A thought provoking discussion.
I don't think the specific transition technology matters so much as the
"family" it falls into.
What matters is whether IETF wishes to showcase IPv6-only down to the customer
client devices (and then to harvest the expected client issues, IPsec
failing?), or whether it wishes to showcase "local dualstack on the
small-stub-network, with an IPv6-only provider connection" to show how
small-stub-networks could be connected in the future.
Let me explain (longer answer).
In a number of years' time, as providers run out of IPv4 publics, edge
"networks" will be brought on with only global IPv6 addressing available as the
persistent identifier for connected endpoints. (I am assuming in Sunset4 we can
agree on that).
But what addressing is within the edge network?
1. For large edge networks where private addressing numbers are not sufficient
to meet the number of connected devices, they will need to go IPv6-only, as we
have seen with large mobile operators, and learnt with Microsoft Enterprise,
Facebook etc. These networks all say private IPv4 addressing is not sufficient.
2. For smaller enterprise edge networks then they may well be sitting and
waiting, or following the above, time will tell.
3. For "small-stub-networks" (SSN), where the number of connected devices is
manageable then clearly IPv4 private addressing is sufficient. Public Wifi
access being a perfect example of SSN, or any model using a consumer CPE I
suppose. So this is the question for sunset4:
(A) Do we wish to advocate IPv6-only in this SSN scenario? in which case all
current and future client issues must be resolved (IPv4 literals) such that the
clients work in the absence of an IPv4 address? This case is typified by
NAT64/DNS64, other transition mechanisms are available.
(B) Do we wish to advocate dualstack networking to the client in this SSN
scenario? Avoid client issues by providing them with a GUA and a IPv4 private?
In which case the transition technology (held within the CPE) needs to enable
dualstack on the access side but on the provider side, cope with only an
IPv6-only provider connection. 464xlat in the CPE (like 464xlat based tethering
from a cellular handset) is an example of a transition technology in this
family, others are available.
Both of these SSN approaches assume that within the core of the internet their
remains the legacy IPv4-only content, which seems valid for "consumer
electronics networking" in general.
They differ on how we expect consumer electronics networking to evolve (or how
we *want* it to evolve). We could advocate both for sure, but not sure if that
helps move sunset4 forward!
My opinion, take it or leave it, is that pragmatically, a SSN vision based on
(B) is less problematic. It is less dependent on moving a whole collection of
Consumer Electronics away from today's deficient state, because (A) essential
demands they work in absence of IPv4. This requires concerted effort to remove
the "IPv6-only" mode bugs that we know exist.
The biggest problem with (A) is that you cannot make the network model the
compulsory model, until the majority of Consumer Electronics is fully ready,
which creates another network provider chicken-egg problem. You can do OS by OS
(something that a popular smartphone and PC vendor is attempting with
IPv6-only, NAT64) but network providers don't wish to create individual network
paradigms for each OS.
Then we look back at 2., above. Enterprises moving to IPv6-only - do we have
some need and obligation within Sunset4 to push (A) to avoid Enterprises being
trapped in an IPv4 world? To leave dualstack in one part of the edge (SSN) -
does it undermine the benefits we are telling enterprises on IPv6-only e.g.
removal of dual address complexity. Personally I believe this is only really an
issue in practice where the enterprise is so large that the 20M private
addresses are not sufficient for their organisation - and I think such
enterprises are big enough to progress this issue themselves if they wish
IPv6-only to work for them. But if (A) is consensus then Sunset4 should start
to define the client requirements for absence of IPv4 in a SSN. And unlike
provider networks, enterprise networks own and manage the end to end network
use case themselves.
The other concern for me about (A) is that I have already oversimplified
devices as "consumer electronics" as though they only fall into the hands of
consumers in consumer usecases.
One of the big issues I foresee with the IPv6-only approach of certain OS
vendor(s) is that something like a smartphone can be an end device with its
network interface servicing "on board Apps" (typical mobile connectivity), but
it can also be a network gateway when used for tethering or "internet sharing".
