Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

Lorenzo Colitti <lorenzo@google.com> Mon, 12 August 2013 05:42 UTC

In-Reply-To: <CA6D42D0F8A41948AEB3864480C554F104AE7A3F@xmb-rcd-x10.cisco.com>
References: <201308041800.r74I03pC023049@irp-view13.cisco.com> <3374_1375690984_51FF60E8_3374_427_1_983A1D8DA0DA5F4EB747BF34CBEE5CD15C5041E1E5@PUEXCB1C.nanterre.francetelecom.fr> <8C48B86A895913448548E6D15DA7553B96E2C5@xmb-rcd-x09.cisco.com> <CAKD1Yr13GK_cuvkt2LpJ1qJo2NR8eUnY-xfwMF_zWfe0P1mm9g@mail.gmail.com> <8C48B86A895913448548E6D15DA7553B96EAE7@xmb-rcd-x09.cisco.com> <CAKD1Yr2_d=4uD1W4WcQ82rupjVJ4UmmQAQmtSY+aQgTXmscNUw@mail.gmail.com> <97EB7536A2B2C549846804BBF3FD47E113128FA2@xmb-aln-x02.cisco.com> <CA6D42D0F8A41948AEB3864480C554F104AE7A3F@xmb-rcd-x10.cisco.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Mon, 12 Aug 2013 14:34:41 +0900
Message-ID: <CAKD1Yr2T4qhkwn+owX-VvfcgfxrCRZASHh6YeVZ+CjehhDMJVw@mail.gmail.com>
To: "Arie Vayner (avayner)" <avayner@cisco.com>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

On Fri, Aug 9, 2013 at 2:21 PM, Arie Vayner (avayner) <avayner@cisco.com> wrote:

>  Many enterprises rely on NAT on the Internet edge as their
> multi-homing/traffic engineering mechanism with IPv4.
>
> If we recommend against ULA+NPTv6 (or just NPTv6 for traffic engineering),
> then we need to highlight the symmetry requirement due to stateful security
> layers.
>
> Traffic leaving from an Internet gateway site to the Internet has to come
> back through the same site, or the stateful firewalls would break the flow
> (well, has to hit the same stateful security layer).
>

By itself, NPTv6 doesn't protect against this problem because it's not
stateful. It only protects against this problem if each egress point is
only reachable using one prefix (which is not a requirement for doing NPTv6
- you could just as well do it by configuring all the exit points to
use the same prefix, or to use all prefixes from all exit points).

What does protect you against this is using source+destination routing,
which is what this draft should recommend instead of recommending NPTv6.
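The argument above can be checked with a small model. The following is an added example, not code from the thread or from the draft: it assumes a constructed topology of two Internet exits (A and B), each announcing its own provider-assigned /48 from the RFC 3849 documentation space and each fronted by its own stateful firewall, plus a remote server on the Internet. The Internet is modelled as routing purely on the destination address, and NPTv6 is reduced to a prefix rewrite (the RFC 6296 checksum-neutral adjustment is omitted because it does not affect which exit the reply reaches). The four scenario functions show that NPTv6 keeps the path symmetric only when each exit can translate into exactly one prefix, and that choosing the exit from the packet's source prefix keeps it symmetric without any translation at all.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the thread): two exits, each with
# its own PA /48 and its own stateful firewall.  RFC 3849 documentation space.
PREFIX_A = ipaddress.ip_network("2001:db8:a::/48")   # announced only by exit A
PREFIX_B = ipaddress.ip_network("2001:db8:b::/48")   # announced only by exit B
ULA = ipaddress.ip_network("fd00:1234::/48")          # internal ULA when NPTv6 is used
REMOTE = ipaddress.ip_address("2001:db8:ffff::80")    # a server on the Internet


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    sport: int
    dport: int

    def reply(self):
        """The packet the remote server sends back (4-tuple reversed)."""
        return Packet(self.dst, self.src, self.dport, self.sport)


class Exit:
    """An Internet gateway: the PA prefix it announces plus a stateful firewall
    that admits an inbound packet only if it matches a flow that left here."""

    def __init__(self, name, prefix):
        self.name, self.prefix = name, prefix
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))

    def inbound(self, pkt):
        return (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows


def nptv6(addr, inside, outside):
    """Prefix rewrite in the style of RFC 6296, simplified: the checksum-neutral
    adjustment is left out since it does not change where the reply is routed."""
    host_bits = int(addr) & ((1 << (128 - inside.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(outside.network_address) | host_bits)


def internet_returns_via(pkt, exits):
    """The Internet routes on destination only: the reply lands on whichever
    exit announces the covering prefix, regardless of where the flow left."""
    return next(e for e in exits if pkt.dst in e.prefix)


def round_trip(out_exit, pkt, exits):
    """Send pkt out through out_exit; report whether the firewall at the exit
    the Internet returns the reply to still accepts it."""
    out_exit.outbound(pkt)
    reply = pkt.reply()
    return internet_returns_via(reply, exits).inbound(reply)


def new_site():
    a, b = Exit("A", PREFIX_A), Exit("B", PREFIX_B)
    return a, b, [a, b]


def nptv6_one_prefix_per_exit():
    """Exit A may only translate into PREFIX_A, so the reply must come back
    through A: symmetric, the firewall has state."""
    a, _, exits = new_site()
    outer = Packet(nptv6(ULA[1], ULA, PREFIX_A), REMOTE, 40000, 443)
    return round_trip(a, outer, exits)


def nptv6_any_prefix_at_any_exit():
    """Every exit may translate into every prefix: the flow leaves via A wearing
    PREFIX_B, the reply arrives at B, which never saw the flow."""
    a, _, exits = new_site()
    outer = Packet(nptv6(ULA[1], ULA, PREFIX_B), REMOTE, 40000, 443)
    return round_trip(a, outer, exits)


def pa_destination_only_routing():
    """No translation: the host uses a PREFIX_B address, but the internal
    default route (destination-based, nearest exit) sends it out via A."""
    a, _, exits = new_site()
    return round_trip(a, Packet(PREFIX_B[1], REMOTE, 40000, 443), exits)


def choose_exit_by_source(pkt, exits):
    """Source+destination routing: pick the exit announcing the source prefix,
    falling back to the first (default) exit for anything else."""
    return next((e for e in exits if pkt.src in e.prefix), exits[0])


def pa_source_destination_routing():
    """Same host and address, but the exit is chosen from the source prefix,
    so the reply returns to the firewall that holds the state."""
    _, _, exits = new_site()
    pkt = Packet(PREFIX_B[1], REMOTE, 40000, 443)
    return round_trip(choose_exit_by_source(pkt, exits), pkt, exits)
```

On a Linux router the `choose_exit_by_source` decision is what policy routing expresses: a rule such as `ip -6 rule add from 2001:db8:b::/48 lookup 200` combined with a default route in table 200 that points at exit B, and the equivalent rule and table for the PREFIX_A side.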