above and >> further non-explicilty authorized disclosure, copying, >> distribution or use of the contents of this information, even >> if partially, including attached files, is strictly >> prohibited and will be considered a criminal offense. If you >> are not the intended recipient be aware that any disclosure, >> copying, distribution or use of the contents of this >> information, even if partially, including attached files, is >> strictly prohibited, will be considered a criminal offense, >> so you must reply to the original sender to inform about this >> communication and delete it. >> >> >> >> _______________________________________________ >> v6ops mailing list >> v6ops@ietf.org <mailto:v6ops@ietf.org> >> https://www.ietf.org/mailman/listinfo/v6ops > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org <mailto:v6ops@ietf.org> > https://www.ietf.org/mailman/listinfo/v6ops >
- Re: [v6ops] Is 464XLAT really inferior to all oth… JORDI PALET MARTINEZ
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Ca By
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Hans Liu
- Re: [v6ops] Is 464XLAT really inferior to all oth… Lee Howard
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… JORDI PALET MARTINEZ
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Lee Howard
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… nick.heatley
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… JORDI PALET MARTINEZ
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Lorenzo Colitti
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… JORDI PALET MARTINEZ
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Lee Howard
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… JORDI PALET MARTINEZ
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Lee Howard
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Ca By
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Lorenzo Colitti
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… nick.heatley
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Lorenzo Colitti
- Re: [v6ops] Is 464XLAT really inferior to all oth… Lorenzo Colitti
- Re: [v6ops] Disadvantages of MAP protocols -- Re:… Ole Troan
- [v6ops] Disadvantages of MAP protocols -- Re: Is … Lencse Gábor
- Re: [v6ops] Is 464XLAT really inferior to all oth… Alejandro D'Egidio
- Re: [v6ops] Is 464XLAT really inferior to all oth… JORDI PALET MARTINEZ
- Re: [v6ops] Is 464XLAT really inferior to all oth… JORDI PALET MARTINEZ
- Re: [v6ops] Is 464XLAT really inferior to all oth… Philip Homburg
- Re: [v6ops] Is 464XLAT really inferior to all oth… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Lorenzo Colitti
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Lorenzo Colitti
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Philip Homburg
- [v6ops] Is 464XLAT really inferior to all other I… Lencse Gábor
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Mark Andrews
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Lorenzo Colitti
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Lorenzo Colitti
- [v6ops] updating RFC8026 to support 464XLAT in dr… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Fred Baker
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Fred Baker
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Alejandro Acosta
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Lorenzo Colitti
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Richard Patterson
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Philip Homburg
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Philip Homburg
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Lorenzo Colitti
- Re: [v6ops] updating RFC8026 to support 464XLAT i… JORDI PALET MARTINEZ
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Philip Homburg
- Re: [v6ops] updating RFC8026 to support 464XLAT i… Alejandro D'Egidio