Re: chicago IETF IPv6 connectivity

Thus spake "Keith Moore" <moore@xxxxxxxxxx>
> Stephen Sprunk wrote:
> > Thus spake "Keith Moore" <moore@xxxxxxxxxx>
> > > NAT-PT really needs to be wiped off the face of the earth.  It
> > > provides all of the disadvantages of IPv4+NAT with all of the
> > > transition costs of IPv6.
> >
> > Indeed it does.  However, it has significant benefits as well:
>
> [arguments about NAT-PT avoiding the need to dual-stack
> hosts deleted]
>
> Dual-stacking hosts is a non-problem.  For the majority of
> deployed hosts, it is already done.

That depends on the definition you're using. Many hosts are v6-capable, though I'd still debate whether it's the majority. Very, very few of those hosts have working v6 connectivity because there's some device(s) or provider(s) between the host and the DFZ that are v4-only.

Even with Vista supporting v6 by default, the vast majority of Vista machines are behind NAT boxes that only support v4. In the case of enterprise networks, the internal network is also v4 only, limited by one or more of hardware, software, and motivation. Many ISPs, particularly consumer ones, don't offer v6 service at all, though that's improving daily and one can work around it with 6to4.

Dual-stacking a network, even a home network, is _not_ a non-problem.

> Adapting existing networks to IPv6 is somewhat painful, but
> most of the deployed hardware supports it.

It's humans and software, not hardware, that is generally the problem getting v6 deployed.

> On the other hand, adapting existing security policies, traffic
> filters, network intrusion detection systems, explicit and
> interception proxies is much harder.  In some cases the
> products or upgrades don't even exist for IPv6, and when they
> do, they're not mature.

So put the NAT-PT device on the outside of those security boxes. Presto, instant access from your v4 network to every v6-only host out there and vice versa, without any compromise of security. There is a compromise of functionality, but it's no worse than what you've got for v4 connectivity because you're behind a NAT for that too...

There's a lot of focus on NAT-PT for v6 sites to access remote v4-only sites; I'm focusing on the case of v4-only sites using NAT-PT to access remote v6-only sites. That is the case that's going to go critical in 2-4 years when exhaustion hits. After that, folks can deploy real v6 internally (or even flash cut) when they see that a significant fraction of their outbound traffic is v6 -- or when the slower vendors finally get around to fixing their products.

> > > If there is ever any significant penetration of NAT-PT, then
> > > the pseudo-IPv6 network will not be able to support any
> > > more kinds of applications than the NATted IPv4 does today.
> >
> > In the beginning stages, yes.  However, unlike v4 NAT, if one
> > has a problem with NAT-PT and how it affects applications,
> > all one has to do is deploy v6 and they go away.
>
> That's like saying that if you are an IPv4 software developer and
> your applications won't work at your customers' sites because
> they have NATs, all you have to do is get rid of your own NAT
> and your customers' problems will go away.

That's not the same thing at all.

> It simply doesn't work that way.  NATs create problems even
> for people who don't use them.
>
> > Besides, nearly everyone is behind a v4 NAT today, so things
> > aren't going to get any worse for v4 traffic, and they'll gradually
> > improve for v6 traffic as folks deploy it and start to bypass
> > their NAT-PT devices.

I must have ESP (and not the IPsec kind), because I already responded to that point...

> There are basically two incentives to support IPv6: one is
> more addresses, the other is a better behaved network that
> is capable of supporting a wider range of applications at
> lower cost.  If NAT-PT is widely deployed, the second
> incentive is removed.

No, the second incentive remains. Fully deploying v6 is still a good idea because it removes the problems inherent to NAT-PT, which I've already acknowledged. However, the alternative is worse. If you're still stuck on v4 because your vendors and/or management won't allow you to deploy v6, and v6-only sites start appearing, you can't contact those folks _at all_. Connectivity to those sites via NAT is better than no connectivity at all. Do _you_ want to be the first v6-only site on the Internet, unable to talk to 99% of other hosts out there?

And, as Phillip says, it's a moot point because vendors are shipping NAT-PT anyways. The IETF can deprecate whatever it wants, but the market will provide what is needed. The IETF hasn't been very successful at eliminating v4 NAT either...

S

Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS --Isaac Asimov
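The two address-embedding mechanisms the thread leans on, 6to4 and the NAT-PT /96 PREFIX, are easy to get wrong when writing filter rules for the "NAT-PT outside the security boxes" layout Stephen describes, because the v4 address a policy was written for ends up inside a v6 address. The following is an added example written for this archive page, not code from either poster: it derives the 6to4 /48 for a public IPv4 address (RFC 3056), maps a v4 address into and out of a NAT-PT prefix (RFC 2766's PREFIX::a.b.c.d form), and refuses to "un-map" a v6 address that is not under the translator's prefix, since that one belongs to a native v6 host. The prefix 2001:db8:1::/96 and all v4 addresses are constructed documentation values, and the function names are this example's own.

```python
"""Added example (not from the thread): v4-in-v6 address embeddings for
6to4 and NAT-PT, worked with Python's standard ipaddress module.

  * 6to4 (RFC 3056): a public IPv4 address a.b.c.d owns 2002:aabb:ccdd::/48.
  * NAT-PT (RFC 2766): a v4-only host appears on the v6 side as
    PREFIX::a.b.c.d, where PREFIX is a /96 owned by the translator, which
    recovers a.b.c.d from the low 32 bits.

All sample addresses below are constructed documentation addresses
(RFC 5737 for v4, RFC 3849 for v6), not real hosts.
"""
import ipaddress


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """Return the 6to4 /48 that the IPv4 address `v4` owns.

    6to4 relies on the address being publicly routable; a host behind a
    v4 NAT gets the NAT's prefix, not its own, which is why the thread
    calls 6to4 a workaround rather than a fix."""
    v4_int = int(ipaddress.IPv4Address(v4))
    # 0x2002 in the top 16 bits, the 32-bit v4 address in the next 32 bits,
    # then 80 zero bits that the site subnets as it likes.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))


def embedded_sixtofour_v4(v6: str):
    """Return the IPv4 address embedded in a 2002::/16 address, or None
    when the address is not 6to4 (useful when a v6 filter wants to apply
    the v4 policy to the real originating site)."""
    return ipaddress.IPv6Address(v6).sixtofour


def natpt_map(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """Embed `v4` in the translator's /96 prefix (RFC 2766 PREFIX::a.b.c.d)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError(f"NAT-PT prefix must be a /96, got {prefix}")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4)))


def natpt_unmap(prefix: str, v6: str) -> ipaddress.IPv4Address:
    """Recover the v4 address from a NAT-PT-mapped v6 address.

    Raises ValueError when `v6` is not inside the prefix: that address is a
    native v6 host and must be routed, not translated."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if net.prefixlen != 96 or addr not in net:
        raise ValueError(f"{v6} is not a NAT-PT mapped address under {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 / RFC 3849 documentation space).
    print("6to4 prefix for 203.0.113.9:", sixtofour_prefix("203.0.113.9"))
    print("v4 inside 2002:cb00:7109::1:", embedded_sixtofour_v4("2002:cb00:7109::1"))
    mapped = natpt_map("2001:db8:1::/96", "198.51.100.7")
    print("NAT-PT mapped 198.51.100.7:", mapped)
    print("unmapped again:", natpt_unmap("2001:db8:1::/96", str(mapped)))
    try:
        natpt_unmap("2001:db8:1::/96", "2001:db8:2::1")
    except ValueError as err:
        print("refused:", err)
```

Round-tripping through `natpt_map` and `natpt_unmap` is the translator's whole address job; the refusal path matters for the filtering point in the thread, because a rule that blindly masks the low 32 bits of any v6 destination would apply v4 policy to native v6 hosts.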


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf