- Fragmentation is no longer handled at the router level. It is negotiated by the hosts before hand.
- Therefore, it is necessary for firewalls to allow Path MTU Discovery (PMTU) (RFC 1981) between communicating hosts.
- Mobile IPv6 requires a consistent Home Address (which must be a global unicast address) and a Care-of Address (which also must be a global unicast address) for our mobile devices to operate when moving between networks.
- Although computationally expensive workarounds are possible, IPSec prefers end-to-end connectivity for confidentiality and integrity.
Network Address Translation is a burden on all of these. I found an interesting presentation by David Kessens and Teemu Savolainen with Nokia about the impact that IPv6 will have on batterly life. In order to keep track of the many private addresses, a NAT device has to maintain a mapping state when a connection is established. In order to keep this mapping state established the end node must send keep-alive packets to let the NAT device know that it isn't finished with the connection. For mobile devices, which are often behind NAT firewalls, this can be a real battery drain. With an IPv6 global unicast address this won't be necessary.
As a side note, firewalls could require a keep-alive for reasons other then NAT. Many stateful firewalls will make use of reflexive ACLs. These will open up a reverse connection inbound for clients behind the firewall that are making a connection outbound. These reflexive ACLs will only be open for a limited amount of time; until the connection is gracefully terminated or a timeout is reached. I mention all of this for completeness sake. IPv6 will not be able to completely eliminate keep-alive packets.
-Chris
No comments:
Post a Comment