* support of IPv6 by NFS
From: Gilles Quillard @ 2005-03-01 10:10 UTC (permalink / raw)
  To: netdev, linux-ipv6; +Cc: Gerrit Huizenga, Tony Reix

I'm working on the support of IPv6 by NFS and the RPC on Linux.

As now preconized for the development of new networking applications, I 
have developed a prototype implementation in which I have migrated all 
the NFS / RPC kernel stack and the user commands to use IPv6 addresses. 
The IPv4-mapping mechanism is used to ensure backward compatibility 
for IPv4 addresses, which are still the most used.
This works, but it requires that the kernel has been compiled with IPv6, 
which is not mandatory. A lot of people in the Linux community do not 
have experience with IPv6 yet and are not ready to use it. So making it 
mandatory for NFS, even in a pure IPv4 network, is not easy.
It seems that most of the major distributions already provide 
default kernels built with IPv6, but the reference kernel on kernel.org is still 
provided with IPv6 support not set; and there is some 
unwillingness to make compilation of the kernel with IPv6 mandatory 
in order to support NFS.

The problem is not specific to NFS: any networking application written 
using IPv6 mechanisms for both IPv4 and IPv6 addresses (AF_INET6 socket 
opened, IPv4 addresses mapped) cannot work without a kernel built with 
IPv6.

Are the final users really against the use of kernels built with IPv6?
What is preconized on Linux for the support of IPv6? The solution 
described above, or the cohabitation of the two modes (struct sockaddr or 
sockaddr_storage used to contain either struct sockaddr_in or struct 
sockaddr_in6) with specific processing according to the family of the 
addresses?

Regards,
Gilles


* Re: support of IPv6 by NFS
From: Quantum Scientific @ 2005-03-01 13:44 UTC (permalink / raw)
  To: netdev; +Cc: usagi-users

On Tuesday 01 March 2005 4:10, Gilles Quillard wrote:
> This works but this needs that the kernel has been compiled with IPv6, 
> which is not mandatory. A lot of people in the Linux community do not 
> have experience with IPv6 yet and are not ready to use it. So making it 
> mandatory for NFS, even in a pure IPv4 network, is not easy.

My experience is that IPV6 is extremely difficult to figure out how to set up 
securely, for the time being, due to lack of connection-sharing.  This little 
fact goes completely unmentioned in ALL of the HowTos.  Thank goodness for 
the USAGI project.

Also one must become an ip6tables expert in order to have a reasonably secure 
firewall, because ip6tables and 6tables are dead, and Shorewall does not 
support IPV6 security for some reason.  Another deterrent.

And 80% of potential users are behind a cable/DSL 4 NATting router.  There is 
no clarity that it is possible to overcome this by either setting to DMZ, or 
hoping your cablemodem passes protos 41, 50 & 51.  Even some tunnel operators 
do not know this, so I had to figure it out myself.  There is no Linux 6to4 
UDP tunnelling app, but there should be, because this is such a common 
problem.  (As I understand, Teredo is Winduhs-only, and is not supported by 
most tunnel operators)

And frankly, most Linux users' only contact with IPV6 has been the DNS AAAA 
browser delay seemingly inherent in some distros.  Although I realize that 
all of us who run Linux are ostensibly uber-gurus, fact is this is a negative 
first experience for most, stemming from attempts by distros to encourage ppl 
to use it with an inoperative function, and without an obvious way to 
troubleshoot/repair.

These issues contradict assertions that IPV6 is beneficial and easy.  If I 
didn't have a strong motivation and lots of time, I would have chucked 
early-on.  Speaking the actual truth, not propaganda or spin, leads to 
understanding of the *real* world.

Carl Cook


* Re: (usagi-users 03222) Re: support of IPv6 by NFS
From: Jeroen Massar @ 2005-03-01 15:08 UTC (permalink / raw)
  To: usagi-users; +Cc: netdev


On Tue, 2005-03-01 at 07:44 -0600, Quantum Scientific wrote: 
>On Tuesday 01 March 2005 4:10, Gilles Quillard wrote:
>> This works but this needs that the kernel has been compiled with IPv6, 
>> which is not mandatory. A lot of people in the Linux community do not 
>> have experience with IPv6 yet and are not ready to use it. So making it 
>> mandatory for NFS, even in a pure IPv4 network, is not easy.
>
>My experience is that IPV6 is extremely difficult to figure out how to set up 
>securely, for the time being, due to lack of connection-sharing.

NAT is not a firewall. Get that into your brain.

And indeed there is no Linux firewalling code yet, in the mainstream,
that can do connection tracking. There is no non-EFT Cisco PIX code for
this either. The only OS that can do it is the various BSDs.

>And 80% of potential users are behind a cable/DSL 4 NATting router.  There is 
>no clarity that it is possible overcome this by either setting to DMZ, or 
>hoping your cablemodem passes protos 41, 50 & 51.  Even some tunnel operators 
>do not know this, so I had to figure it out myself.

Freenet6/Hexago have a UDP protocol and SixXS has AYIYA. Works perfectly
fine.

In most cases, I know from quite a bit of experience, proto-41
forwarding works very well in most of these DSL boxes.

> There is no Linux 6to4 
>UDP tunnelling app, but there should be, because this is such a common 
>problem.  (As I understand, Teredo is Winduhs-only, and is not supported by 
>most tunnel operators)

The protocol for Teredo is open and can be implemented at will:

http://www-rp.lip6.fr/teredo/
http://www.simphalempin.com/dev/miredo
http://people.via.ecp.fr/~rem/miredo/?C=N;O=D

First couple of hits when doing a google on "Teredo BSD", or for you to
click as that might be difficult:
http://www.google.com/search?q=teredo+bsd

>And frankly, most Linux users' only contact with IPV6 has been the DNS AAAA 
>browser delay seemingly inherent in some distros.  Although I realize that 
>all of us who run Linux are ostensibly uber-gurus, fact is this is a negative 
>first experience for most, stemming from attempts by distros to encourage ppl 
>to use it with an inoperative function, and without an obvious way to 
>troubleshoot/repair.

I can clearly assume that you are not part of the 'ostensibly
uber-gurus' you try to mention. 
>
>These issues contradict assertions that IPV6 is beneficial and easy.

That you don't understand it is your problem ;)

>If I 
>didn't have a strong motivation and lots of time, I would have chucked 
>early-on.  Speaking the actual truth, not propaganda or spin, leads to 
>understanding of the *real* world.

Loads of people seem to have no problem at all with IPv6, getting it up
and running and actually using it for a lot of traffic.
The fact that you are only complaining, without doing any actual
research, typing two words in google, says enough. You are not even
capable of configuring your mailer properly to include your own name,
the field is not called "Realname" for nothing...

Greets,
 Jeroen




* Re: (usagi-users 03222) Re: support of IPv6 by NFS
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2005-03-01 15:19 UTC (permalink / raw)
  To: Info; +Cc: netdev, usagi-users

In article <200503010744.38339.Info@Quantum-Sci.com> (at Tue, 1 Mar 2005 07:44:37 -0600), Quantum Scientific <Info@Quantum-Sci.com> says:

> And frankly, most Linux users' only contact with IPV6 has been the DNS AAAA 
> browser delay seemingly inherent in some distros.  Although I realize that 
> all of us who run Linux are ostensibly uber-gurus, fact is this is a negative 
> first experience for most, stemming from attempts by distros to encourage ppl 
> to use it with an inoperative function, and without an obvious way to 
> troubleshoot/repair.
:
> These issues contradict assertions that IPV6 is beneficial and easy.  If I 
> didn't have a strong motivation and lots of time, I would have chucked 
> early-on.  Speaking the actual truth, not propaganda or spin, leads to 
> understanding of the *real* world.

Well, we really need to analyse and solve "negative experiences"
and barriers against IPv6, and the "IPv6-Fix" Project started:
    http://v6fix.net

Please report any incidents to <contact AT v6fix DOT net>.
We might need to list the pitfalls people may have and tips
to solve those issues.

Thank you.

-- 
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF  80D8 4807 F894 E062 0EEA


* Re: support of IPv6 by NFS
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2005-03-01 15:42 UTC (permalink / raw)
  To: gilles.quillard; +Cc: netdev, linux-ipv6, gh, Tony.Reix, yoshfuji

In article <42243F8D.5030302@bull.net> (at Tue, 01 Mar 2005 11:10:21 +0100), Gilles Quillard <gilles.quillard@bull.net> says:

> The problem is not specific to NFS, any networking application written 
> using IPv6 mechanisms for both IPv4 and IPv6 addresses (AF_INET6 socket 
> opened, IPv4 addresses mapped) couldn't work without a kernel built with 
> IPv6.
:
> Are the final users really against the use of kernels built with IPv6?
> What is preconized on Linux for the support of IPv6? The solution
> described above or the cohabitation of the two modes (struct sockaddr or
> sockaddr_storage used to contain either struct sockaddr_in or struct
> sockaddr_in6) with specific processing according to the family of the
> addresses ?

You cannot assume whether the user enables IPv6 or not,
and you cannot assume s/he has connectivity to the global Internet,
in most cases.

So, you likely need to try both IPv6 and IPv4.
getaddrinfo() / getnameinfo(), or "protocol independent programming," 
are your friends.

--yoshfuji
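The approach yoshfuji recommends above (resolve with getaddrinfo(), try both families) together with Gilles' question about IPv4-mapped addresses versus per-family handling in a sockaddr_storage, as an added C example that is not part of the thread: it resolves an endpoint with AF_UNSPEC, converts IPv4-mapped addresses back to AF_INET so a kernel built without IPv6 (socket(AF_INET6) fails with EAFNOSUPPORT) can still open the socket, and compares endpoints only after that canonicalisation. Port 2049 and the address 192.0.2.1 are constructed sample values.

```c
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Resolve a numeric host/port into a sockaddr_storage without fixing the
 * address family in advance: AF_UNSPEC lets getaddrinfo() pick AF_INET or
 * AF_INET6 from the literal. Returns 0 on success or a getaddrinfo() error. */
int parse_endpoint(const char *host, const char *port,
                   struct sockaddr_storage *out, socklen_t *outlen)
{
    struct addrinfo hints, *res;
    int rc;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;  /* no DNS: runs offline */
    rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0)
        return rc;
    memcpy(out, res->ai_addr, res->ai_addrlen);
    *outlen = res->ai_addrlen;
    freeaddrinfo(res);
    return 0;
}

/* If *ss holds an IPv4-mapped IPv6 address (::ffff:a.b.c.d), rewrite it in
 * place as a plain AF_INET sockaddr_in, keeping the port. Returns 1 if the
 * address was converted, 0 if it was left untouched. */
int unmap_v4(struct sockaddr_storage *ss, socklen_t *len)
{
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    struct sockaddr_in s4;
    if (ss->ss_family != AF_INET6 || !IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr))
        return 0;
    memset(&s4, 0, sizeof s4);
    s4.sin_family = AF_INET;
    s4.sin_port = s6->sin6_port;
    memcpy(&s4.sin_addr, &s6->sin6_addr.s6_addr[12], 4);  /* low 32 bits */
    memset(ss, 0, sizeof *ss);
    memcpy(ss, &s4, sizeof s4);
    *len = sizeof s4;
    return 1;
}

/* Compare two endpoints as "the same host" whatever form they arrived in.
 * Address-based access lists (NFS exports, for instance) have to canonicalise
 * first, or 192.0.2.1 and ::ffff:192.0.2.1 look like two different hosts. */
int same_host(const struct sockaddr_storage *a, const struct sockaddr_storage *b)
{
    struct sockaddr_storage ca = *a, cb = *b;
    socklen_t la = sizeof ca, lb = sizeof cb;
    unmap_v4(&ca, &la);
    unmap_v4(&cb, &lb);
    if (ca.ss_family != cb.ss_family)
        return 0;
    if (ca.ss_family == AF_INET)
        return memcmp(&((struct sockaddr_in *)&ca)->sin_addr,
                      &((struct sockaddr_in *)&cb)->sin_addr, 4) == 0;
    return memcmp(&((struct sockaddr_in6 *)&ca)->sin6_addr,
                  &((struct sockaddr_in6 *)&cb)->sin6_addr, 16) == 0;
}

/* Open a stream socket for the endpoint's family. On a kernel built without
 * IPv6, socket(AF_INET6) fails with EAFNOSUPPORT; a mapped address is then
 * retried as AF_INET so the IPv4 path keeps working. Returns the fd or -1. */
int open_socket_for(struct sockaddr_storage *ss, socklen_t *len)
{
    int fd = socket(ss->ss_family, SOCK_STREAM, 0);
    if (fd < 0 && errno == EAFNOSUPPORT && unmap_v4(ss, len))
        fd = socket(AF_INET, SOCK_STREAM, 0);
    return fd;
}

int main(void)
{
    /* Constructed sample: an NFS server (port 2049) named once by a mapped
     * IPv4 address and once in plain IPv4 form. */
    struct sockaddr_storage mapped, plain;
    socklen_t ml, pl;
    int fd;
    if (parse_endpoint("::ffff:192.0.2.1", "2049", &mapped, &ml) != 0 ||
        parse_endpoint("192.0.2.1", "2049", &plain, &pl) != 0)
        return 1;
    printf("same host: %s\n", same_host(&mapped, &plain) ? "yes" : "no");
    fd = open_socket_for(&mapped, &ml);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    printf("socket family: %s\n",
           mapped.ss_family == AF_INET6 ? "AF_INET6" : "AF_INET");
    close(fd);
    return 0;
}
```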


* Re: (usagi-users 03222) Re: support of IPv6 by NFS
From: Olaf Kirch @ 2005-03-01 16:19 UTC (permalink / raw)
  To: Jeroen Massar; +Cc: usagi-users, netdev

On Tue, Mar 01, 2005 at 04:08:32PM +0100, Jeroen Massar wrote:
> > There is no Linux 6to4 
> >UDP tunnelling app, but there should be, because this is such a common 
> >problem.  (As I understand, Teredo is Winduhs-only, and is not supported by 
> >most tunnel operators)
> 
> The protocol for Teredo is open and can be implemented at will:

Except that it's quite horrible, and it requires a centralized broker,
and IIRC it also makes assumptions about the way your NAT implementation
assigns ports.

Olaf
-- 
Olaf Kirch   |  --- o --- Nous sommes du soleil we love when we play
okir@suse.de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax


* Re: (usagi-users 03222) Re: support of IPv6 by NFS
From: Rémi Denis-Courmont @ 2005-03-01 16:35 UTC (permalink / raw)
  To: usagi-users; +Cc: Quantum Scientific, netdev


On Tuesday 1 March 2005 14:44, Quantum Scientific wrote:
> And 80% of potential users are behind a cable/DSL 4 NATting router. 
> There is no clarity that it is possible overcome this by either
> setting to DMZ, or hoping your cablemodem passes protos 41, 50 & 51. 
> Even some tunnel operators do not know this, so I had to figure it
> out myself.  There is no Linux 6to4 UDP tunnelling app, but there
> should be, because this is such a common problem.  (As I understand,
> Teredo is Winduhs-only, and is not supported by most tunnel
> operators)

There is at least one Teredo client for Linux:
http://www.simphalempin.com/dev/miredo/

Alternatively, TSP tunneling might also work through NAT devices.

-- 
Rémi Denis-Courmont



* Re: (usagi-users 03222) Re: support of IPv6 by NFS
From: Jeroen Massar @ 2005-03-01 17:18 UTC (permalink / raw)
  To: Olaf Kirch; +Cc: usagi-users, netdev


On Tue, 2005-03-01 at 17:19 +0100, Olaf Kirch wrote:
>On Tue, Mar 01, 2005 at 04:08:32PM +0100, Jeroen Massar wrote:
>> > There is no Linux 6to4 
>> >UDP tunnelling app, but there should be, because this is such a common 
>> >problem.  (As I understand, Teredo is Winduhs-only, and is not supported by 
>> >most tunnel operators)
>> 
>> The protocol for Teredo is open and can be implemented at will:
>
>Except that it's quite horrible,

It needs to be horrible as it needs to cross horrible NATs.

> and it requires a centralized broker,

Doesn't every tunneling method require this? Or is 6to4 anycasted and
thus not central?

Do note that you can set up your own Teredo relay, see the docs at the
Miredo site for more information.

>and IIRC it also makes assumptions about the way your NAT implementation
>assigns ports.

It expects a Cone NAT (or was it the other thing?). The functionality
for the others was taken out because of 'security' concerns from some
people.

Greets,
 Jeroen




* Re: (usagi-users 03224) Re: support of IPv6 by NFS
From: Rémi Denis-Courmont @ 2005-03-01 18:39 UTC (permalink / raw)
  To: usagi-users; +Cc: Olaf Kirch, Jeroen Massar, netdev

On Tuesday 1 March 2005 17:19, Olaf Kirch wrote:
> > The protocol for Teredo is open and can be implemented at will:
>
> Except that it's quite horrible,

Yes, it is, and that's its biggest weakness. NAT traversal is horrible 
by design. So either you use a point-to-point tunnel over UDP (or TCP, 
but it is slow), or you end up with something horrible.

> and it requires a centralized broker,

Actually, Teredo is much more decentralised than, say, TSP. There could 
be several Teredo relays among the IPv6 world, from different entities, 
much like there are currently 6to4 relays.

The only centralized thing is the server whose only purpose is autoconf 
and NAT traversal.

> and IIRC it also makes assumptions about the way your NAT
> implementation assigns ports.

Yes, indeed. Unfortunately, the only way to avoid such assumptions is to 
use point-to-point IPv6 tunnels (or not try to use IPv6 from behind a 
NAT at all).

Point-to-point tunneling might be fine, but, as far as I know, there is 
no automatic and registration-less IPv6 point-to-point tunneling 
solution at the moment :-(

-- 
Rémi Denis-Courmont


* Re: (usagi-users 03222) Re: support of IPv6 by NFS
From: Quantum Scientific @ 2005-03-01 18:56 UTC (permalink / raw)
  To: netdev, Jeroen Massar; +Cc: usagi-users

On Tuesday 01 March 2005 9:08, Jeroen Massar wrote:
> On Tue, 2005-03-01 at 07:44 -0600, Quantum Scientific wrote: 
> >On Tuesday 01 March 2005 4:10, Gilles Quillard wrote:
> >> This works but this needs that the kernel has been compiled with IPv6, 
> >> which is not mandatory. A lot of people in the Linux community do not 
> >> have experience with IPv6 yet and are not ready to use it. So making it 
> >> mandatory for NFS, even in a pure IPv4 network, is not easy.
> >
> >My experience is that IPV6 is extremely difficult to figure out how to set up 
> >securely, for the time being, due to lack of connection-sharing.
> 
> NAT is not a firewall. Get that into your brain.

Jeroen, was this addressed to me, or to Gilles?  Never mind, it doesn't matter; your 
words show that you are an uneducated man.

 
On Tuesday 01 March 2005 9:08, Jeroen Massar wrote:
> First couple of hits when doing a google on "Teredo BSD", or for you to
> click as that might be difficult:
> http://www.google.com/search?q=teredo+bsd
...
> On Tue, 2005-03-01 at 07:44 -0600, Quantum Scientific wrote: 
> >Although I realize that all of us who run Linux are ostensibly uber-gurus, 
> >fact is this is a negative first experience for most, stemming from
> >attempts by distros to encourage ppl to use it with an inoperative
> >function, and without an obvious way to troubleshoot/repair.
> 
> I can clearly assume that you are not part of the 'ostensibly
> uber-gurus' you try to mention. 

And we can clearly assume that you are petty, and just an asshole.  No, I am 
not a Linux uber-guru.  I am a commercial real estate developer, using Linux 
as a hobby.  You may not want my input, but others seem to, judging from 
emails I've gotten in back-channel about you.


> Loads of people seem to have no problem at all with IPv6, getting it up
> and running and actually using it for a lot of traffic.
> That fact that you are only complaining, without doing any actual
> research, typing two words in google, says enough. You are not even
> capable of configuring your mailer properly to include your own name,
> the field is not called "Realname" for nothing...

Obviously you have not been following my emails, and have simply written your 
response to carp and ignorantly pretend you are superior in some way.  This 
is no different than noise.

As most here have ascertained, I said the things I have said, as reflective of 
the experiences of the majority when trying to set up IPV6.  If you have a 
problem with that, you are unable to understand the true issues, and show it 
with every word.  

You will have no more responses from me.

Carl Cook


* Re: (usagi-users 03222) Re: support of IPv6 by NFS
From: Jeroen Massar @ 2005-03-01 19:46 UTC (permalink / raw)
  To: Quantum Scientific; +Cc: netdev, usagi-users


On Tue, 2005-03-01 at 12:56 -0600, Quantum Scientific wrote:
>On Tuesday 01 March 2005 9:08, Jeroen Massar wrote:
>> On Tue, 2005-03-01 at 07:44 -0600, Quantum Scientific wrote: 
>> >On Tuesday 01 March 2005 4:10, Gilles Quillard wrote:
>> >> This works but this needs that the kernel has been compiled with IPv6, 
>> >> which is not mandatory. A lot of people in the Linux community do not 
>> >> have experience with IPv6 yet and are not ready to use it. So making it 
>> >> mandatory for NFS, even in a pure IPv4 network, is not easy.
>> >
>> >My experience is that IPV6 is extremely difficult to figure out how to set up 
>> >securely, for the time being, due to lack of connection-sharing.
>> 
>> NAT is not a firewall. Get that into your brain.
>
>Jeroen, was this addressed to me, or to Gilles?  Never mind, it doesn't matter; your 
>words show that you are an uneducated man.

As you have read correctly, and how the indentation of the message shows
it was a reply to your post. Btw, I am 'educated' enough ;)
 
>On Tuesday 01 March 2005 9:08, Jeroen Massar wrote:
>> First couple of hits when doing a google on "Teredo BSD", or for you to
>> click as that might be difficult:
>> http://www.google.com/search?q=teredo+bsd
>...
>> On Tue, 2005-03-01 at 07:44 -0600, Quantum Scientific wrote: 
>> >Although I realize that all of us who run Linux are ostensibly uber-gurus, 
>> >fact is this is a negative first experience for most, stemming from
>> >attempts by distros to encourage ppl to use it with an inoperative
>> >function, and without an obvious way to troubleshoot/repair.
>> 
>> I can clearly assume that you are not part of the 'ostensibly
>> uber-gurus' you try to mention. 
>
>And we can clearly assume that you are petty, and just an asshole.

Pretty depends on who you ask of course, most ladies will say so
fortunately and I don't care about a guys opinion ;)

>  No, I am 
>not a Linux uber-guru.  I am a commercial real estate developer, using Linux 
>as a hobby.  You may not want my input, but others seem to, judging from 
>emails I've gotten in back-channel about you.

Could you please publish these 'back-channel' communications?
I would love to hear comments about me. They are apparently about me,
and reading from your sentence you are implying that they are accusing
me of a lot of bad things. I don't need names, but please publish them,
then everybody knows what it is so bad about me, and even better, then I
might learn from these 'issues' that so 'others' might be having.

But I'll just assume you've misjudged me. The fact that you need foul
words tells a lot about your reasoning.

>> Loads of people seem to have no problem at all with IPv6, getting it up
>> and running and actually using it for a lot of traffic.
>> That fact that you are only complaining, without doing any actual
>> research, typing two words in google, says enough. You are not even
>> capable of configuring your mailer properly to include your own name,
>> the field is not called "Realname" for nothing...
>
>Obviously you have not been following my emails, and have simply written your 
>response to carp and ignorantly pretend you are superior in some way.  This 
>is no different than noise.

Where are your actual technical arguments then? The only few items you
named are well-known and are being addressed already, but things like
that take time, especially in an environment where people are doing it
on a free basis.

As for the 'superiority', let your 'back-channel' decide on that.

>As most here have ascertained, I said the things I have said, as reflective of 
>the experiences of the majority when trying to set up IPV6.

"most" of the participants of these mailing lists, both of them to which
you were at first unable to subscribe, contain people who simply lurk
and listen and try to learn from the content that is brought forth here.
Claiming 'most' is simply silly.

>If you have a 
>problem with that, you are unable to understand the true issues, and show it 
>with every word.  

The problems are known, but you are trying to misleadingly shove them
under the wrong header. Check http://www.v6fix.net as others have also
pointed out to you. You might have also wanted to read my mails in which
I noted that even Cisco PIXes don't support it yet, unless you get an
EFT or the brand sparkling new 7.0 image.

>You will have no more responses from me.

Thank you very much, that saves me quite some valuable time trying to
reply to posts which are misleading in various ways.

Greets,
 Jeroen




* Re: (usagi-users 03226) Re: support of IPv6 by NFS
From: Elliott Mitchell @ 2005-03-01 21:37 UTC (permalink / raw)
  To: usagi-users; +Cc: netdev, Jeroen Massar

>From: Quantum Scientific <Info@quantum-sci.com>
> On Tuesday 01 March 2005 9:08, Jeroen Massar wrote:
> > On Tue, 2005-03-01 at 07:44 -0600, Quantum Scientific wrote: 
> > >On Tuesday 01 March 2005 4:10, Gilles Quillard wrote:
> > >> This works but this needs that the kernel has been compiled with IPv6, 
> > >> which is not mandatory. A lot of people in the Linux community do not 
> > >> have experience with IPv6 yet and are not ready to use it. So making it 
> > >> mandatory for NFS, even in a pure IPv4 network, is not easy.
> > >
> > >My experience is that IPV6 is extremely difficult to figure out how to set up 
> > >securely, for the time being, due to lack of connection-sharing.
> > 
> > NAT is not a firewall. Get that into your brain.
> 
> Jeroen, was this addressed to me, or to Gilles?  Never mind, it doesn't matter; your 
> words show that you are an uneducated man.

Though I was planning to be more polite, I was going to write a similar
message. If you're depending on a firewall as a main defense, you're
already dead. If you wish your hosts to be secure, they MUST be secure
even if they didn't have a firewall!

The already mentioned approach works quite well. Filter packets with
only the SYN bit set, no incoming connections will work, outgoing
connections will be unaffected. No state needed. Though important for a
firewall, stateful filtering isn't a critical feature to state the IPv6
stack is working.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \   (    |         EHeM@gremlin.m5p.com PGP 8881EF59         |    )   /
  \_  \   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
    \___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/

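The stateless rule Elliott describes above, as an added C example that is not from the thread: a filter that drops TCP segments carrying SYN without ACK (new inbound connections) and passes everything else, including replies to outgoing connections and non-TCP traffic, with no per-flow state. It walks the IPv6 extension-header chain first and fails closed on anything it cannot parse; the packets are constructed inline (::1 to ::1, ports 40000 to 2049 are sample values), so no kernel or ip6tables is involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define TCP_HDR_MIN  20
#define TCP_FLAG_SYN 0x02
#define TCP_FLAG_ACK 0x10
enum verdict { PASS = 0, DROP = 1 };

/* Walk the IPv6 extension headers that may sit between the fixed header and
 * the transport header. Returns the transport header's offset and stores its
 * protocol number in *proto, or -1 if the chain cannot be followed (truncated
 * packet, or a non-first fragment, which carries no transport header). */
static long upper_layer_offset(const uint8_t *pkt, size_t len, uint8_t *proto)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN;
    for (;;) {
        switch (nh) {
        case 0: case 43: case 60:        /* hop-by-hop, routing, dest options */
            if (off + 8 > len) return -1;
            nh = pkt[off];
            off += ((size_t)pkt[off + 1] + 1) * 8;  /* length in 8-octet units */
            break;
        case 44:                         /* fragment header, fixed 8 bytes */
            if (off + 8 > len) return -1;
            if ((((pkt[off + 2] << 8) | pkt[off + 3]) >> 3) != 0) return -1;
            nh = pkt[off];
            off += 8;
            break;
        default:
            *proto = nh;
            return (long)off;
        }
    }
}

/* The rule from the thread: drop TCP segments with SYN set and ACK clear
 * (attempts to open a new inbound connection), pass everything else, and
 * fail closed on anything that cannot be parsed. No per-flow state needed. */
int syn_only_verdict(const uint8_t *pkt, size_t len)
{
    uint8_t proto;
    long off = upper_layer_offset(pkt, len, &proto);
    if (off < 0)
        return DROP;
    if (proto != 6)
        return PASS;                     /* the rule only concerns TCP */
    if ((size_t)off + TCP_HDR_MIN > len)
        return DROP;                     /* truncated TCP header */
    uint8_t flags = pkt[off + 13];
    return (flags & (TCP_FLAG_SYN | TCP_FLAG_ACK)) == TCP_FLAG_SYN ? DROP : PASS;
}

/* Build a constructed IPv6 packet (::1 -> ::1, ports 40000 -> 2049) with an
 * optional 8-byte hop-by-hop header before a 20-byte transport header whose
 * protocol is next_hdr. 'buf' must hold at least 68 bytes. Returns the length. */
size_t build_packet(uint8_t *buf, int with_hbh, uint8_t next_hdr, uint8_t tcp_flags)
{
    size_t off = IPV6_HDR_LEN;
    memset(buf, 0, 68);
    buf[0] = 0x60;                       /* version 6, no traffic class */
    buf[6] = with_hbh ? 0 : next_hdr;    /* next header */
    buf[7] = 64;                         /* hop limit */
    buf[23] = 1;                         /* source ::1 */
    buf[39] = 1;                         /* destination ::1 */
    if (with_hbh) {
        buf[off] = next_hdr;             /* hop-by-hop: next header */
        buf[off + 1] = 0;                /* hdr ext len 0 => 8 bytes total */
        off += 8;
    }
    buf[off] = 0x9c; buf[off + 1] = 0x40;      /* source port 40000 */
    buf[off + 2] = 0x08; buf[off + 3] = 0x01;  /* destination port 2049 */
    buf[off + 12] = 0x50;                      /* data offset: 5 words */
    buf[off + 13] = tcp_flags;
    off += TCP_HDR_MIN;
    buf[4] = (uint8_t)((off - IPV6_HDR_LEN) >> 8);  /* payload length */
    buf[5] = (uint8_t)(off - IPV6_HDR_LEN);
    return off;
}

int main(void)
{
    uint8_t pkt[68];
    size_t n = build_packet(pkt, 0, 6, TCP_FLAG_SYN);
    printf("inbound SYN:   %s\n", syn_only_verdict(pkt, n) == DROP ? "drop" : "pass");
    n = build_packet(pkt, 0, 6, TCP_FLAG_SYN | TCP_FLAG_ACK);
    printf("SYN/ACK reply: %s\n", syn_only_verdict(pkt, n) == DROP ? "drop" : "pass");
    return 0;
}
```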

* Re: support of IPv6 by NFS
From: Harald Welte @ 2005-03-06 11:02 UTC (permalink / raw)
  To: Quantum Scientific; +Cc: netdev, usagi-users


On Tue, Mar 01, 2005 at 07:44:37AM -0600, Quantum Scientific wrote:
> Also one must become an ip6tables expert in order to have a reasonably secure 
> firewall, because ip6tables and 6tables are dead, and Shorewall does not 
> support IPV6 security for some reason.  Another deterrent.

I have to oppose that statement.  ip6tables is not dead, it's alive.
We're even at the brink of submitting nf_conntrack, the new connection
tracking engine that covers ipv4 and ipv6, to the mainline kernel.

I'm running a number of ipv6 packet filters, and as of now we are not
aware of any known issues or bugs in the current ip6tables code base.

-- 
- Harald Welte <laforge@gnumonks.org>          	        http://gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)



* Re: (usagi-users 03222) Re: support of IPv6 by NFS
From: Harald Welte @ 2005-03-06 11:04 UTC (permalink / raw)
  To: Jeroen Massar; +Cc: usagi-users, netdev


On Tue, Mar 01, 2005 at 04:08:32PM +0100, Jeroen Massar wrote:
> >My experience is that IPV6 is extremely difficult to figure out how
> >to set up securely, for the time being, due to lack of
> >connection-sharing.
> 
> NAT is not a firewall. Get that into your brain.

oh, that was what he meant.  I wasn't familiar with the term 'connection
sharing'.  

I've stated numerous times that IPv6<->IPv6 NAT will only end up in
netfilter/iptables over my dead body.  IPv4<->IPv6 NAT-PT is a different
issue, obviously.

btw, the IETF BEHAVE group is actually demanding that a NAT device does
not NAT ipv6 traffic!!

> And indeed there is no Linux firewalling code yet, in the mainstream
> that can do connection tracking. 

still, ip6_conntrack is shipped by commercial distributions like SuSE...

-- 
- Harald Welte <laforge@gnumonks.org>          	        http://gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)



* Re: (usagi-users 03249) Re: support of IPv6 by NFS
From: Jeroen Massar @ 2005-03-06 15:40 UTC (permalink / raw)
  To: usagi-users; +Cc: netdev


On Sun, 2005-03-06 at 12:04 +0100, Harald Welte wrote:
>On Tue, Mar 01, 2005 at 04:08:32PM +0100, Jeroen Massar wrote:
>> >My experience is that IPV6 is extremely difficult to figure out how
>> >to set up securely, for the time being, due to lack of
>> >connection-sharing.
>> 
>> NAT is not a firewall. Get that into your brain.
>
>oh, that was what he meant.  I wasn't familiar with the term 'connection
>sharing'.  

That is the Windows term for it ;)

>I've stated numerous times that IPv6<->IPv6 NAT will only end up in
>netfilter/iptables over my dead body.

Hmmm..... then I guess that I'll have to kill you at some point ;)
But I'll leave it to printing out a kernel source and throwing it on
your casket in a year or 100 or so.

>IPv4<->IPv6 NAT-PT is a different issue, obviously.
>
>btw, the IETF BEHAVE group is actually demanding that a NAT device does
>not NAT ipv6 traffic!!

Doing the NAT as in the 'connection sharing', or better said, "rewriting
source/dest addresses and packet contents" is evil. But the other method
for which we are going to use a "translation of addresses", but on both
sides will be very interesting and will cost you your dead body <grin>.

>> And indeed there is no Linux firewalling code yet, in the mainstream
>> that can do connection tracking. 
>
>still, ip6_conntrack is shipped by commercial distributions like SuSE...

There is nothing wrong with connection tracking as that can be used for
checking if a certain packet is allowed to come back into the firewall
or not, one of the basic principles of stateful firewalling.

Greets,
 Jeroen



