nanog mailing list archives

Re: Important IPv6 Policy Issue -- Your Input Requested


From: Jeroen Massar <jeroen () unfix org>
Date: Tue, 09 Nov 2004 17:56:50 +0100

On Tue, 2004-11-09 at 11:09 -0500, Leo Bicknell wrote:
> In a message written on Tue, Nov 09, 2004 at 08:55:51AM +0100, Jeroen Massar wrote:
>> http://www.ietf.org/internet-drafts/draft-vandevelde-v6ops-nap-00.txt
>>
>> That contains most of the answers to your questions ;)
>
> Not really.  It explains to me what a group of people would like
> to see happen.

It should also be the way you should want to see things happen, that is:
no more NAT.

> Major vendors already have NAT for IPv6:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_c/sa_natpt.htm
>
> Indeed, NAT is being pushed by some vendors as a migration tool
> from IPv4 to IPv6.  I have to believe if the code can do IPv4-IPv6
> NAT, then doing IPv6 NAT to IPv6 NAT would be trivial.

NAT-PT is a transition mechanism from IPv4 towards IPv6.
To quote the first paragraph of the above url:
8<--------------
Network Address Translation - Protocol Translation (NAT-PT) is an IPv6-
IPv4 translation mechanism, as defined in RFC 2765 and RFC 2766,
allowing IPv6-only devices to communicate with IPv4-only devices and
vice versa.
--------------->8
Where does this mention IPv6-IPv6 NAT? It contains pictures too ;)

It is fortunately not IPv6-IPv6 NAT, thus please don't say "major
vendors are pushing it" and that "they already have it" and I hope
nobody will come up with it either. The entity that does, should stay
with IPv4 and not even take the trouble thinking of IPv6.

Btw check the authors list of the draft and the companies they work for
and guess which companies will not be doing anything in that order.
There goes your 'major vendor' argument.

> While I would hope we move away from NAT with IPv6, I realize there
> are brain dead people today with internal policies that read "All
> network segments must be protected by NAT."  I know NAT != security.
> You know NAT != security.  However, the vendors know they can charge
> these people for a box that does IPv6-IPv6 NAT, these people (in
> ignorance) want IPv6-IPv6 NAT.  Therefore it will exist, and people
> will use it.

That is why the above draft exists, to get the ties aligned and in
order. They have to get an understanding that NAT is not the way.

> So, while you can talk until you're blue in the face about why it
> may not be needed, good planning dictates you have to realize it
> will exist, and as such consider what the impact will be on the
> network.  Good product design means designing for people who do
> stupid stuff with your product, to a certain degree.

I fortunately type, not talk about this, unless it starts freezing here
(hmm it is already going that direction but we have climate control
here), my fingers won't become blue either ;)

Greets,
 Jeroen
