IETF Logo Mail Archive

Re: [v6ops] draft-palet-v6ops-nat64-deployment discussion

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Tue, 29 May 2018 20:27 UTC

Return-Path: <prvs=168717744b=jordi.palet@consulintel.es>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96FDE12FACA for <v6ops@ietfa.amsl.com>; Tue, 29 May 2018 13:27:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0tkobhc1bbl for <v6ops@ietfa.amsl.com>; Tue, 29 May 2018 13:27:12 -0700 (PDT)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA89A12FACE for <v6ops@ietf.org>; Tue, 29 May 2018 13:27:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1527625629; x=1528230429; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:Message-ID:Thread-Topic:References:In-Reply-To: Mime-version:Content-type:Content-transfer-encoding; bh=b6wEnniL rHOVpm8Z03F5dudG2VqnqmOT+CzkQzWtZkY=; b=r8dZXdfJ8STHj2okqi3wxSCn mJRdfuccxlaYgQBw+WOGzGjeCLo9Ku8rRUDds1RKMdNJ+RRpgOalmkHPtyWKPLih mAx86s8PqWeZpoXqcLjvbIUTXj0rDySan7saLMn8JRUNfvxZcDICbxI5zxMjnlmQ G9YIB+hTwnCZMBGj7c0=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Tue, 29 May 2018 22:27:09 +0200
X-Spam-Processed: mail.consulintel.es, Tue, 29 May 2018 22:27:08 +0200
Received: from [10.10.10.129] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50005778974.msg for <v6ops@ietf.org>; Tue, 29 May 2018 22:27:07 +0200
X-MDRemoteIP: 2001:470:1f09:495:7d90:7c58:9f18:46a9
X-MDHelo: [10.10.10.129]
X-MDArrival-Date: Tue, 29 May 2018 22:27:07 +0200
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=168717744b=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: v6ops@ietf.org
User-Agent: Microsoft-MacOutlook/10.d.1.180523
Date: Tue, 29 May 2018 22:26:48 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: Andrew Sullivan <ajs@anvilwalrusden.com>, v6ops@ietf.org
Message-ID: <DE14B100-4157-4670-AE8A-5FED67212D66@consulintel.es>
Thread-Topic: [v6ops] draft-palet-v6ops-nat64-deployment discussion
References: <C9183F53-FF89-4FA2-9787-B238A5BCA21F@gmail.com> <20180529175709.GI19425@mx4.yitter.info> <2D818599-B204-4F0E-9C49-CFCD9636654F@consulintel.es> <20180529193736.GA8084@mx4.yitter.info>
In-Reply-To: <20180529193736.GA8084@mx4.yitter.info>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/WuRTRDelkLkUZC0ZpmBdfWuivHs>
Subject: Re: [v6ops] draft-palet-v6ops-nat64-deployment discussion
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2018 20:27:27 -0000

Thanks again for your detailed responses. I will work in the next few days in a very in-depth review, this has been very helpful.

See below, in-line.

Regards,
Jordi
 
 

-----Mensaje original-----
De: v6ops <v6ops-bounces@ietf.org> en nombre de Andrew Sullivan <ajs@anvilwalrusden.com>
Fecha: martes, 29 de mayo de 2018, 21:38
Para: <v6ops@ietf.org>
Asunto: Re: [v6ops] draft-palet-v6ops-nat64-deployment discussion

    Hi,
    
    On Tue, May 29, 2018 at 08:27:29PM +0200, JORDI PALET MARTINEZ wrote:
    
    > I understand your point that NAT64 was meant to be "imperfect", but this is something that is not valid for operators. Operators need to support existing customers with existing devices and apps, that only have IPv4 support, and this is only possible with NAT64 + CLAT.
    > 
    
    Obviously, operators have customers and need to support whatever they
    need to support.  It appears that there are people who are using
    464XLAT with DNS64 where that works for them.  I certainly have no
    trouble with something that wants to outline (for instance) how one
    would make a determination about whether anyone downstream is doing
    their own validation.  What I think is wrong here is a generic claim
    that one or another approach is the only right answer, because the
    CLAT in many cases requires more translation (which means more
    overhead and more work that the operator has to do).

