[136761] in North American Network Operators' Group
Re: quietly....
daemon@ATHENA.MIT.EDU (Mark Andrews)
Fri Feb 4 17:44:21 2011
To: Jared Mauch <jared@puck.nether.net>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Fri, 04 Feb 2011 16:36:20 CDT."
<FE7943DF-6A3A-478F-AF40-DE4D3592FB1D@puck.nether.net>
Date: Sat, 05 Feb 2011 09:44:00 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In message <FE7943DF-6A3A-478F-AF40-DE4D3592FB1D@puck.nether.net>, Jared Mauch
writes:
>
> On Feb 4, 2011, at 4:32 PM, Mark Andrews wrote:
>
> >
> > In message <201102041140.42719.lowen@pari.edu>, Lamar Owen writes:
> >> On Friday, February 04, 2011 09:05:09 am Derek J. Balling wrote:
> >>> I think they'll eventually notice a difference. How will an IPv4-only
> >>> internal host know what to do with an IPv6 AAAA record it gets from a
> >>> DNS lookup?
> >>
> >> If the CPE is doing DNS proxy (most do) then it can map the AAAA record
> >> to an A record it passes to the internal client, with an internal
> >> address for the record chosen from RFC1918 space, and perform
> >> IPv4-IPv6 1:1 NAT from the assigned RFC1918 address to the external
> >> IPv6 address from the AAAA record (since you have at least a /64 at
> >> your CPE, you can even use the RFC1918 address in the lower 32
> >> bits.... :-P).
> >>
> >> This may already be a standard, or a draft, or implemented somewhere;
> >> I don't know. But that is how I would do it, just thinking off the top
> >> of my head.
> >>
> >
> > DS-lite delivers an IPv4 softwire over an IPv6 upstream. It also
> > introduces fewer problems than NAT64 as it works with DNSSEC and
> > with IPv4 literals. Along with DS-lite there is a UPnP replacement
> > designed to work with distributed NATs (DS-Lite (AFTR+B4) and NAT444
> > (LSN + CPE NAT)) so that holes can be punched through multiple devices
> > if needed.
>
> I've yet to see a version of ALG that isn't buggy (e.g. Cisco SIP-ALG,
> 2Wire/ATT uverse sip-alg is seriously broken, same for either dlink or
> netgear... we have to turn it off otherwise it does bad things).
And you reported the bugs.
> I'm sure that LSN activity is going to work "great" for the carriers.
Yes, it is a worry, which is why we want people to move to IPv6 and
not use NAT. Fewer things to go wrong. A firewall only has to react
to the traffic, not re-write it. One less thing to go wrong.
> - jared
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
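The AAAA-to-A mapping Lamar Owen sketches in the quoted text, worked through as an added example (this is not code from the thread or from any CPE vendor): a DNS proxy on the CPE answers an IPv4-only LAN host with an A record drawn from an RFC 1918 pool, records which IPv6 target that address stands for, and a 1:1 NAT46 stage uses the same table to rewrite packets in both directions. The pool (10.64.0.0/24), the CPE prefix (2001:db8:1234:5678::/64), the mapping lifetime, and the reading of "the RFC1918 address in the lower 32 bits" as the LAN host's own address embedded in the translated IPv6 source are all assumptions of this example; it uses only the Python standard library.

```python
"""
Hypothetical CPE-side AAAA->A synthesis plus 1:1 NAT46 state table.
Added illustration of the scheme proposed on the list, not real CPE code.
Assumptions: an RFC 1918 pool for synthesized A records, a CPE prefix of
/96 or shorter, and the LAN host's RFC 1918 address carried in the low
32 bits of the IPv6 source address the translator emits.
"""
import ipaddress
import time


class Nat46Mapper:
    def __init__(self, pool, cpe_prefix, ttl=300):
        self.pool = ipaddress.ip_network(pool)              # RFC 1918 pool for synthesized A records
        self.cpe_prefix = ipaddress.ip_network(cpe_prefix)  # prefix delegated to the CPE
        if self.cpe_prefix.prefixlen > 96:
            raise ValueError("need 32 free bits in the prefix to embed an IPv4 address")
        self.ttl = ttl                                      # mapping lifetime; also the TTL of the A answer
        self._free = list(self.pool.hosts())                # unused pool addresses
        self._v4_to_v6 = {}                                 # synthesized A -> (real AAAA target, expiry)
        self._v6_to_v4 = {}                                 # real AAAA target -> synthesized A

    def _expire(self, now):
        """Return expired mappings to the pool so the /24 is not a one-shot resource."""
        for v4, (v6, expiry) in list(self._v4_to_v6.items()):
            if expiry <= now:
                del self._v4_to_v6[v4]
                del self._v6_to_v4[v6]
                self._free.append(v4)

    def synthesize_a(self, aaaa_target, now=None):
        """DNS proxy side: turn an AAAA answer into the A record handed to the LAN host."""
        now = time.time() if now is None else now
        target = ipaddress.IPv6Address(aaaa_target)
        self._expire(now)
        if target in self._v6_to_v4:
            v4 = self._v6_to_v4[target]
            self._v4_to_v6[v4] = (target, now + self.ttl)   # refresh an existing mapping
            return v4
        if not self._free:
            raise RuntimeError("RFC 1918 pool exhausted")
        v4 = self._free.pop(0)
        self._v4_to_v6[v4] = (target, now + self.ttl)
        self._v6_to_v4[target] = v4
        return v4

    def translate_outbound(self, src_v4, dst_v4, now=None):
        """NAT46 side, LAN -> Internet: return (src_v6, dst_v6) for the rewritten packet."""
        now = time.time() if now is None else now
        dst = ipaddress.IPv4Address(dst_v4)
        entry = self._v4_to_v6.get(dst)
        if entry is None or entry[1] <= now:
            # No state: the host used an IPv4 literal, or a cached answer outlived the mapping.
            raise LookupError(f"no NAT46 mapping for destination {dst}")
        # Embed the LAN host's RFC 1918 address in the low 32 bits of the CPE prefix (assumption).
        src_v6 = ipaddress.IPv6Address(
            int(self.cpe_prefix.network_address) | int(ipaddress.IPv4Address(src_v4)))
        return src_v6, entry[0]

    def translate_inbound(self, src_v6, dst_v6):
        """NAT46 side, Internet -> LAN: return (src_v4, dst_v4) as the LAN host expects them."""
        server = ipaddress.IPv6Address(src_v6)
        dst = ipaddress.IPv6Address(dst_v6)
        if server not in self._v6_to_v4 or dst not in self.cpe_prefix:
            raise LookupError(f"no NAT46 mapping for {server} -> {dst}")
        lan_host = ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF)  # recover the embedded RFC 1918 address
        return self._v6_to_v4[server], lan_host


if __name__ == "__main__":
    # Constructed walk-through: one lookup, one outbound packet, its reply.
    m = Nat46Mapper("10.64.0.0/24", "2001:db8:1234:5678::/64")
    a = m.synthesize_a("2001:db8::1")
    print("A record handed to LAN host:", a)
    print("outbound rewrite:", m.translate_outbound("192.168.1.20", a))
    print("inbound rewrite:", m.translate_inbound("2001:db8::1", "2001:db8:1234:5678::c0a8:114"))
```

Two properties of the table are the same gaps Mark Andrews cites when contrasting DS-lite with NAT64: a destination reached without passing through the proxy (an IPv4 literal typed into an application, or an answer cached past the mapping's lifetime) has no state, so `translate_outbound` refuses it rather than guessing; and because the A record is manufactured by the proxy it carries none of the zone's signatures, so a validating stub behind the CPE cannot accept it.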