[ppml] [address-policy-wg] Re: article about IPv6 vs firewalls vs NAT in arstechnica (seen on slashdot)
Iljitsch van Beijnum iljitsch at muada.com
Tue May 22 20:51:39 CEST 2007
On 22-May-2007, at 17:41, Randy Bush wrote:

>> 4 years from now, there will be an active IPv4 address space market,
>> whatever about ipv6.

> bingo! ...and that will be the fastest way to kill the remaining v4 space.

Triple word value!

> what amazes me is the lack of real work on the problem that a jillion
> v6-only sites can not connect to the internet in a useful scalable
> way.

Interconnection between IPv6 clients and IPv4 servers can work very well, and it can be done at three layers:

- application
- transport
- network

At the application layer we have proxies. The problem is that applications need to be aware of them and you need different proxies for different applications. However, pretty much any client-to-server TCP application can make use of the CONNECT method created for HTTPS proxying without the proxy having to be aware of the application protocol.

At the transport layer you can have a TCP relay with a DNS ALG, which serves the same function as a CONNECT proxy but without the app having to know about it. Not widely implemented, though.

And for the network layer the IETF defined NAT-PT (network address translation - protocol translation), which translates between IPv6 and IPv4 and performs IPv4 NAT. Haven't tested this myself due to lack of implementations I could get my hands on, and then the IETF decided this wasn't a good idea after all, so NAT-PT is either already gone or on the way out.

So the good news is that it's fairly trivial to support IPv6-only clients if you have a dual stack proxy and mail server. This takes care of HTTP (90% of all apps right there), HTTPS, mail and basic IM functionality.

There are two flavors of peer-to-peer. The first one is towards specific peers, such as with VoIP, so you either need to wait for everyone to have IPv6 or have application-specific proxies. The second type is towards any reasonable subset of a lot of peers, such as BitTorrent. You don't care which peers you talk to, as long as it's enough to get the file. So what you need here is a reasonable subset of peers that are dual stack to facilitate the movement of bits between IPv6-only and IPv4-only peers. There's also often a server or tracker, which would have to be proxied or dual stack.

There you have it. You can actually run IPv6-only and get work done, even with the current state of affairs.
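The application-layer option the message describes, a CONNECT proxy that never looks at the tunnelled protocol, as an added example that is not part of the original post or of any real proxy: a minimal dual-stack CONNECT relay in Python that parses the request line (including bracketed IPv6 literals), refuses destination ports outside an allow-list so it cannot be used as an open relay, and then only copies bytes between the two legs. The echo "origin", the loopback addresses and the allowed-port set in demo() are constructed for the demonstration; pointing origin_host at an IPv4 address and proxy_host at an IPv6 one is what gives a v6-only client a path to a v4-only server.

```python
import socket, threading

def parse_connect(line: bytes):  # 'CONNECT host:port HTTP/1.x' -> (host, port) or None
    parts = line.split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")  # host may be a bracketed IPv6 literal
    return (host.strip(b"[]").decode("ascii"), int(port)) if sep and host and port.isdigit() else None

def pump(src, dst):  # copy one way until EOF, then half-close the far side so it sees EOF too
    try:
        while chunk := src.recv(65536): dst.sendall(chunk)
    except OSError: pass
    finally:
        try: dst.shutdown(socket.SHUT_WR)
        except OSError: pass

def handle_client(client, allowed_ports):
    target = parse_connect(client.recv(4096).split(b"\r\n", 1)[0])  # assumes one read gets the request
    if target is None or target[1] not in allowed_ports:  # a CONNECT proxy must not be an open relay
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n"); client.close(); return
    try:  # create_connection() goes through getaddrinfo, so the upstream leg uses whatever
        upstream = socket.create_connection(target, timeout=5)  # address family the origin has
    except OSError:
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n"); client.close(); return
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
    pump(client, upstream)  # from here on the proxy never looks at the application protocol

def listen(host):  # ephemeral port; the socket family follows the address given (v4 or v6)
    return socket.create_server((host, 0), family=socket.getaddrinfo(host, 0)[0][0])
def serve_in_background(listener, allowed_ports):
    def loop():
        while True:
            threading.Thread(target=handle_client, args=(listener.accept()[0], allowed_ports), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

def demo(origin_host="127.0.0.1", proxy_host="127.0.0.1", allow=True, payload=b"hi via CONNECT"):
    origin, proxy = listen(origin_host), listen(proxy_host)  # constructed: echo 'origin' plus the proxy
    def echo(): conn, _ = origin.accept(); pump(conn, conn)  # stands in for a v4-only server
    threading.Thread(target=echo, daemon=True).start()
    serve_in_background(proxy, {origin.getsockname()[1]} if allow else set())
    host = "[%s]" % origin_host if ":" in origin_host else origin_host
    client = socket.create_connection(proxy.getsockname()[:2], timeout=5)
    client.sendall(b"CONNECT %s:%d HTTP/1.1\r\n\r\n" % (host.encode(), origin.getsockname()[1]))
    status, reply = client.recv(4096).split(b"\r\n", 1)[0], b""
    if status.startswith(b"HTTP/1.1 200"):  # tunnel is up: whatever we send now reaches the origin
        client.sendall(payload); client.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: client.recv(4096), b""))
    client.close(); return status, reply
```

With allow=False the proxy answers 403 and never opens the upstream leg, which is the check a real deployment needs so the relay only reaches the services it was put there for.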