On 7/30/2014 10:39 AM, Sandy Harris wrote:
> Joe Touch <to...@isi.edu> wrote:
>
>> I raised this issue during the meeting, notably that we need to decide to
>> what extent we will support middlebox participation.
>> It's clear we need to support simple NATs....
>
> To what extent, if any, does IPv6 change this?
> Can we drop the NAT support requirement since with the larger
> address space NAT becomes unnecessary?

No. At a minimum, NATs will continue to be deployed as a substitute for
proper firewall security.

> If not, which of
> the four translations -- 4-to-4, 4-to-6, 6-to-4, 6-to-6 -- should be
> supported? Or is that irrelevant since we are at a higher level?

We ought to deal with either TCP in IPv4 or TCP in IPv6, where the IP
portion is only the pseudoheader fields. IMO, we should not attempt to
deal with further layers of encapsulation or their effects.

> My understanding is that v6 requires IPsec on every node.

The spec did, but that never happened.

> Can we use that? How?

IPsec as required supported pre-deployed shared secrets or required
certificates. We'd have to use BTNS-mode IPsec (that ignores the need
for either), but then we have the IPsec NAT traversal issue.

Joe
_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc