Hi Mark, In my mail, you misunderstood if you thought I was simply suggesting xlat. Rather I was contrasting two "families" of tech that either provide IPv6-only or some type of dualstack, as some first decision point. Nevertheless you are right, in any solution the technology does matter. Your comments suggest that you have concerns that something more than IPv6-only + NAT64 is required? Nick
-----Original Message----- From: Mark Andrews [mailto:ma...@isc.org] Sent: 17 October 2016 20:50 To: Heatley, Nick Cc: jordi.pa...@consulintel.es; sunset4@ietf.org Subject: Re: [sunset4] Sunset4 work In message <6536e263028723489ccd5b6821d4b2132c3b8...@uk30s005exs06.eead.eeint.co.uk>, "Heatley, Nick" writes: > A thought provoking discussion. > I don't think the specific transition technology matters so much as > the "family" it falls into. Actually the specific transition technology does matter. It impacts on what works and what doesn't in the IPv6 connected dual stack island. Can the client get a "listening" port to accept externally originating traffic? Games need to be able to get listening ports. Does the transition technology break DNSSEC? Do the nodes support it especially when the local net is ipv6-only. Just because the phones went 464xlat doesn't mean that it is the right fit for the home or office. Mark > What matters is whether IETF wishes to showcase IPv6-only down to the > customer client devices (and then to harvest the expected client > issues, IPsec failing?), or whether it wishes to showcase "local > dualstack on the small-stub-network, with an IPv6-only provider > connection" to show how small-stub-networks could be connected in the future. > > Let me explain (longer answer). > In a number of years' time, as providers run out of IPv4 publics, edge > "networks" will be brought on with only global IPv6 addressing > available as the persistent identifier for connected endpoints. (I am > assuming in > Sunset4 we can agree on that). > But what addressing is within the edge network? > 1. For large edge networks where private addressing numbers are not > sufficient to meet the number of connected devices, they will need to > go IPv6-only, as we have seen with large mobile operators, and learnt > with Microsoft Enterprise, Facebook etc. These networks all say > private IPv4 addressing is not sufficient. > 2. For smaller enterprise edge networks then they may well be sitting > and waiting, or following the above, time will tell. > 3. For "small-stub-networks" (SSN), where the number of connected > devices is manageable then clearly IPv4 private addressing is > sufficient. Public Wifi access being a perfect example of SSN, or any > model using a consumer CPE I suppose. So this is the question for sunset4: > (A) Do we wish to advocate IPv6-only in this SSN scenario? in which > case all current and future client issues must be resolved (IPv4 > literals) such that the clients work in the absence of an IPv4 > address? This case is typified by NAT64/DNS64, other transition mechanisms > are available. > (B) Do we wish to advocate dualstack networking to the client in this > SSN scenario? Avoid client issues by providing them with a GUA and a > IPv4 private? In which case the transition technology (held within the > CPE) needs to enable dualstack on the access side but on the provider > side, cope with only an IPv6-only provider connection. 464xlat in the > CPE (like 464xlat based tethering from a cellular handset) is an > example of a transition technology in this family, others are available. > > Both of these SSN approaches assume that within the core of the > internet their remains the legacy IPv4-only content, which seems valid > for "consumer electronics networking" in general. > They differ on how we expect consumer electronics networking to evolve > (or how we *want* it to evolve). We could advocate both for sure, but > not sure if that helps move sunset4 forward! > > My opinion, take it or leave it, is that pragmatically, a SSN vision > based on (B) is less problematic. It is less dependent on moving a > whole collection of Consumer Electronics away from today's deficient > state, because (A) essential demands they work in absence of IPv4. > This requires concerted effort to remove the "IPv6-only" mode bugs that we > know exist. > The biggest problem with (A) is that you cannot make the network model > the compulsory model, until the majority of Consumer Electronics is > fully ready, which creates another network provider chicken-egg > problem. You can do OS by OS (something that a popular smartphone and > PC vendor is attempting with IPv6-only, NAT64) but network providers > don't wish to create individual network paradigms for each OS. > > Then we look back at 2., above. Enterprises moving to IPv6-only - do > we have some need and obligation within Sunset4 to push (A) to avoid > Enterprises being trapped in an IPv4 world? To leave dualstack in one > part of the edge (SSN) - does it undermine the benefits we are telling > enterprises on IPv6-only e.g. removal of dual address complexity. > Personally I believe this is only really an issue in practice where > the enterprise is so large that the 20M private addresses are not > sufficient for their organisation - and