> * Owen DeLong <owen@delong.com> [2004-11-28 19:51]:
> > > there are a lot of organizations now having PI without having an ASN and being multihomed. a transition to v6 with this policy would make things much worse for them, so why should they?
> >
> > They shouldn't unless they need features that are available in v6 that are not available in v4. Where's the harm in this? The v6 stack provides for encapsulating v4 addresses in v6 easily enough and the v6 specs already make allowance for this. I don't see any reason we need to get such a site over to v6.
>
> ehm the v4-in-v6 mapping is a gigantic security issue. this is nothing but establishing tunnels automagically and extremely dangerous. v4-in-v6 is not supported on purpose or at least disabled by default on many OSes, and that is a good thing.

How is this any more of a security hole than address-based trust in the first place? As near as I can tell, the 6-to-4 mapping is simply a legitimate form of address spoofing more than what I would call dynamic tunnels. As I understand it, there's some magic IPv6 prefix which, since I don't remember what it is, I'll call <pfx>, and your v4 address simply gets mapped to <pfx>::<v4addr> and away it goes.

> so you say they should just keep v4 - that does not really help in getting v6 deployed.

You keep talking like getting v6 deployed for the sake of getting v6 deployed is some sort of goal that I should have. I don't. I don't care if v6 ever gets deployed. I care about being able to reach the parts of the internet I care about being able to reach. I suspect you will find that to be the case among most people. If you want to deploy v6 so you can play with v6, do it in your lab. If you want to show the world reasons they should deploy v6, go for it. If you expect a company that has v4 addresses and will get shafted by v6 policies to convert to v6 just for the sake of converting to v6, then I think you need to take fewer drugs.

> > The convenience factor _is_ already outlawed.
>
> true for new allocations, but there is a gigantic installed base, and making their situation worse isn't exactly helping in getting v6 deployed.
>
> > As near as I can tell, there's very little reason for such a site to ever adopt v6 and very little reason for the world to care that they didn't.
>
> i think there's many many many more of those sites than you think. and we really don't want to run in two parallel universes for longer than it has to be...

I think there are thousands of those sites and we _WILL_ run in two parallel universes until such time as v6 offers those sites some reason to convert. Hint: Shafting them on being able to get PI space in the v6 world is the opposite of a reason to convert.

> > As such, I'm not sure I understand why this is a significant issue. Is there some reason it's important for these sites to go to v6 instead of using 4-to-6 address encapsulation at their border?
>
> 4-to-6 is a horrible mess.

So you say, but from the perspective of one of those sites that can't get PI space for v6 and has v4 swamp space, I have to say it looks like less of a mess than v6.

Owen

-- 
If it wasn't crypto-signed, it probably didn't come from me.
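Editor's note on the "<pfx>::<v4addr>" exchange above. The prefix Owen could not remember matches more than one real embedding: ::ffff:0:0/96 (IPv4-mapped, RFC 4291 2.5.5.2, what a dual-stack socket reports for an IPv4 peer), ::/96 (the deprecated IPv4-compatible form, RFC 4291 2.5.5.1) and 2002::/16 (6to4, RFC 3056, with the v4 address in bits 16-47). The socket option that decides whether a v6 socket accepts IPv4 peers in mapped form at all is IPV6_V6ONLY (RFC 3493). The code below is an added example, not code from the thread or from either poster; it shows what both of them are circling: an address-based trust check that unwraps the embedded IPv4 address is fooled by any IPv6 packet whose sender simply wrote a trusted v4 address into the prefix, while a check that knows where the address came from is not. The trusted prefixes (RFC 5737 and RFC 3849 documentation ranges), the sample peers and every function name are assumptions chosen for this illustration.

```python
"""Address-family-aware trust check (added example, not from the thread).

Assumptions: the ACLs below, the sample peers and the function names are
made up for illustration; the prefixes are documentation ranges.
"""
import ipaddress
from typing import Optional, Tuple

# Assumed ACLs: the administrator trusts one v4 block and one native v6 block.
TRUSTED_V4 = ipaddress.ip_network("192.0.2.0/24")
TRUSTED_V6 = ipaddress.ip_network("2001:db8:1::/48")


def classify(peer: str) -> Tuple[str, Optional[ipaddress.IPv4Address]]:
    """Name the embedding used by `peer` and extract the IPv4 address it carries.

    ::ffff:a.b.c.d    IPv4-mapped (RFC 4291 2.5.5.2): what a dual-stack socket
                      reports when the peer actually spoke IPv4
    ::a.b.c.d         IPv4-compatible (RFC 4291 2.5.5.1, deprecated)
    2002:VVVV:VVVV::  6to4 (RFC 3056): the v4 address sits in bits 16-47
    """
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv4Address):
        return "ipv4", addr
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped", addr.ipv4_mapped
    if addr.sixtofour is not None:
        return "6to4", addr.sixtofour
    # Upper 96 bits zero, but not the unspecified (::) or loopback (::1) address.
    if (int(addr) >> 32) == 0 and int(addr) > 1:
        return "ipv4-compatible", ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return "ipv6", None


def weak_is_trusted(peer: str) -> bool:
    """Tempting but wrong: unwrap any embedded IPv4 and consult the v4 ACL.

    The embedded address is only a claim made by whoever built the IPv6
    packet; nothing on the IPv6 path verified it. This is the "address
    spoofing" the thread argues about.
    """
    _, v4 = classify(peer)
    return v4 is not None and v4 in TRUSTED_V4


def is_trusted(peer: str, from_socket_api: bool = False) -> bool:
    """Family-aware check.

    `from_socket_api` is True when `peer` came from the local socket layer
    (accept/getpeername on a dual-stack socket), which hands back ::ffff:x
    for a connection that really arrived over IPv4 and therefore passed
    whatever IPv4 ingress filtering exists. An embedded-IPv4 form seen
    anywhere else (a packet source, a log line, a forwarded header) is an
    on-the-wire IPv6 address and must not inherit IPv4 trust.
    """
    kind, v4 = classify(peer)
    if kind == "ipv4":
        return v4 in TRUSTED_V4
    if kind == "ipv4-mapped" and from_socket_api:
        return v4 in TRUSTED_V4
    if kind in ("ipv4-mapped", "ipv4-compatible"):
        return False  # never legitimate as an IPv6 source address on the wire
    # 6to4 and native IPv6: judge the IPv6 address itself, never the embedded v4.
    return ipaddress.IPv6Address(peer) in TRUSTED_V6


if __name__ == "__main__":
    # Constructed sample peers, not captured traffic.
    samples = [
        ("192.0.2.5", False),
        ("::ffff:192.0.2.5", True),   # same host, reported by a dual-stack socket
        ("::ffff:192.0.2.5", False),  # same bytes as an IPv6 source on the wire
        ("::192.0.2.5", False),       # deprecated IPv4-compatible form
        ("2002:c000:205::1", False),  # 6to4 prefix derived from 192.0.2.5
        ("2001:db8:1::42", False),    # native IPv6, in the v6 ACL
    ]
    for peer, via_socket in samples:
        kind, v4 = classify(peer)
        print(f"{peer:>20}  {kind:15} embedded={str(v4):12} "
              f"weak={weak_is_trusted(peer)!s:5} hardened={is_trusted(peer, via_socket)}")
```

The two results to compare are 2002:c000:205::1 and the on-the-wire ::ffff:192.0.2.5: both carry the trusted 192.0.2.5, so the unwrap-everything check admits both, while the hardened check admits neither, and only admits the mapped form when the socket layer itself produced it.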