On Oct 28, 2010, at 5:46 PM, Margaret Wasserman wrote:
>
> On Oct 28, 2010, at 3:50 PM, james woodyatt wrote:
>>
>> If so, then I-D.mrw-nat66 cannot help you; it offers no privacy addressing.
>> So, right now, it sounds like there isn't a publicly defined way to solve
>> the problem you're here to discuss without using a stateful IPv6/NAT, which
>> does well-understood harm to the Internet architecture and the Internet
>> community beyond the domain of enterprises that use it.
>
> NAT66 doesn't interfere in any way with the use of IPv6 privacy addresses.
I'm pretty sure that much of this conversation isn't about what we wrote in
that draft. I question how many have actually read it.
Guys - the difference between a network with NAT66 and a network without it is this:
Without NAT66
- the transit core somehow knows the edge network's addresses. That could be PA or PI. If it is PI, the transit core has a route for the PI prefix.
- a device in the edge network is reachable from the transit core absent a firewall rule
- a device in the edge network knows one or more global addresses for itself. These are the same addresses that the transit core knows.
- the edge network addresses conform to RFC 4291, and may be assigned using SLAAC (ND or SEND) or DHCPv6, and may be privacy addresses. In addition, there may be ULAs or link-local addresses.
With NAT66
- the transit core knows the PA prefix it uses for the edge network
- a device in the edge network is reachable from the transit core absent a firewall rule
- a device in the edge network knows one or more local addresses for itself. These are different than the addresses that the transit core knows.
- the edge network addresses conform to RFC 4291, and may be assigned using SLAAC (ND or SEND) or DHCPv6, and may be privacy addresses. If I were king, they would be ULAs, but that is not required. In addition, there may be other ULAs or link-local addresses.
As Keith points out, to maintain Dynamic DNS AAAA records, the device has to be
able to determine its own external addresses. If a static DNS configuration is
maintained and privacy addresses do not periodically change (which kind of
calls for Dynamic DNS), the DNS service can be maintained centrally without the
collusion of the addressed systems.
IMHO, which Keith disagrees with, any other system including a system that
writes the HTML/etc file containing a referral can find the addresses of any
system in the network in DNS. That's DNS's job. I'll accept that one may want
to do that periodically rather than on every access.
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
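The prefix rewrite that the two lists above contrast, as an added example that is not from the thread, the draft or any translator implementation: a Python model of the checksum-neutral /48 prefix translation of I-D.mrw-nat66 (later RFC 6296). The ULA prefix, PA prefix and host address are constructed; only the prefix and the subnet word (bits 48-63) change, so the interface identifier, privacy-generated or otherwise, passes through untouched, while the address the device knows differs from the one the transit core sees.

```python
import ipaddress

def _ones_sum(words):
    """One's complement sum of 16-bit words (end-around carry)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def checksum_neutral(addr_a, addr_b):
    """True if both addresses contribute the same one's complement sum to a
    transport checksum (0x0000 and 0xFFFF are the same value there)."""
    sa, sb = _ones_sum(_words(addr_a)), _ones_sum(_words(addr_b))
    return sa == sb or {sa, sb} == {0x0000, 0xFFFF}

def translate_prefix(addr, src_prefix, dst_prefix):
    """Rewrite the /48 prefix of addr from src_prefix to dst_prefix, adjusting
    only the subnet word (bits 48-63) so the address's contribution to
    TCP/UDP/ICMPv6 checksums is unchanged. The interface identifier
    (bits 64-127) is never touched. This example handles /48 prefixes only."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError(f"{addr} is not inside {src_prefix}")
    words = _words(addr)
    target = _ones_sum(words)                 # sum the translated address must keep
    new = _words(dst.network_address)[:3] + words[3:]
    others = _ones_sum(new[:3] + new[4:])     # every word except the subnet word
    # subnet word = target - others in one's complement arithmetic (x - y == x + ~y)
    new[3] = _ones_sum([target, (~others) & 0xFFFF])
    if new[3] == 0xFFFF:                      # equivalent to 0x0000; normalise
        new[3] = 0x0000
    out = 0
    for w in new:
        out = (out << 16) | w
    return str(ipaddress.IPv6Address(out))

if __name__ == "__main__":
    # Constructed: a ULA-numbered host behind a translator with a PA /48 outside.
    inside = "fd01:203:405:1:1234:5678:9abc:def0"
    outside = translate_prefix(inside, "fd01:203:405::/48", "2001:db8:1::/48")
    print(inside, "->", outside, "checksum-neutral:", checksum_neutral(inside, outside))
```

Because the mapping is algorithmic and stateless, a host that learns both prefixes can compute the external address it must publish in a AAAA record, which is the determination Keith's Dynamic DNS point requires.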