Re: Looking for comments

[Brian E Carpenter <brian.e.carpenter () gmail com>]

Bill,

On 2010-07-22 19:49, William Herrin wrote:
> On Wed, Jul 21, 2010 at 5:37 PM, Owen DeLong <owen () delong com> wrote:
> > > > http://tools.ietf.org/html/draft-arkko-ipv6-transition-guidelines
> > > There is a third major challenge to dual-stack that isn't addressed in
> > > the document: differing network security models that must deliver the
> > > same result for the same collection of hosts regardless of whether
> > > Ipv4 or v6 is selected. I can throw a COTS d-link box with
> > > address-overloaded NAT on a connection and have reasonably effective
> > > network security and anonymity in IPv4. Achieving comparable results
> > > in the IPv6 portion of the dual stack on each of those hosts is
> > > complicated at best.
> > Actually, it isn't particularly hard at all... Turn on privacy addressing
> > on each of the hosts (if it isn't on by default) and then put a linux
> > firewall in front of them with a relatively simple ip6tables configuration
> > for outbound only.
>
> > From the lack of dispute, can I infer agreement with the remainder of
> my comments wrt mitigations for the "one of my addresses doesn't work"
> problem and the impracticality of the document's section 4.3 and 4.4
> for wide scale Ipv6 deployment?

As for those two scenarios (IPv6-only ISPs and IPv6-only clients, to simplify
them), the document doesn't place them as first preference solutions.
However, the fact is that various *extremely* large operators find themselves
more or less forced into these scenarios by IPv4 exhaustion. I think it's
more reasonable to describe solutions for them than to rule their
problem out of order.

   Brian