[RRG] Mitigating the Downsides of NAT'ing
Folks,

the discussion on interworking (subject "Comments on draft-lewis-lisp-
interworking") has shown that both PTRs and NAT'ing have important
shortfalls: PTRs lack a convincing incentives model, and NAT'ing has
technical issues. One way of solving the problem is to try and find
an incentives model for PTRs, another would be to mitigate the
technical issues of NAT'ing. Six/One Router is doing the latter, and
maybe this can provide the right balance between incentives and
technical soundness. Would be interesting to hear your opinion.
Robin and Brian brought up 3 technical issues with normal NAT'ing:

(1) Unreachability of hosts behind NAT
(2) Translation issues (processing complexity, exhaustion of external
    address pool, premature state expiry)
(3) Loss of end-to-end semantics
Here is how Six/One Router mitigates these issues:

(1) Hosts reachable at edge and transit addresses

    This requires DNS proxies in upgraded (i.e., Six/One-Router-capable)
    edge networks: Receiving an A/AAAA query, a proxy queries for both
    edge and transit addresses. The full reply is forwarded to Six/One
    routers (to be used for mapping), but only edge addresses are
    forwarded to the resolver. There are 3 options for realizing this
    (many credits to Stéphane Bortzmeyer):

    (1a) Both edge and transit addresses are returned in standard
         A/AAAA records, and extra (newly defined) "E/EEEE" records
         indicate which ones are edge addresses. The DNS proxy
         forwards only the A/AAAA records that include edge
         addresses to the resolver. This is compatible with DNSSEC
         because forwarded records are unchanged.

    (1b) Transit addresses are returned in A/AAAA records, edge
         addresses in E/EEEE records. The DNS proxy converts the
         E/EEEE records into A/AAAA records and forwards them to the
         resolver. DNSSEC can only be used between the proxy and
         the DNS servers; the resolver must trust the proxy.

    (1c) Like (1b), but DNSSEC signatures for E/EEEE records are
         computed as if the record type was that of A/AAAA records.
         DNSSEC works end-to-end between the DNS servers and the
         resolver.

    DNS proxies may be configured into hosts as DNS servers, or they
    may be co-located in Six/One routers to intercept DNS queries
    leaving the edge network. The latter enables hosts to use DNS
    servers outside their edge network.
(2) 1-to-1 NAT'ing whenever possible

    Most of the issues with today's NATs are specific to many-to-1
    translation and absent from 1-to-1 translation. Address
    translation in Six/One Router can always be 1-to-1. Only when a
    host in an upgraded edge network communicates with an IPv4-only
    host in a legacy edge network may many-to-1 translation be more
    desirable due to IPv4 address scarcity.

    If two upgraded edge networks communicate, Six/One Router does
    not perform NAT'ing, but rather an equivalent to tunneling.
(3) Provide reverse-mapping functionality

    A Six/One router has functionality for "inverse" NAT'ing (which
    yields an equivalent to tunneling). This eliminates the
    disadvantages of NAT'ing when Six/One Router is deployed on both
    sides of a packet exchange.

Six/One Router is certainly not a panacea against the adverse impacts
of NATs. But it eliminates some of them from day one, and all of them
for an increasing number of packet exchanges in the long run.
- Christian
--
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg
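The DNS-proxy behaviour of options (1a) and (1b) above, as an added illustration that is not part of Christian's post or of Six/One Router itself; the E/EEEE record types, the (name, type, rdata) tuple layout of a reply and the addresses are constructed assumptions:

```python
# Added example, not from the RRG post: a toy model of the Six/One-Router
# DNS proxy in options (1a) and (1b). Record types "E"/"EEEE" and the
# reply layout as (owner name, RR type, rdata) tuples are assumptions.
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]

# Constructed reply in the (1a) layout: every address is in a normal
# A/AAAA record; E/EEEE records mark which addresses are edge addresses.
REPLY_1A: List[Record] = [
    ("host.example", "A", "192.0.2.10"),         # edge IPv4
    ("host.example", "A", "203.0.113.10"),       # transit IPv4
    ("host.example", "AAAA", "2001:db8:1::10"),  # edge IPv6
    ("host.example", "AAAA", "2001:db8:2::10"),  # transit IPv6
    ("host.example", "E", "192.0.2.10"),
    ("host.example", "EEEE", "2001:db8:1::10"),
]

# Constructed reply in the (1b) layout: A/AAAA carry transit addresses,
# E/EEEE carry the edge addresses.
REPLY_1B: List[Record] = [
    ("host.example", "A", "203.0.113.10"),
    ("host.example", "AAAA", "2001:db8:2::10"),
    ("host.example", "E", "192.0.2.10"),
    ("host.example", "EEEE", "2001:db8:1::10"),
]

def proxy_option_1a(reply: List[Record]):
    """Return (records for the Six/One router, records for the resolver).
    The router gets the whole reply for mapping; the resolver gets only
    the A/AAAA records whose address an E/EEEE record marks as an edge
    address. Forwarded records are passed through unchanged, which is
    why their DNSSEC signatures (not modelled here) stay verifiable."""
    edge = {d for _, t, d in reply if t in ("E", "EEEE")}
    to_resolver = [r for r in reply if r[1] in ("A", "AAAA") and r[2] in edge]
    return list(reply), to_resolver

def proxy_option_1b(reply: List[Record]):
    """Option (1b): rewrite E->A and EEEE->AAAA for the resolver. The
    resolver now receives records the authoritative server never signed,
    so it has to trust the proxy rather than DNSSEC."""
    rewrite = {"E": "A", "EEEE": "AAAA"}
    to_resolver = [(n, rewrite[t], d) for n, t, d in reply if t in rewrite]
    return list(reply), to_resolver

def edge_to_transit_map(reply: List[Record]) -> Dict[str, List[str]]:
    """Mapping a Six/One router can derive from a full (1a) reply:
    edge address -> transit addresses of the same address family."""
    edge = {d for _, t, d in reply if t in ("E", "EEEE")}
    mapping: Dict[str, List[str]] = {}
    for family in ("A", "AAAA"):
        addrs = [d for _, t, d in reply if t == family]
        for e in (a for a in addrs if a in edge):
            mapping[e] = [a for a in addrs if a not in edge]
    return mapping
```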