IETF Logo Mail Archive

Re: [v6ops] Is 464XLAT really inferior to all other IPv6 transition technologies? -- Re: updating RFC8026 to support 464XLAT in draft-ietf-v6ops-transition-ipv4aas

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Wed, 13 June 2018 12:10 UTC

Return-Path: <prvs=17023f6860=jordi.palet@consulintel.es>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00A9312F1A5 for <v6ops@ietfa.amsl.com>; Wed, 13 Jun 2018 05:10:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oP9ThdbB5Ekq for <v6ops@ietfa.amsl.com>; Wed, 13 Jun 2018 05:10:01 -0700 (PDT)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DCBF130DEF for <v6ops@ietf.org>; Wed, 13 Jun 2018 05:10:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1528891797; x=1529496597; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:CC:Message-ID:Thread-Topic:References: In-Reply-To:Mime-version:Content-type; bh=x+iRO+NBZxFbInhJJX4o42 jLeVKSfLzXe9ryoDAwYqY=; b=Hm0kHz9lrlXX+ocGx6IU3r+TLZGV9fLlxIxXlA HdWur1Zo2f0NfSHf9p1WyCDyuV7fQ4paedsMiz/yurSf+fNgZtGDVmLApDL4r5o3 dohSh7j45a1pYxVGh/Dw8Kb5VILMDAfh+NMeiSP25FMSFqTTZ7zEDCxiWd0MKyzH ZrK7E=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Wed, 13 Jun 2018 14:09:57 +0200
X-Spam-Processed: mail.consulintel.es, Wed, 13 Jun 2018 14:09:55 +0200
Received: from [10.10.10.129] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50005788743.msg for <v6ops@ietf.org>; Wed, 13 Jun 2018 14:09:52 +0200
X-MDRemoteIP: 2001:470:1f09:495:c981:3ff8:ebcd:b22f
X-MDHelo: [10.10.10.129]
X-MDArrival-Date: Wed, 13 Jun 2018 14:09:52 +0200
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=17023f6860=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: v6ops@ietf.org
User-Agent: Microsoft-MacOutlook/10.e.0.180610
Date: Wed, 13 Jun 2018 14:09:50 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>, lencse@hit.bme.hu
CC: "v6ops@ietf.org WG" <v6ops@ietf.org>
Message-ID: <F39A8644-3950-4D01-92A0-A45A327A008B@consulintel.es>
Thread-Topic: [v6ops] Is 464XLAT really inferior to all other IPv6 transition technologies? -- Re: updating RFC8026 to support 464XLAT in draft-ietf-v6ops-transition-ipv4aas
References: <FEACFE5A-F2E6-4533-8602-C05F8A1FB59A@consulintel.es> <28C9E7B4-1D2F-4C65-A121-90E9AFB470AD@gmail.com> <CAHL_VyDc1iF7T4k3J1uQvDYUpxaRg7_eOqK6poV_cZ-NAFAEDQ@mail.gmail.com> <7B87AAA7-E5C5-498E-A41E-8927BC554F29@consulintel.es> <CAKD1Yr2HpJFvW3=CQQV6HVr6tOGSW=Kj5mpO-rLLrEEuPZ4vmg@mail.gmail.com> <966D347E-0A4F-4F51-90AB-03D178EF4CEB@consulintel.es> <CAKD1Yr3uSr-KJCOhTJvaf1xh4g7hOqwzxZSv7TNH5fB5Z1VigQ@mail.gmail.com> <C48F6BAD-84CE-4121-B862-218004A417D3@consulintel.es> <CAKD1Yr1_NeLyAmdAJitd=jUKeY0kW8qxV_9FWGCbNf1__ppecw@mail.gmail.com> <018DD24B-DD2F-4B31-A939-328173891F3E@consulintel.es> <CAKD1Yr1ohmb9BUV+KO2Ff+LJ1+pNwQ+-UJ6t7MmwY6PV3MLhyA@mail.gmail.com> <0F82C180-CE02-4DC1-88EE-5BB6CEC46F3C@consulintel.es> <CAKD1Yr1FVdWt446zq9mDec4fsCmN6K=M1MkK4FUWv=RBMQMrbQ@mail.gmail.com> <da095b32-3bb9-d2ec-dd41-e6e526cff83f@hit.bme.hu> <CAKD1Yr3ZbOLbsXFmZqa78ZJ9aaiFnCxAPUVOX26=VoqChA1g-A@mail.gmail.com>
In-Reply-To: <CAKD1Yr3ZbOLbsXFmZqa78ZJ9aaiFnCxAPUVOX26=VoqChA1g-A@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3611743790_1727464455"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/5EH90QrF4q4c_Yx_KK8YCnQ_i7U>
Subject: Re: [v6ops] Is 464XLAT really inferior to all other IPv6 transition technologies? -- Re: updating RFC8026 to support 464XLAT in draft-ietf-v6ops-transition-ipv4aas
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2018 12:10:12 -0000

This always depends on your perspective, network, user requirements, etc. Different operators have different requirements.

 

Here are a few disadvantages of 464xlat:

·         It consumes lots of state on the NAT64 (one state table entry for every connection). MAP is much better since it uses port ranges.

Some ISPs care less about state and care more about having a better usage of each IPv4 address and providing as many ports as the users need automatically.

With NAT64, you have for each user as many ports as they need, nothing “extra” to configure for each user. With MAP you pre-define a number of ports per user.

·         It doesn't allow any inbound connections unless the NAT cooperates. MAP is better in the sense that you can at least receive connections within your port range.

Some ISPs don’t want inbound connections to be statically managed by users, they offer different services with different prices, etc. I’m not saying I agree with that. Even do, you have ways to cooperate with the NAT64, PCP, etc., to do that. Even for corporate users you can mix that with SIIT-DC or alike functions.

