IETF Logo Mail Archive

Re: [v6ops] Are we competitive?

Fernando Gont <fgont@si6networks.com> Mon, 15 August 2022 14:52 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA90AC1524B8 for <v6ops@ietfa.amsl.com>; Mon, 15 Aug 2022 07:52:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h6KzX2fbZHHb for <v6ops@ietfa.amsl.com>; Mon, 15 Aug 2022 07:52:21 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57E66C1524B7 for <v6ops@ietf.org>; Mon, 15 Aug 2022 07:52:20 -0700 (PDT)
Received: from [IPV6:2800:810:464:f13:6623:ffb1:f7bf:cc40] (unknown [IPv6:2800:810:464:f13:6623:ffb1:f7bf:cc40]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id B3E202800BA; Mon, 15 Aug 2022 14:52:11 +0000 (UTC)
Message-ID: <4acb6a05-3e2f-2917-2507-e2091c471ab2@si6networks.com>
Date: Mon, 15 Aug 2022 11:52:08 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
To: Clark Gaylord <cgaylord@vt.edu>, Gert Doering <gert@space.net>
Cc: Vasilenko Eduard <vasilenko.eduard@huawei.com>, IPv6 Operations <v6ops@ietf.org>
References: <CAM5+tA8UF-3ZHkE0npZ0r5sDQ+FudTSPhpWns1BsPCk=NecX+Q@mail.gmail.com> <7e4606c4534c49a593863bda870b6e63@huawei.com> <3f138b03-940a-e83a-6c6e-6039506b6e4b@gont.com.ar> <10f89b7cbe784881bd22b4af81577aa6@huawei.com> <CAN-Dau0nz0TouDnz5pei0MCmTzSbP8q+gHLx1m0sxX0hsuPX3w@mail.gmail.com> <b9f33aa499b043bb90ff926731db9739@huawei.com> <b885bdd4-d837-1eda-9614-36c76190d920@gont.com.ar> <a6975472445f49018abab153fa61b399@huawei.com> <YvoaJ+IJdl/VXYLj@Space.Net> <1cdf7569a11d43e2b4fdd8675b657e42@huawei.com> <YvoilaQfj40uYI5X@Space.Net> <CADzU5g6w4=W8mAwpaCDQM0D=HVEN-OaWpVAwguKpL_kTELMMsw@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <CADzU5g6w4=W8mAwpaCDQM0D=HVEN-OaWpVAwguKpL_kTELMMsw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/umzJ2sMcxGlgWsFpxeO8SicllLA>
Subject: Re: [v6ops] Are we competitive?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2022 14:52:23 -0000

Hi, Clark,

On 15/8/22 08:58, Clark Gaylord wrote:
> I would century that the vast majority that say they are 
> tracking/logging NAT tables today are lying.

Possibly.

Although that part applies when performing network activity correlation 
with external entities.

When it comes to internal communications, you only need the 
local/private/internal_real addresses.


> Tracking all temporary 
> addresses from the ipv6NetToMediaTable is more transparent, more 
> scalable, and (comparatively) blindingly easy. Yes your netdisco (or 
> equivalent) table will be bigger; it's still completely manageable(*). 
> Reasserting the end-to-end principle should be a major objective, not 
> replicating legacy antipatterns.

There's no such a thing as "e2e principle" in most modern networks.

And it is extremely unlikely (and probably even undesirable) that we go 
back there.

Again, I'm just the messenger here.



> There's plenty of room for those who want to do NAT66 etc; it should not 
> be the recommended best practice.

I don't think anybody has argued that. The argument has been, for the 
most part, that "whether you like it or not, there's a number of 
scenarios where people might want to do NAT66. The more we accept and 
try to understand the reasons, the closer we'll probably be to reality."



> (*) I recognize most shops don't have full logging 
> of ipv6NetToMediaTable etc, either, but that is generally more tractable 
> and more important from a security perspective IMO.

Please define "tractable".

 From a security standpoint, "well understood" is usually your friend. 
"Unfortunately", the more you can solve the problem "the ipv4 way", the 
more attractive the solution is, for obvious reasons.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

v2.23.0 | Report a Bug | By Email