The end device (the device tethered on the end of the wifi link) may actually
be in an enterprise use case ("VPN into an office network" for example). By
making the SSN IPv6-only we may risk placing requirements on the enterprise
network (i.e. outside-in connectivity like the VPN concentrator, may need
certain functionality to terminate an IPv6 IPsec VPN etc.). We may need the
requirements for (A) not just be about end devices but also coordinating
requirements for various gateways in enterprise networks? If you believe that,
it is another serious chicken-egg problem; do we need enterprise networks
upgraded before we can move to a solution for SSNs? (See the IPsec comments in
https://tools.ietf.org/html/rfc7269#section-6.1 but in the general case IPsec
VPN is a fail, right?)
I am very much in favour of the family of transition technologies that enable
(B).
SO I inferred a definition of the term SSN to suit my needs in this mail. What
is really boils down to is that edge networks need some sort of CPE or Gateway
to the provider network. Do we want that CPE to provide dualstack locally or
IPv6-only when the provider addresses run out.
Back to the IETF SSID, what SSN vision do you wish to showcase? (I'd prefer a
choice for long term rather than "for next meeting" and I'd go for something
like Jordi's 464xlat in the CPE! Choose wisely :-)
If an IPv6-only SSID is just to showcase IPsec VPNs still failing, it is a bit
of a waste of people's time).
Regards,
Nick
-----Original Message-----
From: sunset4 [mailto:sunset4-boun...@ietf.org] On Behalf Of JORDI PALET
MARTINEZ
Sent: 07 October 2016 21:02
To:
Subject: Re: [sunset4] Sunset4 work
On 10/7/16, 6:27 AM, "sunset4 on behalf of JORDI PALET MARTINEZ"
<sunset4-boun...@ietf.org on behalf of jordi.pa...@consulintel.es> wrote:
>This is what I’m proposing. May be I miss explained it.
>
>NOT asking EVERY device in our network to HAVE 464XLAT client (CLAT), but
having ONLY our “CPE” to have it.
>
>Nodes will not notice anything.
>
>This is what is going to happen in the future in most of the networks
because they will not have IPv4 for every customer, so why not trying it
ourselves? Already happening in many cellular networks, like in US, which are
close to have 60% IPv6 traffic already.
You think 464xlat is what's going to happen in the future in most networks?
Mobile networks, yes, it's a primary transition mechanisms.
Wi-fi networks operated by ISPs or enterprises are more likely to use
NAT64, DS-Lite, or MAP, based on what I'm seeing people working on.
I disagree in several points:
1) 464XLAT is not only for cellular networks, just read the draft.
2) It has been implemented by some CPE vendors. It can be run in Virtual
Machines as well.
a. http://www.necat.co.jp/en/ipv6/index.html
b.
https://conference.apnic.net/__data/assets/pdf_file/0013/50701/34th_apnic_464xlat.pdf
3) I’ve tested it in several ISP network. Trials at the time being, but coming
into production.
4) NAT64 is WORST than 464XLAT. NAT64 doesn’t sort out the problems for apps
using literals. 464XLAT sort it out. Yes, NAT64 was developed first, but that’s
the reason 464XLAT was needed, because not everything was working in NAT64.
5) If you don’t trust 464XLAT, then you can’t trust in NAT64, because is just
an “incomplete” version of 464XLAT.
I agree with you that DS-Lite and MAP are other choices, comparable with
464XLAT. They will be a better test, for sure than just NAT64.
If you want something more lightweight than DS-Lite, probably will be better to
use lw4o6.
Just to make sure it has been understood: I’m not asking to implement anything
in the clients of our network. Nobody needs to install anything. We just need
to have a VM or a set of them if we don’t trust on the hardware performance, as
the “CPE router” of the IETF SSIDs that we want to run this. This VM need to
incorporate the CLAT client. Our network will behave as an enterprise network
which as only IPv6 native connectivity to Internet, and the ISP (in this case
our own network) will running the PLAT (NAT64/DNS64).
If you still want to try the NAT64 one more, you can have the NAT64 SSID, that
has been already tested in all the RIR meetings, etc. But this will not run any
apps that use literals, old APIs, etc.
