IETF Logo Mail Archive

Re: [v6ops] Operational Consensus on deployment

Philip Homburg <pch-v6ops-3@u-1.phicoh.com> Tue, 05 August 2014 19:22 UTC

Return-Path: <pch-bBB316E3E@u-1.phicoh.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 415631A01FA for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 12:22:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.2
X-Spam-Level:
X-Spam-Status: No, score=-6.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BoowXL0N706m for <v6ops@ietfa.amsl.com>; Tue, 5 Aug 2014 12:22:17 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [130.37.15.35]) by ietfa.amsl.com (Postfix) with ESMTP id DC44D1A0167 for <v6ops@ietf.org>; Tue, 5 Aug 2014 12:22:16 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (Smail #91) id m1XEkJJ-0000BuC; Tue, 5 Aug 2014 21:22:13 +0200
Message-Id: <m1XEkJJ-0000BuC@stereo.hq.phicoh.net>
To: Tore Anderson <tore@fud.no>
From: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
Sender: pch-bBB316E3E@u-1.phicoh.com
References: <256EAE0B-5C11-42C7-BCA1-CEC7EE6713A7@cisco.com> <53DFD634.4020304@fud.no> <DE860EBC-171E-46E7-A3B6-5E8B79A453CC@cisco.com> <53DFEC6C.3010707@gmail.com> <CAD6AjGRUWxT5XiNxMi_S5VgYtGMLb_FVHXN-ZfGpcY=geix15g@mail.gmail.com> <53E06AC9.9010908@fud.no> <4F7D76F6-BD81-453B-94DC-A3C3DFF68505@delong.com> <8600C096-37D0-4651-92C1-BCFDBA674433@nominum.com> <CAD6AjGTBfyT-zNDJtBKCNtRxd=Hi07678Sr_-HgSGYbjAiF3Tg@mail.gmail.com> <C5281716-DC04-42E6-AC82-0D53E5DA0284@nominum.com> <53E1236A.605@fud.no>
In-reply-to: Your message of "Tue, 05 Aug 2014 20:33:14 +0200 ." <53E1236A.605@fud.no>
Date: Tue, 05 Aug 2014 21:22:10 +0200
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/RPxvFYIkz0vaCvPmZj4rzVKx-t0
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] Operational Consensus on deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 19:22:20 -0000

In your letter dated Tue, 05 Aug 2014 20:33:14 +0200 you wrote:
>The dual stack transition has indeed already failed. If you're located
>in Europe, Asia, or Latin America, chances are that you simply cannot
>obtain the IPv4 addresses you need to run dual stack. North America
>should be in the same situation shortly.

If dual stack implies no NAT anywhere what is then the correct term for
NAT44 or NAT444 along with native IPv6?

Just curious. I would call that dual stack. But you don't appearently.

>As for additional help needed, well, I'm trying to put my money where my
>mouth is and coming up with a solution to these problems - you could
>help by reviewing my drafts. :-) The solution works, there is already
>running open-source code, so rough consensus is all that's missing...

My gut feeling is that translating IPv4 packets to IPv6 or vise versa is
bad idea. Some thing will come up to make your life miserable. In some
sense it is very similar to tunneling.

I think it is safe to say that in your model you have enough public IPv4
address to run your services. What your proposal eliminates is the need
for internal IPv4 addresses.

The question is then, why not simply run on RFC-1918 addresses internally?
Afterall, usually the goal is to provide IPv4 services. 

Maybe our setup is unique, but we have quite a few servers in remote
data centers that need to access internal servers. What we do is have
ACLs in the firewalls to only allow the addresses we know about and keep
the rest of the Internet out.

In your model, any IPv4 address in a remote data center would either have to
translated to an IPv6 address (which of course nobody recognizes) or we
need an IPv4 firewall infront of the SIIT Gateway. Leaving the dual ACL
problem in place.

If I look at our system, if we would just drop IPv4 support for all internal
communication then we would probably see a similar reduction in complexity.
Leaving only the communication between the load balancer and the actual
web front-ends as something that could be moved to IPv6.

v2.23.0 | Report a Bug | By Email