Re: [v6ops] Incremental Deployment of IPv6-only Wi-Fi for IETF Meetings

[JORDI PALET MARTINEZ <jordi.palet@consulintel.es>]

Below in-line with [Jordi].
    
    On 7/17/17, 10:27 AM, "v6ops on behalf of JORDI PALET MARTINEZ"
    <v6ops-bounces@ietf.org on behalf of jordi.palet@consulintel.es> wrote:
    
    >
    >4) The result is the same, but people don’t need to spend time. We
    >configure the Jool so it reports EVERY usage, so we can then process that
    >file to detect WHAT was using the CLAT.
    
    Your proposal is to log the 5-tuple of every connection (using the CLAT)
    on the IETF network?
    Any privacy concerns?

[Jordi] I don’t have privacy concerns myself, but I understand that, and obviously whatever we do, I suggest to be anonymized.

After all if we do the other way, people will need to tell what apps and web sites or whatever are they visiting, so the issue is the same and we add the need for manual reporting.


    
    >5) The result is the same as the suggested experiment, but NOT breaking
    >anything, not asking the participants to report anything, but having
    >BETTER collection of data about what will be broken if the CLAT is not
    >there (anything that goes into the CLAT).
    
    I’m not sure that logging the 5-tuple (if that’s what you mean to log)
    gives you that information.
    For instance, if Outlook for Mac isn’t working, and we don’t know why,
    then you may not see anything; the DNS lookup may happen over IPv6, and
    OfM barfs without ever sending a packet. At most you’ll see a packet to an
    SMTP/POP/IMAP port, but it won’t tell you whether it was the client or the
    server that failed.

[Jordi] I don't think we need to identify “why” something is not working. We just need to tell the “app” or “server” owner (example Microsoft in case of Outlook), what is failing. I don’t think is our job, neither we have, even if voluntary, resources to do more than that. So yes, maybe we need to log some additional data, such as port/protocol failing. We may need even to capture a few packets at the beginning of each traffic flow. I think I mention in one of the earlier emails I’m not a software developer, but I believe that we may figure out a simple way to do that if Jool itself don’t provides all the tools/data that we need.



    I’m not sure how to know of VPN failures where the DNS goes through the
    VPN. 

[Jordi] Of course I was not suggesting to look into “VPN” traffic. My mention about OpenVPN was because first attempts it failed. So I was talking about OpenVPN as one app not surviving the NAT64, which now is sorted out.


    
    >
    >
    >Real world networks (end-users and corporate which are not related to
    >IETF), will not (in 3-5 years), be willing to replace all the apps and
    >devices that fail with just NAT64. They need a CLAT or similar support in
    >their LANs.
    
    I don’t know how many corporate apps/devices fail with IPv6 + NAT64. Maybe
    some legacy business systems, but that’s not the case for all, and won’t
    be in 3-5 years. Even if it is, it may well make more sense for an
    enterprise to use IPv6 on client networks, and surround legacy systems
    with NAT64.

[Jordi] There are many business with VoIP systems that will not work if they don’t have IPv4 (even with private addresses as they have today) in the LAN. Same for security systems (IP cameras), devices that check the time the people come in/out the office, office automation, lighting automation, and I can keep going like that. Same for apps, like business apps (older IBM systems still used very frequently here), banking apps, I’ve been in many situations of web sites with dual-stack (even for governments and banks) that don’t work with NAT64 (and of course, you can tell as many times you want to the bank or government, they will not sort out for you). So end of the history, we like it or not, we can’t have the corporate LANs with just NAT64 for a while, they need to keep private IPv4, even if they turn off IPv4 in the WAN.
    
    No, I don’t expect 90% of users will be doing IPv6-only in their homes or
    corporate LANs in 3 years, but I wouldn’t be surprised if it’s 10-20%.
    
    Lee
    
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.