Inbound connections in your port range is useless for most of the users, or apps or devices, because they don’t allow other ports, and yes, you can sometimes play tricks with the CPE port forwarding, etc., etc.

·         The transformation is lossy because there are IPv4 header fields that cannot be translated. MAP-E is better because the encapsulation preserves the original packet header.

None of the transition mechanisms can be perfect, except probably dual-stack, but we know we can’t do dual-stack for every possible network, because we don’t have sufficient addresses, right?

Now, this has been said many times, and I don’t necessarily agree initially, but I’ve started to change my mind in the last few years. ***We DON’T WANT a perfect transition mechanism.***

We want some apps to fail, so indirectly it forces to developers and content providers to move them to IPv6.

So, all them are imperfect in one way or another, but having a single one, is much better, from all the perspectives that having many. Developers will fix easier anything for a single mechanism than for many, everything will happen faster, and of course, since 464XLAT is the one with has more users worldwide, it makes sense to push for that one everywhere, because the problems that the app developers find in the cellular world, will be sorted out, so those apps will be fixed for both, cellular and non-cellular.

Also, an operator with both, cellular and non-cellular networks, is very interested to support a single mechanism instead of two or more. Even an operator without a cellular network, many times need to provide backup by means of LTE and that means hybrid routers with both wired and LTE interfaces. It is much simpler to have a single mechanism for both, because even the cellular network is not its own network, it can use the same NAT64 (or the same outsourced one for both kind of connections).

I was not a fan of 464XLAT initially when it was developed, but market make me change my mind.

In summary, it all depends on your perspective, but if our goal is to push as much as possible for a higher % of IPv6-only traffic, I’m convinced cellular networks, which are the ones with higher % of penetration and growth, clearly defined the path that we must follow. 

 

On Wed, Jun 13, 2018 at 6:12 PM Lencse Gábor <lencse@hit.bme.hu> wrote:

Dear Lorenzo,

I think it is a rather strong statement that "464XLAT is pretty much the worse of the transition mechanisms from a technical perspective."

We have listed 26+ IPv6 transition technologies in our workshop paper [1], but there are even more solutions exist. 

Which of them do you mean to be better than 464XLAT?

What technical points do you consider when stating that 464XLAT is worse than the others? (E.g. resource consumption, scalability, security, ease of implementation, etc.)

I think it is important for network operators to have a balanced view of the advantages and disadvantages of the different IPv6 transition mechanisms, this is why I am asking these questions.

Best regards,

Gábor Lencse


[1] G. Lencse and Y. Kadobayashi, "Survey of IPv6 Transition Technologies for Security Analysis", IEICE Communications Society Internet Architecture Workshop, Tokyo, Japan, Aug. 28, 2017, IEICE Tech. Rep., vol. 117, no. 187, pp. 19-24. Available online: http://www.hit.bme.hu/~lencse/publications/IEICE-IA-2017-survey.pdf

6/13/2018 9:38 AM keltezéssel, Lorenzo Colitti írta:

That goes back to my earlier point of that from a technical perspective 464xlat is pretty much the worst of the transition mechanisms.. I don't think we should be recommending running it on wireline at all, let alone prioritizing it over something else .:-)

 

On Wed, Jun 13, 2018 at 3:50 PM JORDI PALET MARTINEZ <jordi.palet=40consulintel.es@dmarc.ietf.org> wrote:

Lorenzo, you’re missing the key aspect: Being able to prioritize, when an ISP supports several transition mechanisms.

 

RFC8026 key aspect is priority. If we don’t add an option code for 464XLAT, then it can’t be managed the same way.


Regards,

Jordi

 

 

 

De: v6ops <v6ops-bounces@ietf.org> en nombre de Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Fecha: miércoles, 13 de junio de 2018, 4:45
Para: <jordi.palet=40consulintel.es@dmarc.ietf.org>
CC: "v6ops@ietf.org WG" <v6ops@ietf.org>
Asunto: Re: [v6ops] updating RFC8026 to support 464XLAT in draft-ietf-v6ops-transition-ipv4aas

 

On Tue, Jun 12, 2018 at 7:40 PM JORDI PALET MARTINEZ <jordi.palet=40consulintel..es@dmarc.ietf.org> wrote:

You don’t need RFC7050 neither DNS64, you can use PCP (RFC7225) to tell the CLAT the NAT64 prefix. It also provides additional advantages to the operator to control many related aspects (see section 3 of RFC7225).

 

1.       If the operator wants to enable 464xlat: they should hand out a DNS64 to the CPE.

2.       If the operator wants to disable 464xlat: they should NOT hand out a DNS64 to the CPE.

This doesn’t work, because the operator may be using RFC7225 instead of RFC7050. You need to try both in that case, and you aren’t providing a “priority” to a possible list of mechanisms, which is what RFC8026 does.

 

But it's the same problem again: what's the use case for this DHCPv6 option? An operator that's using RFC7225 has an easy way to tell the CPE not to do 464xlat: don't hand out the prefix64 to those CPEs. So this is already possible today.

  

3.       If the operator uses 464xlat, they should not allow the user to change the DNS server.

 

 

Let’s be realistic. You can’t “force” the customer to avoid changing the DNS …

 

On an operator-managed CPE, you can. On a user-managed CPE, you can't. But on such a CPE you probably shouldn't be disabling 464xlat. If the user wants to use it, it's their CPE, right?

_______________________________________________ v6ops mailing list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops 


**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.



_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
 

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops

_______________________________________________ v6ops mailing list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops 



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

v2.23.0 | Report a Bug | By Email