Bill,

On 2010-07-22 19:49, William Herrin wrote:
> On Wed, Jul 21, 2010 at 5:37 PM, Owen DeLong <[email protected]> wrote:
>>>> http://tools.ietf.org/html/draft-arkko-ipv6-transition-guidelines
>>> There is a third major challenge to dual-stack that isn't addressed in
>>> the document: differing network security models that must deliver the
>>> same result for the same collection of hosts regardless of whether
>>> Ipv4 or v6 is selected. I can throw a COTS d-link box with
>>> address-overloaded NAT on a connection and have reasonably effective
>>> network security and anonymity in IPv4. Achieving comparable results
>>> in the IPv6 portion of the dual stack on each of those hosts is
>>> complicated at best.
>>>
>> Actually, it isn't particularly hard at all... Turn on privacy addressing
>> on each of the hosts (if it isn't on by default) and then put a linux
>> firewall in front of them with a relatively simple ip6tables configuration
>> for outbound only.
>
> From the lack of dispute, can I infer agreement with the remainder of
> my comments wrt mitigations for the "one of my addresses doesn't work"
> problem and the impracticality of the document's section 4.3 and 4.4
> for wide scale Ipv6 deployment?

As for those two scenarios (IPv6-only ISPs and IPv6-only clients, to simplify them), the document doesn't place them as first preference solutions. However, the fact is that various *extremely* large operators find themselves more or less forced into these scenarios by IPv4 exhaustion. I think it's more reasonable to describe solutions for them than to rule their problem out of order.

Brian
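
The "ip6tables configuration for outbound only" mentioned in the quoted text above could look like the following. This is an added example, not part of the original thread or of the draft; the function name and the interface names passed to it are assumptions, and DHCPv6 client traffic on the upstream side, if used, would need its own rule.

```shell
#!/bin/sh
# Added example: print an ip6tables-restore ruleset for a Linux router that
# lets inside hosts open IPv6 connections outward and drops unsolicited
# inbound traffic. Assumes forwarding is enabled on the router
# (sysctl net.ipv6.conf.all.forwarding=1) and that the inside hosts use
# privacy addressing (on Linux hosts: net.ipv6.conf.all.use_tempaddr=2).
gen_outbound_only_rules() {
    wan="$1"   # upstream-facing interface (hypothetical name, e.g. eth0)
    lan="$2"   # inside-facing interface (hypothetical name, e.g. eth1)
    if [ -z "$wan" ] || [ -z "$lan" ] || [ "$wan" = "$lan" ]; then
        echo "usage: gen_outbound_only_rules WAN_IF LAN_IF" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, replies to its own traffic, and ICMPv6
# (neighbor discovery and router advertisements stop working without it).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# Forwarded traffic: replies to tracked flows. RELATED also covers ICMPv6
# errors such as packet-too-big, which path MTU discovery depends on.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New flows are accepted only from the inside going out.
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# Everything else, including new inbound connections, hits the DROP policy.
COMMIT
EOF
}
```

The output can be checked without loading it by piping it to `ip6tables-restore --test` as root.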

