On 2012-06-04 15:27, Joe Maimon wrote:
Jeroen Massar wrote:
If people want to use a tunnel for the purpose of a VPN, then they will, be that IPv4 or IPv6 or both inside that tunnel.
Instead of having a custom VPN protocol one can do IPSEC properly now as there is no NAT that one has to get around. Microsoft's Direct Access does this btw and is an excellent example of doing it correctly.
Microsoft has had this capability since win2k. I didn't see any enterprises use it, even those who used their globally unique and routed IPv4 /16 internally. NAT was not why they did not use it.
They did not use it externally, they did not use it internally.
In fact, most of them were involved in projects to switch to NAT internally.
Enterprises also happen not to be thrilled with the absence of NAT in IPv6.
What I read that you are saying is that you know a lot of folks who do not understand the concept of end-to-end reachability and think that NAT is a security feature and that ICMP is evil. That indeed matches most of the corporate world quite well. That they are heavily misinformed does not make it the correct answer though.
Dont expect huge uptake there.
Every problem has its own solution depending on the situation. Direct Access is just another possible solution to a problem. If NATs would not have existed and the IPSEC key infra was better integrated into Operating Systems the uptake for IPSEC based VPNs would have likely been quite a bit higher by now. But all guess work.
No, why should it? But note that "IPv6 tunnels" (not VPNs) are a transition technique from IPv4 to IPv6 and thus should not remain around forever, the transition will end somewhere, sometime, likely far away in the future with the speed that IPv6 is being deployed ;)
So VPN is the _only_ acceptable use of sub 1500 encapsulation?
Why would anything be 'acceptable'? If you have a medium that only can carry X bytes per packet, then that is the way it is, you'll just have to be able to frag IPv6 packets on that medium if you want to support IPv6. And the good thing is that if you can support jumbo frames, just turn it on and let pMTU do its work. Happy 9000's ;)
Today, most people can't even get IPv6 without tunnels.
In time that will change, that is simply transitional.
If turning it on with a tunnel breaks things, it won't make native transition happen sooner.
Using tunnels does not break things. Filtering PTBs (which can happen anywhere in the network, thus also remotely) can break things though. Or better said: mis-configuring systems breaks things.
This whole thread is all about how IPv6 has not improved any of the issues that are well known with IPv4 and in many cases makes them worse.
You cannot unteach stupid people to do stupid things. Protocol changes will not suddenly make people understand that what they want to do is wrong and breaks said protocol.

Greets,
 Jeroen
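An added example (mine, not code from either poster) of the two mechanics the thread argues over: the sub-1500 inner MTU an encapsulation leaves, and what a host's path-MTU state does when an ICMPv6 Packet Too Big arrives versus when the PTB is filtered and never arrives. The overhead table, addresses and sample message are constructed for the example.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280   # RFC 8200: every IPv6 link must carry 1280-byte packets
ICMPV6_PTB = 2        # ICMPv6 type 2, "Packet Too Big"
# Outer-header bytes (no options) that the tunnel takes off the link MTU; constructed list.
ENCAP_OVERHEAD = {"6in4": 20, "gre-over-ipv4": 24}

def tunnel_mtu(link_mtu: int, encap: str) -> int:
    """Largest IPv6 packet the tunnel can carry; raises if the link is too small."""
    inner = link_mtu - ENCAP_OVERHEAD[encap]
    if inner < IPV6_MIN_MTU:
        raise ValueError(f"{encap} on a {link_mtu}-byte link leaves only {inner} bytes")
    return inner

def build_packet_too_big(mtu: int, dst: str) -> bytes:
    """Constructed sample PTB: ICMPv6 header plus the first 40 bytes of the invoking packet."""
    ipv6_hdr = (struct.pack("!IHBB", 0x60000000, 1400, 6, 64)
                + ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address(dst).packed)
    return struct.pack("!BBHI", ICMPV6_PTB, 0, 0, mtu) + ipv6_hdr

def parse_packet_too_big(msg: bytes):
    """Return (mtu, destination of the invoking packet) or None if msg is not a PTB."""
    if len(msg) < 48:          # 8-byte ICMPv6 header + 40-byte embedded IPv6 header
        return None
    icmp_type, code, _checksum, mtu = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ICMPV6_PTB or code != 0:
        return None
    return mtu, str(ipaddress.IPv6Address(msg[32:48]))   # dst sits at 24..40 of that header

class PmtuCache:
    """Per-destination path-MTU estimate; a filtered PTB never updates it, so big packets blackhole."""
    def __init__(self, link_mtu: int):
        self.link_mtu = link_mtu
        self.estimate = {}

    def pmtu(self, dst: str) -> int:
        return self.estimate.get(dst, self.link_mtu)

    def on_packet_too_big(self, msg: bytes) -> bool:
        parsed = parse_packet_too_big(msg)
        if parsed is None:
            return False
        mtu, dst = parsed
        if mtu >= self.pmtu(dst):
            return False                        # RFC 8201: a PTB may only lower the estimate
        self.estimate[dst] = max(mtu, IPV6_MIN_MTU)   # below 1280 means: add a Fragment header
        return True

    def fits(self, dst: str, packet_len: int) -> bool:
        return packet_len <= self.pmtu(dst)
```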