[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IPv6 adoption behavior


Benny Amorsen wrote:

> On 2003-10-21 at 14:15, Todd T. Fries wrote:
> > I'm sorry to reply late to this, but I can't help but realize that
> > NAT+IPv4 vs IPv6+firewall can be equivalent in `isolation'.  Simply
> > `block in all' and `pass out on $ext_if keep state' (in the pf terms of
> > OpenBSD) and in two rules you have the same isolation of a NAT+IPv4 as
> > you do with IPv6+firewall.
> Imagine that two internal hosts are communicating in your 
> scenario. They have a TCP connection running for weeks.
> Then the outside connection to
> the Internet breaks and is brought back up, but assigned a different
> address. In the IPv4+NAT case hosts that only contact other 
> hosts on the internal network do not notice the failure at all.
> In the IPv6+firewall case the new addresses are provided to the
> hosts and eventually the old
> addresses time out -- and the internal TCP connection breaks. Ouch.

As long as the IP addresses are not deconfigured this is no problem
The "old" IP addresses are deprecated for use, 'old' connections
stay up, but the new IP is used for new connections. Note that
ofcourse you will need to update DNS and such.

Last week I saw a good example of this. In May 2003 we transitioned
the Concepts POP from to RIPE addresses by allowing both the old
and new prefix to be used until June 1st after which we reconfigged
the ingress filter, allowing only the delegated RIPE space and
dropping and logging the rest. Even upto last month connections
where seen coming from the 6bone space from one person who still
had machines running which where not reconfigured and thus still
used the old prefix in his local setup.

I think IPv6 works perfectly well in cases like these ;)

Neeeeeeexxxt reason why NAT is so good..... which it really
isn't. It indeed has some advantages but most problems outweigh
those with ease.


Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/


IETF IPv6 working group mailing list
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6