>> Dual-stacking hosts is a non-problem. For the majority of >> deployed hosts, it is already done. > > That depends on the definition you're using. Many hosts are > v6-capable, though I'd still debate whether it's the majority. Very, > very few of those hosts have working v6 connectivity because there's > some device(s) or provider(s) between the host and the DFZ that are > v4-only. agreed, but you were talking about hosts. > It's humans and software, not hardware, that is generally the problem > getting v6 deployed. agreed about humans - mindshare is the hardest thing to overcome. the software/hardware question is a distinction without a significant difference. if the products (you think) you need to secure your network aren't shipping, it doesn't matter much whether what you need is new hardware or a software upgrade. often, that's just a matter of packaging. >> On the other hand, adapting existing security policies, traffic >> filters, network intrusion detection systems, explicit and >> interception proxies is much harder. In some cases the >> products or upgrades don't even exist for IPv6, and when they >> do, they're not mature. > So put the NAT-PT device on the outside of those security boxes. and then you end up with a crippled network that will impair a lot of the functionality you would have gained by using IPv6, and one which pollutes DNS besides. > There's a lot of focus on NAT-PT for v6 sites to access remote v4-only > sites; I'm focusing on the case of v4-only sites using NAT-PT to > access remote v6-only sites. that's certainly an important case, but there are better ways than NAT-PT for v6-only sites to provide services to v4-only users. >> There are basically two incentives to support IPv6: one is >> more addresses, the other is a better behaved network that >> is capable of supporting a wider range of applications at >> lower cost. If NAT-PT is widely deployed, the second >> incentive is removed. > > No, the second incentive remains. Fully deploying v6 is still a good > idea because it removes the problems inherent to NAT-PT, which I've > already acknowledged. yes, but everyone else's NAT-PT boxes still keep you from getting most of the benefit from your upgrade to full IPv6. > And, as Phillip says, it's a moot point because vendors are shipping > NAT-PT anyways. BS. that's equivalent to the argument that because everyone else is evil, we might as well be evil too. IETF is useless if it doesn't try to describe what will work well in the long term. Keith _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf