North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)

  • From: Iljitsch van Beijnum
  • Date: Wed Oct 03 04:03:02 2007

On 2-okt-2007, at 15:56, Stephen Sprunk wrote:

Second, the ALGs will have to be (re)written anyways to deal with IPv6 stateful firewalls, whether or not NAT-PT happens.

That's one solution. I like the hole punching better because it's more general purpose and better adheres to the principle of least astonishment.

That's the purpose of an ALG. Requiring users to modify their home router config or put in a change request with their IT department for a firewall exception is a non-starter if you want your app to be accepted.

Hence uPnP and NAT-PMP plus about half a dozen protocols the IETF is working on.

Huh? They both do, that's the point. (Although the former doesn't work for everything and the latter removes the "IPv6-only" status from the host if not from the network it connects to.)

The former only handles outbound TCP traffic, which works through pure NAT boxes as it is.

BitTorrent is TCP, but it sure doesn't like NAT because it gets in the way of incoming sessions.

The latter "solution" ignores the problem space by telling people to not be v4-only anymore.

Decoding IPv4 packets on a host is trivial, they already have all the necessary code on board. It's building an IPv4 network that's a burden.

Could you please explain what problems you see with the
proxy/tunnel approach and why you think NAT-PT doesn't have
these problems?

NAT-PT works for more apps/protocols.

Disagree. Tunneling gives you actual IPv4 so obviously that will always be better than translation.

One of the problems with a proxy is that you have to configure hosts to use it, and all traffic flows through it whether it's needed or not. Obviously we could make the clients smarter, but then you're back to the decade problem. It's too late for that.

Automatic proxy configuration already exists. I agree that having IPv6 traffic go through a proxy is unnecessary but that can be fixed.

And there's no such thing as "too late" (if there were, the IETF would have been out of business long ago): problems stick around until you fix them.

There is a difference between the networks and the hosts.
Upgrading networks to dual stack isn't that hard, because it's
built of only a limited number of different devices.

*giggle* You mean like the 90% of hosts that will be running Vista (which has v6 enabled by default) within a couple years? Or the other 10% of hosts that have had v6 enabled for years?

The problem isn't the hosts. It isn't even really the core network. It's all the middleboxes between the two that are v4-only and come from dozens of different clue-impaired vendors.

You forget that the majority of applications need to be changed to work over IPv6. If I turn off IPv4 on my Mac and use some magic to go from v6 to v4, I can get to the web and do stuff like ssh and ftp, but most other applications don't work because they don't support IPv6 yet.

On 2-okt-2007, at 16:10, Stephen Sprunk wrote:

You just open up a hole in the firewall where appropriate.

You obviously have no experience working in security.

Who wants those headaches?

You can't trust the OS (Microsoft? hah!), you can't trust the application (malware), and you sure as heck can't trust the user (industrial espionage and/or social engineering). The only way that address-embedding protocols can work through a firewall, whether it's doing NAT or not, is to use an ALG.

You assume a model where some trusted party is in charge of a firewall that separates an untrustworthy outside and an untrustworthy inside. This isn't exactly the trust model for most consumer networks.

Also, why would you be able to trust what's inside the control protocol that the ALG looks at any better than anything else?

The defense and healthcare industries will force vendors to write those ALGs (actually, make minor changes to existing ones) if they care about the protocols in question because they have no choice -- security is the law.

Seems to work well, that law.

But these people don't complain when their video streaming/chatting doesn't work out of the box. These are highly specialized setups that are really beyond what general purpose hard- and software can be expected to cope with.

Even for home users, most have zero clue how to "open a hole" in their home firewall.

Repeat after me: uPnP, NAT-PMP.