[v6ops] comments on draft-ietf-v6ops-nat64-experience
Lee Howard <Lee@asgard.org> Fri, 01 November 2013 19:41 UTC
Return-Path: <Lee@asgard.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C22CA21E80DE for <v6ops@ietfa.amsl.com>; Fri, 1 Nov 2013 12:41:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.071
X-Spam-Level: *
X-Spam-Status: No, score=1.071 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DATE_IN_PAST_06_12=1.069, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gqk7rT7DkYyb for <v6ops@ietfa.amsl.com>; Fri, 1 Nov 2013 12:41:25 -0700 (PDT)
Received: from atl4mhob17.myregisteredsite.com (atl4mhob17.myregisteredsite.com [209.17.115.57]) by ietfa.amsl.com (Postfix) with ESMTP id 3C5CC11E817A for <v6ops@ietf.org>; Fri, 1 Nov 2013 12:41:20 -0700 (PDT)
Received: from mailpod.hostingplatform.com ([10.30.71.203]) by atl4mhob17.myregisteredsite.com (8.14.4/8.14.4) with ESMTP id rA1JfHDS010596 for <v6ops@ietf.org>; Fri, 1 Nov 2013 15:41:17 -0400
Received: (qmail 28084 invoked by uid 0); 1 Nov 2013 19:41:17 -0000
X-TCPREMOTEIP: 65.114.90.17
X-Authenticated-UID: lee@asgard.org
Received: from unknown (HELO ?172.26.29.84?) (lee@asgard.org@65.114.90.17) by 0 with ESMTPA; 1 Nov 2013 19:41:15 -0000
User-Agent: Microsoft-MacOutlook/14.3.8.130913
Date: Fri, 01 Nov 2013 14:41:15 +0200
From: Lee Howard <Lee@asgard.org>
To: 'IPv6 Operations' <v6ops@ietf.org>
Message-ID: <CE996E0B.35417%Lee@asgard.org>
Thread-Topic: comments on draft-ietf-v6ops-nat64-experience
Mime-version: 1.0
Content-type: multipart/mixed; boundary="B_3466161678_9595586"
Subject: [v6ops] comments on draft-ietf-v6ops-nat64-experience
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2013 19:41:29 -0000
Please define the acronym NAT64-FE. "Front End"? "Functional Equivalent"? "Fire Engine"? Clarify this sentence: Some failure cases may be occurred once NAT64 serves a IPv6 gateway while is configured only with IPv4 on WAN links. What is an "IPv6 gateway"? Is that "IPv4 on WAN links" on the gateway, or on the NAT64 server? I can't quite picture the topology being described in this example. I'm not sure you've made this point: It's desirable to find the solutions that will allow introducing IPv6/IPv4 translation service to IPv6-only hosts while keeping dual-stack hosts unaffected and IPv4 service unchanged. I think what you want to say is that it's preferable to have at least one address family accessible via native service, when possible. If you want to say that IPv4 service should remain unchanged, and that IPv6 hosts should use NAT64, I would not agree with that. I don't think that's consistent with the rest of the draft, either. Since this section is about the coexistence of NAT44 and NAT64, and the previous sentence is how hard it is to troubleshoot, maybe you want to say more about how to find the solutions that will facilitate the best network. That might mean having both, but upgrading hosts aggressively to support IPv6-only, and making sure native IPv6 was available. I'm not sure where you want to put it, but another NAT64-FE consideration is the use of x-forwarded-for header. A load balancer using an IPv4 VIP may be used to sending an IPv4 x-forwarded-for. A front-end server used to that has no problem, but the server, logs, or log parsing tools (rDNS looking, whois) may be affected by seeing an IPv6 address when they're used to seeing IPv4. This is related, but not the same, as the geo-location issue. I don't like the use of IPv6 subdomains beyond the testing phase. Nobody will ever see it; you might as well not have a AAAA if you're only going to public ipv6.example.com. It's fine to recommend it for testing, but when ready for production, the same name should be available over A and AAAA, and let the client choose the address family. Section 4.1 is an excellent discussion of the pros and cons of each mode, with supporting data. It would be good to have a sense of the scale of sync data for hot standby instances. Section 5.1 needs some paragraph breaks. Use of XFF header for geo-location would work if the server could parse the original address out of the XFF header. "Geo-location based on shared IPv4 address is rather inaccurate in that case." Depending on the geographic range of the NAT64. A NAT64-CGN covering a university or apartment complex, or even a small one covering a neighborhood, may provide as much detail as in the old days. I think the detail in Section 6.1 is pretty light. I would expect that the same things documented as problems in rfc7021 are also problematic in NAT64-CGN. These sentences: Operators may consider to add additional site-specific rows to the default table to steer traffic flows going through NAT64-CGN. However, it involves significant costs to change terminal's behavior. I think you mean that operators might consider making changes to host (client) behavior, but I wasn't clear on the first couple of readings whether we were talking about host address selection or routing somehow. Based on the above, I think this document needs another rewrite, but is good. Lee