Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 13 August 2013 15:29 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Lorenzo Colitti <lorenzo@google.com>, "Arie Vayner (avayner)" <avayner@cisco.com>
Date: Tue, 13 Aug 2013 15:28:38 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E113130B0A@xmb-aln-x02.cisco.com>
In-Reply-To: <CAKD1Yr2T4qhkwn+owX-VvfcgfxrCRZASHh6YeVZ+CjehhDMJVw@mail.gmail.com>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

Lorenzo

I agree that source+destination routing solves it in an elegant way... but how many implementations are there besides the demo at the IETF?

This enterprise guidance should be practical. But you are right, we should mention at least that more work is currently being done at the IETF on this front.

-éric

From: Lorenzo Colitti [mailto:lorenzo@google.com]
Sent: Monday, 12 August 2013 07:35
To: Arie Vayner (avayner)
Cc: Eric Vyncke (evyncke); Fred Baker (fred); v6ops@ietf.org
Subject: Re: [v6ops] draft-ietf-v6ops-enterprise-incremental-ipv6 WGLC

On Fri, Aug 9, 2013 at 2:21 PM, Arie Vayner (avayner) <avayner@cisco.com> wrote:
Many enterprises rely on NAT on the Internet edge as their multi-homing/traffic engineering mechanism with IPv4.

If we recommend against ULA+NPTv6 (or just NPTv6 for traffic engineering), then we need to highlight the symmetry requirement due to stateful security layers.
Traffic leaving from an Internet gateway site to the Internet has to come back through the same site, or the stateful firewalls would break the flow (well, it has to hit the same stateful security layer).

By itself, NPTv6 doesn't protect against this problem because it's not stateful. It only protects against this problem if each egress point is only reachable using one prefix (which is not a requirement for doing NPTv6 - you could just as well do it by configuring all the exit points to use the same prefix, or to use all prefixes from all exit points).

What does protect you against this is using source+destination routing, which is what this draft should recommend instead of recommending NPTv6.
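To make the symmetry argument in this thread concrete, here is an added example (not from the draft or from anyone on the list) that simulates two exit sites with independent stateful firewalls. The prefixes, the NPTv6 policy at each site and the flow keying on (source, destination) are constructed assumptions; it shows the NPTv6 configuration that breaks return traffic, the one-prefix-per-exit constraint under which NPTv6 happens to work, and source+destination routing.

```python
import ipaddress

# Constructed topology (assumption, not from the draft): two exit sites,
# each attached to one upstream that announces only that site's prefix,
# and each running its own stateful firewall with no shared state.
EXITS = {
    "site-A": ipaddress.ip_network("2001:db8:a::/48"),
    "site-B": ipaddress.ip_network("2001:db8:b::/48"),
}

class StatefulFirewall:
    def __init__(self):
        self.flows = set()           # flows this site has seen leave

    def outbound(self, src, dst):
        self.flows.add((src, dst))   # create state for the outgoing flow

    def inbound(self, src, dst):
        # A reply is accepted only if this firewall created state for it.
        return (dst, src) in self.flows

def site_announcing(addr):
    # The Internet returns a packet to whichever site announces its prefix.
    ip = ipaddress.ip_address(addr)
    for site, prefix in EXITS.items():
        if ip in prefix:
            return site
    raise ValueError("no exit site announces a prefix covering %s" % addr)

def send_and_reply(egress_site, external_src, dst):
    """Send one flow out via egress_site using external_src as the outside
    address; return True if the reply passes a firewall that holds state."""
    fws = {site: StatefulFirewall() for site in EXITS}
    fws[egress_site].outbound(external_src, dst)
    return fws[site_announcing(external_src)].inbound(dst, external_src)

REMOTE = "2001:db8:ffff::80"          # constructed Internet destination

def nptv6_all_prefixes_at_every_exit():
    # NPTv6 at site-B is allowed to translate into site-A's prefix, so the
    # reply lands on site-A, whose firewall never saw the flow: dropped.
    return send_and_reply("site-B", "2001:db8:a::1234", REMOTE)

def nptv6_one_prefix_per_exit():
    # Each exit only translates into the prefix it announces itself.
    return send_and_reply("site-A", "2001:db8:a::1234", REMOTE)

def source_destination_routing():
    # Egress is chosen from the packet's source prefix, by the same rule the
    # Internet applies to the reply, so both directions hit the same site.
    src = "2001:db8:a::1234"
    return send_and_reply(site_announcing(src), src, REMOTE)
```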