My fear with 464xlat is that it's largely untested in environments like the
IETF. I would not support making it the default SSID. We've had a NAT64 SSID
for several years; it could be promoted to default, if we can demonstrate with
confidence that everyone can still get their work done.
⇒ NAT64 as default is not and option. It breaks everything using literals. We
want to have a good experience I guess, and be able to detect what will fail in
the future (logging CLAT and NAT64/DNS64 usage), not break the IETF network.
Lee
>
>Saludos,
>Jordi
>
>
>-----Mensaje original-----
>De: sunset4 <sunset4-boun...@ietf.org> en nombre de Philip Homburg
<pch-sunset...@u-1.phicoh.com>
>Responder a: <pch-sunset...@u-1.phicoh.com>
>Fecha: viernes, 7 de octubre de 2016, 12:04
>Para: <sunset4@ietf.org>
>CC: "Bjoern A. Zeeb" <bzeeb-li...@lists.zabbadoz.net>
>Asunto: Re: [sunset4] Sunset4 work
>
> In your letter dated Thu, 06 Oct 2016 23:28:32 +0000 you wrote:
> > Nastygram. So make the default IETF SSIDs IPv6-only or (+NAT64)
> > if you want. Then have the ietf-legacy network, which would give
> > you IPv4 and a portal page penalty that you have to state the nature
> > why you have to use this network and cant live on the default one.
> > Id be so curious to see what happens when people finally have to
> > start thinking about it.. and open internal tickets .. It was
> > great fun doing it 6-ish years ago, ..
>
> Personally, I consider offering NAT64 over wifi quite absurd. The
obvious
> way to provide access to legacy IPv4 is some form of NAT4. How it is
> transported over the rest of the network is upto the network operator.
But
> the obvious interface is RFC 894.
>
> So on networks that promote NAT64 (FOSDEM has this setup for quite a
number of
> years now) I just connect to the legacy network. Their legacy network
has
> perfectly fine IPv6, so I consider it way better than the NAT64 that
> 'everybody' likes to push.
>
> For the specific mobile weirdness, NAT64 make sense. But everywhere
else,
> requiring every device to have 464xlat to deal with IPv4 literals is
just
> bad engineering. If your backbone is IPv6-only, then the obvious
solution
> is to deal with this in CPEs, wifi access points, etc. Not to require
all
> hosts to know the details of your network.
>
>
> _______________________________________________
> sunset4 mailing list
> sunset4@ietf.org
> https://www.ietf.org/mailman/listinfo/sunset4
>
>
>
>
>
>**********************************************
>IPv4 is over
>Are you ready for the new Internet ?
>http://www.consulintel.es
>The IPv6 Company
>
>This electronic message contains information which may be privileged or
confidential. The information is intended to be for the use of the
individual(s) named above. If you are not the intended recipient be aware that
any disclosure, copying, distribution or use of the contents of this
information, including attached files, is prohibited.
>
>
>
>_______________________________________________
>sunset4 mailing list
>sunset4@ietf.org
>https://www.ietf.org/mailman/listinfo/sunset4
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company
This electronic message contains information which may be privileged or
confidential. The information is intended to be for the use of the
individual(s) named above. If you are not the intended recipient be aware that
any disclosure, copying, distribution or use of the contents of this
information, including attached files, is prohibited.
_______________________________________________
sunset4 mailing list
sunset4@ietf.org
https://www.ietf.org/mailman/listinfo/sunset4
NOTICE AND DISCLAIMER
This email contains BT information, which may be privileged or confidential.
It's meant only for the individual(s) or entity named above.
If you're not the intended recipient, note that disclosing, copying,
distributing or using this information is prohibited.
If you've received this email in error, please let me know immediately on the
email address above. Thank you.
We monitor our email system, and may record your emails.
EE Limited
Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9BW
Registered in England no: 02382161
EE Limited is a wholly owned subsidiary of:
British Telecommunications plc
Registered office: 81 Newgate Street London EC1A 7AJ
Registered in England no: 1800000
_______________________________________________
sunset4 mailing list
sunset4@ietf.org
https://www.ietf.org/mailman/listinfo/sunset4
