dougb at dougbarton.us
Tue Feb 12 19:33:22 CET 2013
On 02/12/2013 01:39 AM, Philipp Kern wrote:
| On Tue, Feb 12, 2013 at 12:38:27AM -0800, Doug Barton wrote:
|> Please demonstrate how these costs pertain to NPT. To the
|> application there shouldn't be any difference between operating in
|> an NPT environment and operating on GUAs. (This response also
|> applies to your comment about Skype.)
| Every protocol that embeds literal IPv6 addresses (similar to the
| situation with NAT64 and DNS64, except for v6) will break, unless it
| tries to "discover" its global IP address somehow. That's reasonably
| easy in the Skype world where there is central infrastructure.
Right, solved problem.
| BitTorrent, for instance, cannot reasonably do it.
Um, it already does it, quite nicely. I've run BitTorrent behind a
double-NAT and I'm still able to get incoming connections.
| So if you have one
| behind NPT and one behind a stateful firewall you cannot get your
| connections through.
The firewall issue would need a solution of course, but can we please
agree that anything related to the firewall is going to be the same
whether dealing with NPT or GUAs?
| Obviously it also breaks IPsec AH, but maybe ESP is good enough. RFC6296
| lists these considerations on page 6, as Brian already mentioned.
| Split DNS is also no fun for end-users who want to connect to multiple
| VPNs in a sane way, but I guess I'd just get ivory tower comments for
| raising that.
Nope, I think that's a legitimate issue, but IME it's the OS that
struggles with >1 VPN long before I start having to deal with routing
and/or DNS issues.
... and FWIW, as a DNS guy I hate, hate, hate split DNS. But it's
already sunk its filthy tendrils deep into the heart of the enterprise,
so having to deal with it in an NPT scenario is just another marginal cost.
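The mechanism the thread is arguing about, as an added example that is not part of this message or of any NPTv6 implementation: the RFC 6296 checksum-neutral prefix mapping for the /48 case, applied to an outbound packet, followed by the check that shows why a protocol which embeds its own literal address in the payload (the BitTorrent-style case Philipp raises) ends up advertising an address nobody outside can reach. The ULA prefix, the documentation prefix, the host address and the payload line are constructed for the example; the treatment of a 0xFFFF subnet word is this example's assumption, and prefixes longer than /48 are not handled.

```python
import ipaddress
import struct

# Constructed prefixes for the example: a ULA /48 inside, a documentation /48 outside.
INSIDE = ipaddress.IPv6Network("fd01:203:405::/48")
OUTSIDE = ipaddress.IPv6Network("2001:db8:1::/48")


def words(addr):
    """Split a 128-bit address into its eight 16-bit words, network order."""
    return list(struct.unpack("!8H", addr.packed))


def oc_add(a, b):
    """One's complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(ws):
    """One's complement sum of a sequence of 16-bit words."""
    total = 0
    for w in ws:
        total = oc_add(total, w)
    return total


def oc_sub(a, b):
    """One's complement subtraction: a + (not b)."""
    return oc_add(a, (~b) & 0xFFFF)


def checksum_class(addr):
    """One's complement sum of the address, with the two zeros (0x0000, 0xFFFF)
    folded together so that checksum-equivalent addresses compare equal."""
    s = oc_sum(words(addr))
    return 0 if s == 0xFFFF else s


def npt_translate(addr, src_prefix, dst_prefix):
    """RFC 6296 section 3.1 mapping for /48 prefixes: swap the prefix and fold the
    difference of the two prefix sums into the subnet word (bits 48..63) so the
    address keeps the same one's complement sum. Transport checksums that cover
    the pseudo-header therefore need no rewrite."""
    if src_prefix.prefixlen != 48 or dst_prefix.prefixlen != 48:
        raise ValueError("this example implements only the /48 case of RFC 6296")
    if addr not in src_prefix:
        raise ValueError("%s is not inside %s" % (addr, src_prefix))
    w = words(addr)
    if w[3] == 0xFFFF:
        # Assumed handling for this example: a subnet word of 0xFFFF is refused.
        raise ValueError("subnet word 0xFFFF is not translated in this example")
    src_sum = oc_sum(words(src_prefix.network_address)[:3])
    dst_sum = oc_sum(words(dst_prefix.network_address)[:3])
    new_subnet = oc_add(w[3], oc_sub(src_sum, dst_sum))
    if new_subnet == 0xFFFF:
        new_subnet = 0x0000  # both are one's complement zero, so the sum is unchanged
    w[:3] = words(dst_prefix.network_address)[:3]
    w[3] = new_subnet
    return ipaddress.IPv6Address(struct.pack("!8H", *w))


def egress(packet):
    """Model the NPTv6 box on the outbound path: only the IP source header is
    rewritten. The payload is opaque to the translator and left untouched."""
    out = dict(packet)
    out["src"] = str(npt_translate(ipaddress.IPv6Address(packet["src"]), INSIDE, OUTSIDE))
    return out


def advertises_unreachable_address(packet):
    """True when the payload advertises a literal address that differs from the
    header source, i.e. the peer would be told to connect somewhere it cannot reach.
    The payload format 'peer=[addr]:port' is constructed for this example."""
    literal = packet["payload"].split("[", 1)[1].split("]", 1)[0]
    return literal != packet["src"]


if __name__ == "__main__":
    host = "fd01:203:405:1::10"  # constructed inside host
    pkt = {"src": host, "payload": "peer=[%s]:6881" % host}
    out = egress(pkt)
    print("header src:", out["src"])
    print("payload   :", out["payload"])
    print("advertised address unreachable from outside:", advertises_unreachable_address(out))
```

The checksum-neutral property is what lets the translator ignore TCP and UDP checksums; it does nothing for addresses carried inside the payload, which is the class of protocol the thread disagrees about. A peer that instead learns its outside address from central infrastructure (the Skype case) or from what other peers report seeing would advertise the translated address and avoid this mismatch.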