I think such enterprises are > big enough to progress this issue themselves if they wish IPv6-only to work > for them. > But if (A) is consensus then Sunset4 should start to define the client > requirements for absence of IPv4 in a SSN. And unlike provider > networks, enterprise networks own and manage the end to end network > use case themselves. > > The other concern for me about (A) is that I have already > oversimplified devices as "consumer electronics" as though they only > fall into the hands of consumers in consumer usecases. > One of the big issues I foresee with the IPv6-only approach of certain > OS > vendor(s) is that something like a smartphone can be an end device > with its network interface servicing "on board Apps" (typical mobile > connectivity), but it can also be a network gateway when used for > tethering or "internet sharing". The end device (the device tethered > on the end of the wifi link) may actually be in an enterprise use case > ("VPN into an office network" for example). By making the SSN > IPv6-only we may risk placing requirements on the enterprise network > (i.e. outside-in connectivity like the VPN concentrator, may need > certain functionality to terminate an IPv6 IPsec VPN etc.). We may > need the requirements for (A) not just be about end devices but also > coordinating requirements for various gateways in enterprise networks? > If you believe that, it is another serious chicken-egg problem; do we > need enterprise networks upgraded before we can move to a solution for > SSNs? (See the IPsec comments in > https://tools.ietf.org/html/rfc7269#section-6.1 but in the general > case IPsec VPN is a fail, right?) I am very much in favour of the > family of transition technologies that enable (B). > > SO I inferred a definition of the term SSN to suit my needs in this mail. > What is really boils down to is that edge networks need some sort of > CPE or Gateway to the provider network. Do we want that CPE to provide > dualstack locally or IPv6-only when the provider addresses run out. > Back to the IETF SSID, what SSN vision do you wish to showcase? (I'd > prefer a choice for long term rather than "for next meeting" and I'd > go for something like Jordi's 464xlat in the CPE! Choose wisely :-) If > an IPv6-only SSID is just to showcase IPsec VPNs still failing, it is > a bit of a waste of people's time). > Regards, > Nick > > > > > > -----Original Message----- > From: sunset4 mailto:sunset4-boun...@ietf.org On Behalf Of JORDI PALET > MARTINEZ > Sent: 07 October 2016 21:02 > To: > Subject: Re: sunset4 Sunset4 work > > On 10/7/16, 6:27 AM, "sunset4 on behalf of JORDI PALET MARTINEZ" > <sunset4-boun...@ietf.org on behalf of jordi.pa...@consulintel.es> wrote: > > >This is what Im proposing. May be I miss explained it. > > > >NOT asking EVERY device in our network to HAVE 464XLAT client > (CLAT), but having ONLY our CPE to have it. > > > >Nodes will not notice anything. > > > >This is what is going to happen in the future in most of the > networks because they will not have IPv4 for every customer, so why > not trying it ourselves? Already happening in many cellular networks, > like in US, which are close to have 60% IPv6 traffic already. > > You think 464xlat is what's going to happen in the future in most > networks? > Mobile networks, yes, it's a primary transition mechanisms. > Wi-fi networks operated by ISPs or enterprises are more likely to > use NAT64, DS-Lite, or MAP, based on what I'm seeing people working on. > > I disagree in several points: > 1) 464XLAT is not only for cellular networks, just read the draft. > 2) It has been implemented by some CPE vendors. It can be run in > Virtual Machines as well. > a. http://www.necat.co.jp/en/ipv6/index.html > b. > https://conference.apnic.net/__data/assets/pdf_file/0013/50701/34th_ap > nic_ > 464xlat.pdf > 3) Ive tested it in several ISP network. Trials at the time being, but > coming into production. > 4) NAT64 is WORST than 464XLAT. NAT64 doesnt sort out the problems for > apps using literals. 464XLAT sort it out. Yes, NAT64 was developed > first, but thats the reason 464XLAT was needed, because not everything > was working in NAT64. > 5) If you dont trust 464XLAT, then you cant trust in NAT64, because is > just an incomplete version of 464XLAT. > > I agree with you that DS-Lite and MAP are other choices, comparable > with 464XLAT. They will be a better test, for sure than just NAT64. > > If you want something more lightweight than DS-Lite, probably will be > better to use lw4o6. > > Just to make sure it has been understood: Im not asking to implement > anything in the clients of our network. Nobody needs to install anything. > We just need to have a VM or a set of them if we dont trust on the > hardware performance, as the CPE router of the IETF SSIDs that we want > to run this. This VM need to incorporate the CLAT client. Our network > will behave as an enterprise network which as only IPv6 native > connectivity to Internet, and the ISP (in this case our own network) > will running the PLAT (NAT64/DNS64). > > If you still want to try the NAT64 one more, you can have the NAT64 > SSID, that has been already tested in all the RIR meetings, etc. But > this will not run any apps that use literals, old APIs, etc. > > My fear with 464xlat is that it's largely untested in environments > like the IETF. I would not support making it the default SSID. We've > had a NAT64 SSID for several years; it could be promoted to default, > if we can demonstrate with confidence that everyone can still get > their work done. > > NAT64 as default is not and option. It breaks everything using literals. > We want to have a good experience I guess, and be able to detect what > will fail in the future (logging CLAT and NAT64/DNS64 usage), not > break the IETF network. > > Lee > > > > >Saludos, > >Jordi > > > > > >-----Mensaje original----- > >De: sunset4 <sunset4-boun...