Problems with removing NAT from a network

[matthew at matthew.at (Matthew Kaufman)]

On 1/5/2011 9:39 PM, Cameron Byrne wrote:
>
> I understand my users pretty well, they only go to a few web pages ...
> its the nature of the net.  I assure you, i am not taking any undue
> risk with regards to web.  Try our friendly user trial and give me
> your feedback, thats why i am running it.
I'm not particularly surprised that a mobile client platform has a 
different access pattern than desktop users... not a whole lot of mobile 
BitTorrent clients yet, for instance.
>
> Ah Skype.  According to your web page you work at Skype.  Skype is a
> well known IPv6 spoiler application.  In fact, in the IETF and many
> other circles, Skype is the only app that we can't seem to get to work
> with IPv6.  Are you here to help with that or to tell us that we need
> to keep IPv4 around indefinitely?
Indeed, I work at Skype now and Adobe (developing RTMFP) before that.

At this point (because not everyone has IPv6) this class of applications 
(along with BitTorrent and ICE-using VoIP apps) needs to be able to use 
your NAT64 to talk to peers that are IPv4-only. To do that, they need to 
be able to discover your NAT64 even though they're not doing DNS lookups 
to find the IPv4 addresses of peers.

This will take 1) a way to do this and 2) upgrades of the apps to take 
advantage of it. It is impossible to do #2 until #1 is solved.

There's been discussion in BEHAVE about this topic... 
draft-korhonen-behave-nat64-learn-analysis for instance. I even proposed 
a solution that wasn't raised in that or previous documents here: 
http://www.ietf.org/mail-archive/web/behave/current/msg09050.html (which 
I suppose, since it hasn't been mentioned elsewhere, should be written 
up as a draft if/when I have some free time)

>   Skype should not be the IPv6 spoiler app when
> NEARLY EVERYTHING ELSE WORKS.  Read the thread i mentioned, real
> users, real developers, real network that is IPv6-only.  Notice that
> things generally work, those folks have hacked their way to perhaps
> even making Skype work.
There's lots of other apps that don't work. Skype is just the squeaky 
wheel because it is so popular.


>
> Seriously, 95+% of my traffic is web and email, and STUN and ICE don't
> matter much to grandma as long as m.v6.facebook.com loads.
See my above comment about how I'm not surprised, given the specific 
client population.
>
> As long as dual-stack is around, the app vendors don't have to move
> and network guys have to dream up hacks to support these legacy apps
> (CGN ....).
Dual-stack + NAT44 has a lot fewer unsolved corner cases *and* doesn't 
require apps to be upgraded to do discovery of the NAT64 prefix(es) 
(which, for some legacy apps that are no longer under development will 
never happen).

NAT64/DNS64 is an interesting experiment that works for >95% of the web. 
But it isn't really a solution unless "the web" is all you care about.

Matthew Kaufman