multiple prefixes

Doug Barton dougb at dougbarton.us
Tue Feb 12 19:33:22 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/12/2013 01:39 AM, Philipp Kern wrote:
| On Tue, Feb 12, 2013 at 12:38:27AM -0800, Doug Barton wrote:
|> Please demonstrate how these costs pertain to NPT. To the
|> application there shouldn't be any difference between operating in
|> an NPT environment than operating on GUAs. (This response also
|> applies to your comment about skype.)
|
| Every protocol that embeds literal IPv6 addresses (similar to the
| situation with NAT64 and DNS64, except for v6) will break, unless it
| tries to "discover" its global IP address somehow. That's reasonably
| easy in the Skype world where there is central infrastructure.

Right, solved problem.

| BitTorrent, for instance, cannot reasonably do it.

Um, it already does it, quite nicely. I've run bittorrent behind a
double-NAT and I'm still able to get incoming connections.

| So if you have one
| behind NPT and one behind a stateful firewall you cannot get your
| connections through.

The firewall issue would need a solution of course, but can we please
agree that anything related to the firewall is going to be the same
whether dealing with NPT or GUAs?

| Obviously it also breaks IPsec AH, but maybe ESP is good enough. RFC6296
| lists these considerations on page 6, as Brian already mentioned.

Fair point.

| Split DNS is also no fun for end-users who want to connect to multiple
| VPNs in a sane way, but I guess I'd just get ivory tower comments for
| raising that.

Nope, I think that's a legitimate issue, but IME it's the OS that
struggles with >1 VPN long before I start having to deal with routing
and/or DNS issues.

... and FWIW, as a DNS guy I hate, hate, hate split DNS. But it's
already sunk its filthy tendrils deep into the heart of the enterprise,
so having to deal with it in an NPT scenario is just another marginal cost.

Doug

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iQEbBAEBCAAGBQJRGoryAAoJEFzGhvEaGryEMfEH+PLVurnbptcMESjL+zOuvnhF
CehfkSosba5FJZpRQ6Mitaf7qKXgVZ9eYyg7F+uQxPGLD/WmzRZAYOPHR/b0C5lK
5SIkVm8Nppb7GsFalRG0yefJVYF22YabyzTgUo3jSoWi+xwkymV9AdP3kaUjJgcy
9ca6cF+vAS1dxHICMJIbXQW5AzF3/xpu0xVk+neW0goaRYhY0X8TlLlkILYSwLYj
NV/W9Xl/ajVgE+SrBzDj5d6hxdj47gJ1bokH+T7j5Pz/PRWuxxk/RRL3MZwNQp0t
KB/IZaYk4aQ97dB9VxrGcTARmO4s54I4E9vxe87VK4gAPPKqfpoECJJRvy2jAg==
=priJ
-----END PGP SIGNATURE-----



More information about the ipv6-ops mailing list