@ietf.org> en nombre de Philip > Homburg <pch-sunset...@u-1.phicoh.com> > >Responder a: <pch-sunset...@u-1.phicoh.com> > >Fecha: viernes, 7 de octubre de 2016, 12:04 > >Para: <sunset4@ietf.org> > >CC: "Bjoern A. Zeeb" <bzeeb-li...@lists.zabbadoz.net> > >Asunto: Re: sunset4 Sunset4 work > > > > In your letter dated Thu, 06 Oct 2016 23:28:32 +0000 you wrote: > > > Nastygram. So make the default IETF SSIDs IPv6-only or > (+NAT64) > > > if you want. Then have the ietf-legacy network, which would > give > > > you IPv4 and a portal page penalty that you have to state the > nature > > > why you have to use this network and cant live on the default > one. > > > Id be so curious to see what happens when people finally have > to > > > start thinking about it.. and open internal tickets .. It was > > > great fun doing it 6-ish years ago, .. > > > > Personally, I consider offering NAT64 over wifi quite absurd. > The obvious > > way to provide access to legacy IPv4 is some form of NAT4. How > it is > > transported over the rest of the network is upto the network > operator. But > > the obvious interface is RFC 894. > > > > So on networks that promote NAT64 (FOSDEM has this setup for > quite a number of > > years now) I just connect to the legacy network. Their legacy > network has > > perfectly fine IPv6, so I consider it way better than the NAT64 > that > > 'everybody' likes to push. > > > > For the specific mobile weirdness, NAT64 make sense. But > everywhere else, > > requiring every device to have 464xlat to deal with IPv4 > literals is just > > bad engineering. If your backbone is IPv6-only, then the obvious > solution > > is to deal with this in CPEs, wifi access points, etc. Not to > require all > > hosts to know the details of your network. > > > > > > _______________________________________________ > > sunset4 mailing list > > sunset4@ietf.org > > https://www.ietf.org/mailman/listinfo/sunset4 > > > > > > > > > > > >********************************************** > >IPv4 is over > >Are you ready for the new Internet ? > >http://www.consulintel.es > >The IPv6 Company > > > >This electronic message contains information which may be > privileged or confidential. The information is intended to be for the > use of the > individual(s) named above. If you are not the intended recipient be > aware that any disclosure, copying, distribution or use of the > contents of this information, including attached files, is prohibited. > > > > > > > >_______________________________________________ > >sunset4 mailing list > >sunset4@ietf.org > >https://www.ietf.org/mailman/listinfo/sunset4 > > > > > > > ********************************************** > IPv4 is over > Are you ready for the new Internet ? > http://www.consulintel.es > The IPv6 Company > > This electronic message contains information which may be privileged > or confidential. The information is intended to be for the use of the > individual(s) named above. If you are not the intended recipient be > aware that any disclosure, copying, distribution or use of the > contents of this information, including attached files, is prohibited. > > > > _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4 > > NOTICE AND DISCLAIMER > This email contains BT information, which may be privileged or > confidential. It's meant only for the individual(s) or entity named > above. > If you're not the intended recipient, note that disclosing, copying, > distributing or using this information is prohibited. > If you've received this email in error, please let me know immediately > on the email address above. Thank you. > > We monitor our email system, and may record your emails. > > EE Limited > Registered office:Trident Place, Mosquito Way, Hatfield, > Hertfordshire, > AL10 9BW > Registered in England no: 02382161 > > EE Limited is a wholly owned subsidiary of: > > British Telecommunications plc > Registered office: 81 Newgate Street London EC1A 7AJ Registered in > England no: 1800000 _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org NOTICE AND DISCLAIMER This email contains BT information, which may be privileged or confidential. It's meant only for the individual(s) or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails. EE Limited Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9BW Registered in England no: 02382161 EE Limited is a wholly owned subsidiary of: British Telecommunications plc Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000 _______________________________________________ sunset4 mailing list sunset4@ietf.org https://www.ietf.org/mailman/listinfo/sunset4
