Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

["Eric Vyncke (evyncke)" <evyncke@cisco.com>]

In short, the debate is not so much about ULA per se (we all know that there are obvious cases - even if rare - where ULA is the obvious choice) but about NPTv6 ;-O What a surprise...

I dislike NAT (especially the n:1 stateful one) even more when it is assumed to add security (cough cough).

But, during my day job I talk to enterprise customers (from small SMB with 3 people - friends and acquaintance - to 1000 people) and to be honest ULA (and I am ashamed to add NPT6 to the mix) is really what they want and I can understand why:

-       Having the internal network up when DHCP-PD is failing because WAN link is down (at least they keep ULA and loose only their GUA), this should be mentioned in our I-D

-       Having a simple and cheap way to do multi-homing, search about multi-homing, load-balancing, ... for SMB and those boxes uses RFC 1918 inside + NAT towards two ISP or two links (xDSL & 4G)... Not all SMB will get a PI space and will run BGP.

In short, I am probably the only co-author, that do not want to hide the topic under the carpet of another I-D. We could mention the above points (and others) without taking decisions but referring to the ULA use case I-D. But, we should mention that there are use case where ULA _APPEARS_ as appealing.

-éric (and YES I dislike NAPT for breaking apps, and making security worse)

From: v6ops-bounces@ietf.org [mailto:v6ops-bounces@ietf.org] On Behalf Of Lorenzo Colitti
Sent: mardi 6 août 2013 04:03
To: Fred Baker (fred)
Cc: v6ops@ietf.org
Subject: Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

On Tue, Aug 6, 2013 at 8:27 AM, Fred Baker (fred) <fred@cisco.com<mailto:fred@cisco.com>> wrote:
> NAT creates problems for applications not only in the stateful case, but in the stateless case as well, because with NAT the client must be prepared for a situation where it does not know its own address. This complicates peer-to-peer networking applications such as video chat.
I'm not going to argue one way or the other. The substance of my comment related to an address that was not intended to be globally reachable. our thought there?

But if it's not indended to be globally reachable... then why is it behind a NPTv6 box? I'd argue is that it *does* need to be globally reachable, but "only for certain traffic". For example, "TCP/443 replies from the Windows Update server".

The point is that when people say, "X will never do Y" sometimes it turns out that "never" just means "in the next six months", and what ends up happening is that they need to deal with additional complexity once Y becomes a requirement.