On 10/22/2012 11:57 AM, james woodyatt wrote:
On Oct 22, 2012, at 11:28 , mike <[email protected]> wrote:
I'd say that until we have source address selection that actually works and is widely deployed, that taking anything off the table is premature. Source address selection applies just as much on a homenet as anyplace else.
Disagree.  My opinion is that the potential for catastrophic damage to the 
utility of the Internet by the ubiquitous deployment of NPT66 in residential 
gateways poses too grave a risk for us to continue seriously entertaining it as 
a viable approach to any of the problems in our ambit.  I would say that it 
MUST be deprecated by the arch document.

For anyone arguing in favor of using NPT66 in residential gateways, I think it's fair 
to ask them for solutions to the problem statement in I-D.carpenter-referral-ps 
<http://tools.ietf.org/html/draft-carpenter-referral-ps> in support of that 
idea. Referral in IPv4 was badly broken by the introduction of NAT44, and the 
ubiquitous deployment of NPT66 in residential gateways would repeat the error with 
IPv6.

I would say HOMENET should not be seriously considering that as an option.  Is 
there any significant disagreement on that point?  Are there people here who 
might be willing to stand up and argue that the referral problem is secondary 
to other objectives well served by deploying NPT66 in home network access 
routers?  If so, then what are those objectives?  I'm having a hard time 
understanding what they might be.

I'm not saying that I like NPT66. I'm saying that the IETF has failed to deal with
source address selection, such that we're now at the point of address exhaustion
with v4 with nothing working in real devices besides 3484, which is inadequate,
and a lead time of 5+ years before anything is likely to be widely deployed.

So we all know what happens when host devices don't do it: the network in
its own hacked way does it for them. So regardless of whether we like it or
not, NPT and other kinds of network hackery are just an expedient away.
NPT at least doesn't have some of the most egregious sins of NAT.

Probably even more so when you consider corporate VPNs.
Actually, VPN is usually just a special case of MIF, i.e. individual hosts are 
multihomed, not the whole homenet.  This is a much simpler situation to manage, 
and solutions for that space are already ubiquitous.


No, sorry. Corporate VPNs using v6 and the lack of a coherent source address
selection mechanism cause breakage in bizarre and unpredictable ways.
You are not going to get the results you hope for if your Mac uses an ISP prefix
to get back inside the corporate firewall, uRPF if nothing else. SLAAC changes
a lot of things over v4.

Mike
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet