IETF Logo Mail Archive

Re: [v6ops] Operational Guidance for IPv6 Deployment inPredominantly IPv4 Sites - (pre-draft)

"Templin, Fred L" <Fred.L.Templin@boeing.com> Wed, 13 April 2011 00:07 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: v6ops@ietfc.amsl.com
Delivered-To: v6ops@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 4F555E0708 for <v6ops@ietfc.amsl.com>; Tue, 12 Apr 2011 17:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.485
X-Spam-Level:
X-Spam-Status: No, score=-6.485 tagged_above=-999 required=5 tests=[AWL=0.114, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tX-p1gce41W5 for <v6ops@ietfc.amsl.com>; Tue, 12 Apr 2011 17:07:05 -0700 (PDT)
Received: from blv-smtpout-01.boeing.com (blv-smtpout-01.boeing.com [130.76.32.69]) by ietfc.amsl.com (Postfix) with ESMTP id 581F3E096C for <v6ops@ietf.org>; Tue, 12 Apr 2011 17:07:02 -0700 (PDT)
Received: from slb-av-01.boeing.com (slb-av-01.boeing.com [129.172.13.4]) by blv-smtpout-01.ns.cs.boeing.com (8.14.4/8.14.4/8.14.4/SMTPOUT) with ESMTP id p3D06qOU029982 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 12 Apr 2011 17:06:53 -0700 (PDT)
Received: from slb-av-01.boeing.com (localhost [127.0.0.1]) by slb-av-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_RELAY) with ESMTP id p3D06q2X009332; Tue, 12 Apr 2011 17:06:52 -0700 (PDT)
Received: from XCH-NWHT-09.nw.nos.boeing.com (xch-nwht-09.nw.nos.boeing.com [130.247.25.115]) by slb-av-01.boeing.com (8.14.4/8.14.4/UPSTREAM_RELAY) with ESMTP id p3D06p79009321 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Tue, 12 Apr 2011 17:06:52 -0700 (PDT)
Received: from XCH-NW-01V.nw.nos.boeing.com ([130.247.64.120]) by XCH-NWHT-09.nw.nos.boeing.com ([130.247.25.115]) with mapi; Tue, 12 Apr 2011 17:06:51 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
Date: Tue, 12 Apr 2011 17:06:49 -0700
Thread-Topic: [v6ops] Operational Guidance for IPv6 Deployment inPredominantly IPv4 Sites - (pre-draft)
Thread-Index: Acv5ZZs8gsZF0yjcS9qrbW1HJxN2mgACBkUw
Message-ID: <E1829B60731D1740BB7A0626B4FAF0A65C699E77B5@XCH-NW-01V.nw.nos.boeing.com>
References: <7B64C6B4-23DB-44AE-8941-ACE9964A3578@cisco.com><E1829B60731D174 0BB7A0626B4FAF0A65C699E721E@XCH-NW-01V.nw.nos.boeing.com><20110413071247.2b efa661@opy.nosense.org><E1829B60731D1740BB7A0626B4FAF0A65C699E7756@XCH-NW-01V.nw.nos.boeing.com> <20110413083142.1400c381@opy.nosense.org>
In-Reply-To: <20110413083142.1400c381@opy.nosense.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Operational Guidance for IPv6 Deployment inPredominantly IPv4 Sites - (pre-draft)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2011 00:07:06 -0000

Hi Mark,

It sounds like what you'd prefer would be DHCPv6
over ISATAP interfaces. In that case, the routing
system matches up the (non-ISATAP) DHCPv6-delegated
IPv6 addresses with an ISATAP link-local address of
the host to which the address has been delegated.
We talk about how to do exactly that in Section
3.2.4 of 'draft-ietf-v6ops-tunnel-loops'.

So, this has come down to a DHCPv6 vs SLAAC bakeoff
on ISATAP links, I guess? I was told by an employee
of a major host implementation vendor that their
ISATAP host implementation does not do DHCPv6. But,
you list a number of reasons why DHCPv6 would be
beneficial.

This sounds like a recipe for a food-fight. Can I
run off to catch that train with you??

Fred
fred.l.templin@boeing.com 

> -----Original Message-----
> From: Mark Smith 
> [mailto:ipng@69706e6720323030352d30312d31340a.nosense.org] 
> Sent: Tuesday, April 12, 2011 4:02 PM
> To: Templin, Fred L
> Cc: v6ops@ietf.org
> Subject: Re: [v6ops] Operational Guidance for IPv6 Deployment 
> inPredominantly IPv4 Sites - (pre-draft)
> 
> Hi Fred,
> 
> On Tue, 12 Apr 2011 15:07:24 -0700
> "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
> 
> > Hi Mark, 
> > 
> > > -----Original Message-----
> > > From: Mark Smith 
> > > [mailto:ipng@69706e6720323030352d30312d31340a.nosense.org] 
> > > Sent: Tuesday, April 12, 2011 2:43 PM
> > > To: Templin, Fred L
> > > Cc: v6ops@ietf.org
> > > Subject: Re: [v6ops] Operational Guidance for IPv6 Deployment 
> > > inPredominantly IPv4 Sites - (pre-draft)
> > > 
> > > Hi Fred,
> > > 
> > > On Mon, 11 Apr 2011 11:18:14 -0700
> > > "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
> > > 
> > > > Hello,
> > > > 
> > > > The following should not be construed as a draft, but
> > > > rather just a set of ideas that might be considered
> > > > for inclusion in a new or existing draft. Any
> > > > comments or suggestions?
> > > > 
> > > 
> > > I don't know if it has been though of before, however one 
> alternative
> > > use of ISATAP I've thought of is to facilitate IPv6 topology
> > > hiding. The underlying IPv4 addresses probably would expose 
> > > the network
> > > typology, however if they're RFC1918 ones, they'd be unreachable
> > > externally.
> > 
> > There is probably a discussion point here, but I'll
> > note that other IPv4-embedding mechanisms like 6to4
> > and 6rd are not shy about exposing IPv4 addresses
> > externally. Especially with 6rd, the IPv4 addresses
> > may be from the private internal IPv4 addressing realm
> > of the ISP, so there would seem to be precendence for
> > just letting the IPv4 addresses leak out.
> > 
> 
> I think people who're using those sorts of mechanisms probably aren't
> concerned about using topology hiding so much, or are aware that only
> one or a small number of public IPv4 addresses are exposed.
> 
> I'm imagining a conversation with people who like the topology
> hiding that IPv4 NAPT provides, and think they need IPv6 NAPT for the
> same reason. I think you could rebut that by saying that ISATAP could
> be used to make all IPv6 hosts appear to be attached to a single /64,
> also pointing out that ISATAP implementations are commonly available.
> However, when they find out that underlying IPv4 addresses 
> are embedded
> in the ISATAP addresses, they'll then say that thats still exposing
> IPv4 topology information that isn't exposed with IPv4 NAPT, and
> therefore ISATAP isn't adequate, and therefore they need IPv6 NAPT.
> 
> So I think ISATAP is nearly capable of providing IPv6 and underlying
> IPv4 topology hiding, as long as the exterior devices don't see the
> underlying IPv4 addresses. It has just occurred to me that ISATAP +
> stateful DHCPv6 addressing might achieve that. Do you know if that
> would work or has been implemented anywhere?
> 
> 
> > > Possibly this could be resolved by having only the ISATAP
> > > domain link-local addresses use IPv4 addresses, and then have 
> > > global ->
> > > link local IPv6 translation tables which are then used to 
> resolve a
> > > global IPv6 ISATAP host address which doesn't include an 
> interior IPv4
> > > host address into a ISATAP link local and then interior IPv4 
> > > address. As
> > > external parties would only use externally visible IPv6 
> addresses, the
> > > IPv4 topology would then be hidden as well.
> > 
> > I'm almost on-board with this, however I would not
> > want to see the site number all of its ISATAP host
> > interfaces with only link-local IPv6 addresses. Or,
> > maybe that's not what you were saying?
> > 
> 
> No, it was that the underlying IPv4 addresses were only 
> embedded in the
> link local addresses used within the ISATAP domain, and the 
> global IPv6
> addresses used within the ISATAP domain were generic (non-IPv4
> embedded) IPv6 addresses (e.g. SLAAC using some other non-IPv4 IID, or
> privacy addresses, or stateful DHCPv6 addresses).
> 
> To resolve the underlying IPv4 address for inbound packets, with these
> generic global IPv6 addresses, the look up mechanism would be -
> 
> 1. Match up the global IPv6 address to an ISATAP domain link-local
> address with the embedded IPv4 address.
> 2. Extract the IPv4 address from the link local address and use that
> for the encapsulating packet IPv4 destination.
> 
> > What I *could* see happening is for the ISATAP
> > router to maintain a translation table whereby
> > it translates the IPv6 address 2001:db8::[ISATAP]
> > coming from a host within the site to the IPv6
> > address 2001:db8::[EUI64] for communications with
> > hosts outside the site.
> 
> I think the drawback of that is that it is IPv6-to-IPv6 address
> translation with all the related issues of NAT.
> 
> > 
> > Even moreso, ISATAP hosts inside an enterprise
> > network are likely to need to go through an
> > enterprise-border proxy in order to talk to IPv6
> > servers out on the Internet, so the proxy itself
> > could do the translation as I suspect many IPv4
> > proxies currently do today.
> > 
> > Is that what you had in mind?
> > 
> > Thanks - Fred
> > fred.l.templin@boeing.com
> > 
> 
> (got to rush off to catch my train!)
> 
> Regards,
> Mark.
>

v2.23.0 | Report a Bug | By Email