Re: [v6ops] draft-ietf-v6ops-ula-usage-recommendations - work or abandon?

Fernando Gont <fgont@si6networks.com> Wed, 11 November 2015 00:25 UTC

To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Lorenzo Colitti <lorenzo@google.com>
References: <D25D5920.C914E%Lee.Howard@twcable.com> <563B9D1E.4030606@umn.edu> <D261FE8E.CA1FB%Lee.Howard@twcable.com> <CAKD1Yr3jip0NBkDxg=MvgZXg0LMS+PtREDw2jSRx0xJLqHwhGQ@mail.gmail.com> <563C7C01.6010703@foobar.org> <CAKD1Yr1rKjkDhhuD9L=R_MJ+ofOAZ2Nt+5mszZKQxCh-kH4vqw@mail.gmail.com> <563FA84C.7030601@si6networks.com> <CAKD1Yr0F888Aw0opSigtC8HV6esUrE1JECKQ4gT737s+43ayfw@mail.gmail.com> <CAG6TeAs8ie=c0F8RMioBpemCw949Bf9c7ZTNvqgaZP=10rmNcQ@mail.gmail.com> <CAKD1Yr1EqbiGJ8EZo8E909zujUt49skcz1SNe8stEWfHnbUsTw@mail.gmail.com> <CAG6TeAsHMTyhbRrOenb1kA9XEDdOCBBbuN3ZGF3LJ=8ToyGtiQ@mail.gmail.com> <CAKD1Yr3RUc9FEw7VyJ=ENH_sJY85m1BESo77v_maShPvCkj6rA@mail.gmail.com> <CAG6TeAv9DPYUCsNG_vHCTOpwwJ8KdhjWeGE=-s6dEuMgaVHf1g@mail.gmail.com> <CAKD1Yr2VXVFareTk-J_+pcr_UW9Do-zf_uYcyjNW-MTPts6hRQ@mail.gmail.com> <CAG6TeAt2JJJmALy=pJFaojbnZrQRE0e0i-D=XtTce=rmbf08tQ@mail.gmail.com> <CAKD1Yr1H2HgxBNOZBrx-ttoB6z6caLAck3csF=ti6CDUzW57ng@mail.gmail.com> <D267B9E3.5DB8C%evyncke@cisco.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <56421508.10400@si6networks.com>
Date: Wed, 11 Nov 2015 01:02:16 +0900
In-Reply-To: <D267B9E3.5DB8C%evyncke@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/Ak3-Gmpq2AFADNWADLaaGBRUCbg>
Cc: IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-ula-usage-recommendations - work or abandon?

On 11/10/2015 11:13 PM, Eric Vyncke (evyncke) wrote:
> 
>         What you refer to has to do with the diode-firewall thing (which
>         is a side effect in NAT, and that folks are replicating in IPv6
>         by deploying a diode firewall where you currently have a NAT
>         box). Obviously, if your policy is that you don't want incoming
>         connections, and I have the same policy then, unfortunately, we
>         have to talk to a third party.
> 
>     Nope. It is much easier to establish a connection across a diode
>     firewall than to establish one across a NAT. In the former case, all
>     the endpoints need to do is send each other packets at about the
>     same time. In the latter, they need to implement NAT traversal via
>     relays.
> 
> It is only 'slightly' easier... Because guessing the TCP sequence number
> of the other party... Well good luck :-)

I guess that, at the very least, you need to be able to guess the ephemeral
ports? And, if you're able to do that, there's a flaw in there (see RFC
6056).

Bottom line is... we're talking about which pain is less pain :-)... and
the truth is that in most of such "pain" scenarios the aforementioned pain
reflects a policy of "I don't want to talk with anybody, unless it's me
the one starting the conversation" -- i.e., you shouldn't be doing it,
anyway.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
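As an added illustration of the RFC 6056 point made in the message above (this code is not part of the email or of any IETF document): the model below contrasts a global sequential ephemeral-port allocator, where the port a host used toward one peer reveals the next port it will use toward any other peer, with RFC 6056's Algorithm 3 ("Simple Hash-Based Port Selection"), where a keyed hash of (local IP, remote IP, remote port) offsets the shared counter so that sequences toward different peers are unrelated without the secret key. The choice of HMAC-SHA256 as the RFC's F() function, the 2001:db8::/32 addresses and the helper `observer_predicts_next` are constructed assumptions for the demo.

```python
"""Ephemeral port selection: global sequential counter vs RFC 6056 Algorithm 3."""
import hashlib
import hmac
import os

MIN_EPHEMERAL = 1024
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


class SequentialPortSelector:
    """The predictable scheme RFC 6056 warns about: a single global counter,
    so the port used toward one peer reveals the next port used toward any other."""

    def __init__(self, start=0):
        self.counter = start

    def select(self, local_ip, remote_ip, remote_port, in_use):
        # Destination is ignored: every connection just takes the next port.
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + self.counter % NUM_EPHEMERAL
            self.counter += 1
            if port not in in_use:
                return port
        raise RuntimeError("no free ephemeral port")


class HashedPortSelector:
    """RFC 6056 Algorithm 3: one global counter, but the starting point into the
    ephemeral range is offset by F(local_ip, remote_ip, remote_port, secret_key).
    Ports toward one peer remain consecutive (good for reuse behaviour), while
    ports toward different peers are unrelated to an observer without the key."""

    def __init__(self, secret_key=None, start=None):
        # A real stack generates the key at boot; here it is a constructed random value.
        self.secret_key = secret_key if secret_key is not None else os.urandom(32)
        # RFC 6056 permits the counter to be initialised randomly.
        self.next_ephemeral = start if start is not None else int.from_bytes(os.urandom(2), "big")

    def offset(self, local_ip, remote_ip, remote_port):
        # F() from RFC 6056; assumption for this demo: HMAC-SHA256 truncated to 32 bits.
        msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
        digest = hmac.new(self.secret_key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def select(self, local_ip, remote_ip, remote_port, in_use):
        offset = self.offset(local_ip, remote_ip, remote_port)
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (self.next_ephemeral + offset) % NUM_EPHEMERAL
            self.next_ephemeral += 1
            if port not in in_use:
                return port
        raise RuntimeError("no free ephemeral port")


def observer_predicts_next(selector, local_ip, seen_peer, target_peer):
    """Model the guess a remote party would have to make: having observed the
    port our host used toward `seen_peer`, predict the port it will use toward
    `target_peer` as 'the observed port plus one'. Returns True if the guess is right."""
    in_use = set()
    observed = selector.select(local_ip, seen_peer[0], seen_peer[1], in_use)
    in_use.add(observed)
    guess = MIN_EPHEMERAL + (observed - MIN_EPHEMERAL + 1) % NUM_EPHEMERAL
    actual = selector.select(local_ip, target_peer[0], target_peer[1], in_use)
    return guess == actual


if __name__ == "__main__":
    # Constructed sample peers (documentation prefix 2001:db8::/32).
    me, peer_a, peer_b = "2001:db8::1", ("2001:db8::a", 443), ("2001:db8::b", 443)
    print("sequential allocator predictable:", observer_predicts_next(SequentialPortSelector(), me, peer_a, peer_b))
    print("RFC 6056 Algorithm 3 predictable:", observer_predicts_next(HashedPortSelector(), me, peer_a, peer_b))
```

Running it prints `True` for the sequential allocator and, for all but a roughly 1-in-64512 chance of a key-dependent collision of the two offsets, `False` for the hash-based one; the ports a host hands out toward a single peer are still consecutive, which is the property Algorithm 3 keeps for the sake of port reuse.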