I see your point. The question is the operators want to avoid, at all means, user complains, so if you want to make it "perfect", you may prefer more translations, but not breaking DNSSEC. Anyway, I will try to find a way to suggest that you need to determine in your own case if DNSSEC is going to be a problem for your customers and possible alternatives such ACL for specific customers, etc.
    
    > Also, most of the actual usages of 464XLAT are still using DNS64 (except a few like Orange in Poland if I recall correctly), so the point is to explain that you can also solve the DNSSEC issue, when using CLAT (not using DNS64), etc.
    > 
    
    Well, you can indeed.  I think there is nothing wrong with making this
    point, but the document as it is appears to be suggesting that the
    trade-off is not clear in DNS64.  I think RFC 6147 is crystal clear
    about it, so I don't get why this document (which has a much less
    comprehensive treatment of what fails and why) is an improvement.
    
    > So, the goal of the document is to find what is the "best" possible
    > way to deploy NAT64, which in my opinion, in the real world is by
    > using it combined with CLAT.
     
    I don't observe that the document is called "Jordi's opinion on best
    NAT64 deployment scenarios".  If the WG is supposed to work on this,
    then I think it would be better to outline the various trade-offs and
    allow people to make their own choices, fully informed.

Your review is the first "complete" one. A couple of people provided inputs in specific sections ...

Definitively I'm going to work in a new version carefully observing all your inputs. Thanks again. I wish having so many inputs in every document that we have in v6ops, but unfortunately is not happening.
    
    > Of course, Section 3.1 (now 4.1 in v1) is not a credible case, but I
    > wanted to do the exercise of looking into all possible cases, just
    > to make sure that somebody using the document see what is possible
    > and what is not, instead of making the exercise by themselves.
    
    I see.  Such a section could be massively improved, then, by calling
    out the scenarios that are known not to work, that are broken on
    purpose, and so on.  At the moment, it reads as though these
    alternatives are all live possibilities, but some of them simply
    aren't, were never intended to be, and are not a real problem anyone
    should have.

Right, I will clasify them in different "sub-sections" to make it very clear. Probably will use some tables to make a summary.
    
    > What I disagree with you is in your comment that anyone who is willing to deploy (let's concentrate in) 464XLAT, will do DNS64 too. This is actually not needed in that case.
    > 
    
    I think what I said is that they're going to _be able_ to, not that
    they would.  I do not claim that DNS64 ought to be deployed by anyone.
    It's just a mechanism that is available if it happens to fit a need,
    and each network operator needs to evaluate that.  I claim that the
    I-D as written doesn't actually help people do such an evaluation, and
    that in fact it leaves out some of the necessary analysis.
    
    > Maybe if you see the point that an operator will not be able to provide services without the CLAT, you have a better understanding on the document now.
    > 
    
    It's simply false that an operator will not be able to provide service
    without the CLAT, but it is true that _some_ operators will find such
    a service inadequate.  I believe that's why 464XLAT was invented, in
    fact.  
    
    > Would you agree that if an operator deploying IPv6-only access want to make sure that the customers using some IPv4-only devices work fine, the only way is using NAT64+CLAT, and that using NAT64+DNS64 will not work?
    > 
    
    No.  But I believe that there are operators for whom that will be
    true.  I also believe there are operators for whom 464XLAT with DNS64
    is a viable and useful option in some scenarios, particularly having
    to do with the costs of double translation.  I'm not opposed to a
    document that attempts to lay out the trade-offs.  I am very much
    opposed to a document that attempts to say there's only one way that
    works, because it isn't true.  Indeed, for some values of "works",
    _none_ of this qualifies, and the only real answer is native ipv6.

I didn't write correctly the best example for you to answer this question. Basically, what I wanted to ask is NAT64+DNS64 vs NAT64+DNS64+CLAT.
    
    Best regards,
    
    A
    
    -- 
    Andrew Sullivan
    ajs@anvilwalrusden.com
    
    _______________________________________________
    v6ops mailing list
    v6ops@ietf.org
    https://www.ietf.org/mailman/listinfo/v6ops
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

v2.23.0 | Report a Bug | By Email