Hi Jeroen,
These enterprises apparently don't want/require/need global reachability for their hosts. Otherwise they would not NAT.
That depends on what you mean by "global reachability". I am writing to you from behind a NAT right now. From here, I can reach web sites on the global Internet, etc. I can't run servers here, so I need to depend on my friends to do that for me.
There is a big difference between IPv6 site-local addresses (whether "full", "moderate" or "exclusive") and the use of private addressing behind IPv4 NATs. Without NAT, nodes that only have an IPv6 site-local address will not be able to communicate with the global Internet _at all_.
If you add a globally routed address to an IPv6 node (whether or not it already has a site-local address) it will be able to reach the global Internet, and nodes on the global Internet will be able to reach it.
The one-way reachability (outbound, but not inbound) that is experienced by users of IPv4 NAT is a side-effect of NAT. So, if we are successful in avoiding NAT in IPv6, the "security" models that depend on this one-way reachability won't apply in IPv6.
IMHO the real solution to this and some other problems we are currently seeing in IPv6 is really one thing which must be solved before anything else: IPv6 Multihoming
I'm not sure how IPv6 Multihoming applies here. Could you explain?
> So, if we don't come up with a way to allow provider-independent address allocation in IPv6, we will probably get IPv6<->IPv6 NAT.
We don't want PI because that would also imply a routing table explosion. PI thus is not the answer.
The simplest ways to provide PI addresses imply routing table explosion. There are people (in the IETF, IRTF and elsewhere) working on mechanisms for provider-independent addressing that avoid routing table explosion. I certainly hope that they will be successful, as that would solve a lot of problems.
Taking a, imho, good application like [loadbalancers] in view NAT should not be forbidden...
(Then again, the loadbalancer could just also have all the backends configured with the global IP and just forward the packets to the correct box... hmmm ;)
I don't have any interest in eliminating load balancers, but are you sure that this is how they work? What happens when the server passes its IP addresses in FTP, SCTP or SIP packets (or any other application-layer protocol)? Does the loadbalancer also translate those addresses to point to the loadbalancer, or is it assumed that the client node can (and should) reach the server directly in those cases?
Margaret
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
