On Thu, 24 Jul 2008, Iljitsch van Beijnum wrote:
> last IETF meeting, there was a NAT-PT translator present. So I could browse
> the web, connect to Jabber, send/receive email etc even though the servers
> didn't have IPv6 addresses.
> ...
> On the other hand, this can also be accomplished with an arbitrary prefix if
> the host knows the prefix and intercepts API calls that would normally
> generate IPv4 packets but turn those into IPv6 packets towards the translator
> if there is no IPv4 connectivity.
Exactly! As you demonstrated, host stacks need to be modified no
matter what.
If you choose a prefix that is supposed to be "well known" (used by
all implementations), you could overload the existing use of mapped
addresses, or choose something else altogether. Given that you can't
depend on the existing behaviour of mapped addresses anyway, if you go
this "fixed address block" route, the least astonishing failure modes
could be achieved with a new special prefix.
Now, as you say, the node could also signal the prefix somehow. As
Julien Laganier wrote, these kinds of deployments (with faithd, totd,
etc.) have already been used for a long time. As the prefix is
dependent on the network, there are no source spoofing, routing table
pollution, etc. problems.
If you don't signal anything, the result is that you spew out packets
with the mapped addresses with the assumption that there is going to
be a translator somewhere along the path that's going to do something
to them. Otherwise they end up transiting enterprise and backbone
networks and potentially arriving at the destination which does
something unexpected with that, e.g. discard them or end up waiting in
SYN-RECEIVED state. IMO, it seems better to not send packets out
unless you know they are going to be useful for someone.
What seems to be missing is a good way to signal the prefix and some
modifications to API calls. As demonstrated, stack modifications are
already needed (at least in API handling), so why not do it all the
way?
>> As a source address, if the node(s) on link are also provided with real
>> IPv6 addresses, this would be indistinguishable from source address
>> spoofing.
> Only translators would transmit packets with v4mapped source addresses, so
> this isn't much of an issue.
(I thought the mapped addresses would have been used between a host
and a translator -- or, if there doesn't happen to be a translator, the
packets would end up in the destination network. But maybe not..)
So we're required to trust that anyone running a translator in the
Internet is an honest netizen?
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
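The two failure modes discussed in the thread, v4-mapped packets leaking past the host/translator hop when no prefix was signalled, and translator-prefix source addresses that are indistinguishable from spoofing unless you know which interface the translator sits behind, as a border flow classifier. This is an added example, not code from the thread or from any of the tools named in it; the translator prefix, the interface names and the flow records are constructed values.

```python
import ipaddress

# Constructed example values (IPv6 documentation range), not from the thread:
# the translator prefix this site learned from its network, and the
# border interface(s) behind which the site's own translators sit.
SIGNALLED_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")
TRANSLATOR_IFACES = {"xlat0"}
# The IPv4-mapped block that should never appear on the wire between sites.
V4MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")


def embedded_ipv4(addr):
    """IPv4 address carried in the low 32 bits of a /96-embedded IPv6 address."""
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def classify_flow(ingress_if, src, dst):
    """Return (verdict, detail) for one IPv6 flow seen at the site border.

    'drop'      - a v4-mapped address on the wire: nothing downstream was told
                  to translate it, so it only pollutes the path or leaves the
                  peer hanging (e.g. in SYN-RECEIVED)
    'spoof'     - a source inside the signalled translator prefix that did not
                  arrive from a translator interface
    'translate' - destination inside the signalled prefix, i.e. meant for our
                  translator; detail is the embedded IPv4 address
    'ok'        - plain IPv6
    """
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address(dst)
    if src in V4MAPPED or dst in V4MAPPED:
        return ("drop", "v4-mapped address outside the host/translator hop")
    if src in SIGNALLED_PREFIX and ingress_if not in TRANSLATOR_IFACES:
        return ("spoof", f"{src} from {ingress_if} claims {embedded_ipv4(src)}")
    if dst in SIGNALLED_PREFIX:
        return ("translate", str(embedded_ipv4(dst)))
    return ("ok", "")


if __name__ == "__main__":
    # Constructed flow records: (ingress interface, source, destination).
    flows = [
        ("lan0", "2001:db8:1::10", "::ffff:192.0.2.1"),
        ("lan0", "2001:db8:1::10", "2001:db8:64::c000:201"),
        ("lan0", "2001:db8:64::c000:201", "2001:db8:1::10"),
        ("xlat0", "2001:db8:64::c000:201", "2001:db8:1::10"),
    ]
    for rec in flows:
        print(rec, "->", classify_flow(*rec))
```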
_______________________________________________
Int-area mailing list
https://www.ietf.org/mailman/listinfo/int-area