[128005] in North American Network Operators' Group


Re: Looking for comments

daemon@ATHENA.MIT.EDU (Brian E Carpenter)
Thu Jul 22 17:38:40 2010

Date: Fri, 23 Jul 2010 09:38:23 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
To: William Herrin <bill@herrin.us>
In-Reply-To: <AANLkTikV8eDzJdgnbQZi647283a7Ixlzj1zibN8GX2kK@mail.gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Bill,

On 2010-07-22 19:49, William Herrin wrote:
> On Wed, Jul 21, 2010 at 5:37 PM, Owen DeLong <owen@delong.com> wrote:
>>>> http://tools.ietf.org/html/draft-arkko-ipv6-transition-guidelines
>>> There is a third major challenge to dual-stack that isn't addressed in
>>> the document: differing network security models that must deliver the
>>> same result for the same collection of hosts regardless of whether
>>> IPv4 or v6 is selected. I can throw a COTS d-link box with
>>> address-overloaded NAT on a connection and have reasonably effective
>>> network security and anonymity in IPv4. Achieving comparable results
>>> in the IPv6 portion of the dual stack on each of those hosts is
>>> complicated at best.
>>>
>> Actually, it isn't particularly hard at all... Turn on privacy addressing
>> on each of the hosts (if it isn't on by default) and then put a linux
>> firewall in front of them with a relatively simple ip6tables configuration
>> for outbound only.
> 
> From the lack of dispute, can I infer agreement with the remainder of
> my comments wrt mitigations for the "one of my addresses doesn't work"
> problem and the impracticality of the document's section 4.3 and 4.4
> for wide scale IPv6 deployment?

As for those two scenarios (IPv6-only ISPs and IPv6-only clients, to simplify
them), the document doesn't place them as first preference solutions.
However, the fact is that various *extremely* large operators find themselves
more or less forced into these scenarios by IPv4 exhaustion. I think it's
more reasonable to describe solutions for them than to rule their
problem out of order.

   Brian
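The "privacy addressing plus a simple outbound-only ip6tables configuration" setup that Owen describes in the quoted exchange, written out as an added example. This is not a ruleset posted by anyone in the thread; it is an illustration of that approach for a Linux box routing between a LAN and the ISP. The interface names (WAN on eth0, LAN on eth1) are assumptions. The function prints the ip6tables commands rather than executing them, so it can be inspected without root; pipe its output into sh as root to apply it.

```shell
#!/bin/sh
# Added example, not from the original thread: outbound-only IPv6
# forwarding rules for a Linux firewall in front of a LAN, plus the
# sysctl that turns on RFC 4941 privacy (temporary) addresses on hosts.
# Interface names are assumptions; override with WAN=... LAN=... in the env.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# Emit the FORWARD-chain ruleset. Printing instead of applying keeps this
# runnable without root; apply with:  ip6_rules | sudo sh
ip6_rules() {
    cat <<EOF
ip6tables -F FORWARD
ip6tables -P FORWARD DROP
# LAN hosts may open connections outward; replies return via conntrack,
# which is what gives the NAT-like "outbound only" behaviour without NAT.
ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT
ip6tables -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 error messages must still come in: Packet Too Big is required for
# path MTU discovery, and blocking ICMPv6 wholesale is the classic way to
# turn a working IPv6 path into one that hangs on large transfers.
ip6tables -A FORWARD -i $WAN -o $LAN -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -i $WAN -o $LAN -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A FORWARD -i $WAN -o $LAN -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A FORWARD -i $WAN -o $LAN -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
# Anything else unsolicited from the WAN is rate-limited into the log and
# then falls through to the DROP policy.
ip6tables -A FORWARD -i $WAN -o $LAN -m limit --limit 5/min -j LOG --log-prefix "ip6 fwd drop: "
EOF
}

# Privacy addressing on each host (RFC 4941). use_tempaddr=2 both generates
# temporary addresses and prefers them as the source for new connections,
# so outbound traffic does not expose a stable, MAC-derived interface ID.
host_privacy_sysctl() {
    cat <<EOF
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
EOF
}
```

One caveat worth keeping in mind when comparing this with the IPv4 NAT box: the hosts behind it hold globally routable addresses, so the firewall policy is the only thing between them and the Internet. A flushed chain or an ACCEPT default policy exposes every host directly, whereas a NAT box that loses its rules still cannot forward unsolicited inbound traffic to an unmapped private address.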

