Re: [6bed4-devel] Comments and thoughts on bed64 (NAT and IPv6)
From: <ebi...@xm...> - 2012-07-23 07:03:32
Rick van Rein <ri...@op...> writes:

>> Reading through RFC 5245 Interactive Connectivity Establishment I came
>> across a nasty observation.
>>
>> In some NATs you can not create a new hole faster than once every 20ms.
>>
>> Which makes NAT holepunching something that has to be done a lot more
>> carefully than I would have guessed.
>
> I am *so* done with NAT and IPv4...

I can understand the feeling.

I want to point out some specific things to take into consideration for
future designs.

RFC6296 IPv6 to IPv6 Network Prefix Translation. All that changes is
one IPv6 address in the IPv6 header.

RFC6204 Basic Requirements for IPv6 Customer Edge Routers. This
recommends following RFC6092 for packet filtering and it recommends
deploying RFC4193 Unique Local addresses. The birthday paradox suggests
that once there are above 1 million (10^6) users using ULAs there will
be duplicate ULA prefixes.

RFC6092 IPv6 CPE Simple Security. This recommends using at least
address independent filtering, and possibly address dependent filtering
for IPv6 flows.

Which means that many of the same challenges that existed in IPv4 will
exist in a fully deployed IPv6.

Where IPv6 improves upon the current situation is that there is no need
for address sharing, and as such there is no excuse for implementing
endpoint dependent translation. Without endpoint dependent translation
(the EVIL of symmetric NATs) peer to peer communication will always be
possible.

Eric