IETF Logo Mail Archive

Re: [v6ops] The need for local-ipv4 socket transition solutions -- NAT64/DNS64 remains insufficient

"Fred Baker (fred)" <fred@cisco.com> Sat, 28 March 2015 13:34 UTC

Return-Path: <fred@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A73C81A8794 for <v6ops@ietfa.amsl.com>; Sat, 28 Mar 2015 06:34:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -112.61
X-Spam-Level:
X-Spam-Status: No, score=-112.61 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m5pcYm1CNO1Z for <v6ops@ietfa.amsl.com>; Sat, 28 Mar 2015 06:34:40 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9FCF1A878B for <v6ops@ietf.org>; Sat, 28 Mar 2015 06:34:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8133; q=dns/txt; s=iport; t=1427549679; x=1428759279; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=S0x1I2WjKx9+Z5hUtc4WoaiPh/UijtBSMCe4pDINTDo=; b=HEKEFwVzY0Br8H5WK6H817YUJsKKb4pItI9x0NikzMUtdxsRaU/bPTSW Bh3kSNWAy/kt4yid+9eanMQQEQpzGKiFrj0XyTDwDigcYIJV9QpEOiviY A2P4vfsw5t+yPmBZcTohAc5C4uGgMixqm/JZKBUTn9oFzfx7EmjeWHoRM Y=;
X-Files: signature.asc : 487
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ANBQDAqxZV/4sNJK1cgkNDgS4Egw/ILQKBKUwBAQEBAQF9hBQBAQEDASNWBQsCAQgYIwcCAjIlAgQOBQ4NiAwIsjOZWQEBAQEBAQEBAQEBAQEBAQEBAQEBAReLKYR4B4JoL4EWBZBcgWuBMoJ6g12BHI9Rg0giggIcFIE8b4FEfwEBAQ
X-IronPort-AV: E=Sophos;i="5.11,484,1422921600"; d="asc'?scan'208,217";a="136232745"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by alln-iport-5.cisco.com with ESMTP; 28 Mar 2015 13:27:37 +0000
Received: from xhc-rcd-x13.cisco.com (xhc-rcd-x13.cisco.com [173.37.183.87]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id t2SDRb3D009839 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 28 Mar 2015 13:27:37 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.149]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.03.0195.001; Sat, 28 Mar 2015 08:27:36 -0500
From: "Fred Baker (fred)" <fred@cisco.com>
To: Lorenzo Colitti <lorenzo@google.com>
Thread-Topic: [v6ops] The need for local-ipv4 socket transition solutions -- NAT64/DNS64 remains insufficient
Thread-Index: AQHQaVr0o1LCFyMFfEeH4Ad9ZBE/xg==
Date: Sat, 28 Mar 2015 13:27:36 +0000
Message-ID: <25CE7ECC-A27E-47F7-9DA0-9A11F4DC543E@cisco.com>
References: <CAD6AjGT-hG-uvRQvRosrZtfrf0Nb8ne9jy=tD9oh=5zNM42Xsg@mail.gmail.com> <alpine.DEB.2.02.1503200639340.20507@uplift.swm.pp.se> <20150320134204.32af9c67@echo.ms.redpill-linpro.com> <A0BB7AD89EA705449C486BDB5FDCBC7B28518DD8@OPE10MB06.tp.gk.corp.tepenet> <550F1F1F.3060703@cernet.edu.cn> <CAD6AjGSxk-Hrf_NBOjpV-jvraG+xSA4p1j-AO+FQFcVGzuf1Lg@mail.gmail.com> <CAKD1Yr3ywVy_00GYuw4Eq6cW_ZeL16bxpquaWWDMgSz44LagAg@mail.gmail.com> <CAD6AjGS-QMi+3oVGWDxnSMhEJH=VymwcF=PwKLdwFRxwHpp_-Q@mail.gmail.com> <CAKD1Yr3Fhnx3XaXouK57gupGOzodKGb0quhQxaf76NjWxSp3WA@mail.gmail.com> <CADhXe51MUB-czeCtpc63E0cHPpb_39Vv0o2Y57EVU2w_makP5Q@mail.gmail.com> <CAKD1Yr2vvYe+=s2CFsVHMer96UNO_deOc2Na2F9CrXr1jbAj6A@mail.gmail.com>
In-Reply-To: <CAKD1Yr2vvYe+=s2CFsVHMer96UNO_deOc2Na2F9CrXr1jbAj6A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.89.0.121]
Content-Type: multipart/signed; boundary="Apple-Mail=_8A615676-60B6-4A45-96C1-74E4CB584F5A"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/mJUWtJ6bzqSn-B4n99PMmGe63FM>
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] The need for local-ipv4 socket transition solutions -- NAT64/DNS64 remains insufficient
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Mar 2015 13:34:41 -0000

> On Mar 24, 2015, at 10:26 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
> 
> I'm not sure that's true. We have four scenarios, in order of decreasing incentives (from 100% to 0%) to write IPv4-only code:
> IPv4-only device
> Dual-stack device (native IPv6 and NAT44 or NAT444)
> IPv6-only device with "compatibility quality" IPv4 (e.g., 464xlat).
> IPv6-only device
> Based on personal experience, I know that #3 provides less incentives to write IPv4-only code than #2. I've heard developers say multiple times, "Double NAT and 464xlat? (i.e., #3.) Man, that sounds pretty flaky, and high latency too. What do I need to do to fix my code to support IPv6?" In contrast, #2 is seen as, "well, we still have IPv4 right? So we can just continue to use it. You say IPv6 has no NAT? But we deal with NAT today, and it works fine..."
> I think the real discussion here is whether going from #2 to #4 without passing through #3 is possible at all. If you believe that it's possible, then #2 makes sense. If you believe it's not possible, then the only thing that makes sense is to do #3 ASAP.

From my perspective, I would agree. That said, when dual stack was proposed, I think your #2 and #3 would have both been called “dual stack”; I know Tony Hain saw it coming and commented (negatively) on it. But the choices, from the perspective then, were IPv4 (your #1), IPv4+IPv6 (#2+#3), and IPv6 (#4).

From an evangelistic perspective, I think we’re past the time that telling people NAT is bad. I have been telling people how much money it takes to deploy an application that has to traverse one. Client-Server applications aren’t too hard if the server is on the public side of the NAT, which most are. If you have to cross the NAT from the outside, you have to have one pf three things:
1) persistent presence on the outside that things on the inside can connect to and have their sessions co-opted by the incoming call,
2) something akin to RSIP, or
3) application-specific ALG support in the middleware.

The first takes money, the second takes a standard that ADM providers can find in open source software, and the third takes convincing ODM providers and/or your corporate IT department.

And having IPv6 on bypasses all that.

Yes, I think we have to get to a point in which people that authorize monetary expenditures believe that an IPv6 network works better. We’re going to have to go through a phase in which IPv4 works worse, as perceived by the person using it.

v2.23.0 | Report a Bug | By Email