
[RRG] Mitigating the Downsides of NAT'ing



Folks,

the discussion on interworking (subject "Comments on draft-lewis-lisp-interworking")
has shown that both PTRs and NAT'ing have important
shortfalls:  PTRs lack a convincing incentives model, and NAT'ing has
technical issues.  One way of solving the problem is to try and find
an incentives model for PTRs, another would be to mitigate the
technical issues of NAT'ing.  Six/One Router is doing the latter, and
maybe this can provide the right balance between incentives and
technical soundness.  Would be interesting to hear your opinion.


Robin and Brian brought up 3 technical issues with normal NAT'ing:

(1)  Unreachability of hosts behind NAT

(2)  Translation issues (processing complexity, exhaustion of external
     address pool, premature state expiry)

(3)  Loss of end-to-end semantics


Here is how Six/One Router mitigates these issues:

(1)  Hosts reachable at edge and transit addresses

     This requires DNS proxies in upgraded (i.e., Six/One-Router-capable)
     edge networks:  Receiving an A/AAAA query, a proxy
     queries for both edge and transit addresses. The full reply is
     forwarded to Six/One routers (to be used for mapping), but only
     edge addresses are forwarded to the resolver.  There are 3
     options for realizing this (many credits to Stéphane Bortzmeyer):

     (1a)  Both edge and transit addresses are returned in standard
           A/AAAA records, and extra (newly defined) "E/EEEE" records
           indicate which ones are edge addresses.  The DNS proxy
           forwards only the A/AAAA records that include edge
           addresses to the resolver.  This is compatible with DNSSEC
           because forwarded records are unchanged.

     (1b)  Transit addresses are returned in A/AAAA records, edge
           addresses in E/EEEE records.  The DNS proxy converts the
           E/EEEE records into A/AAAA records and forwards them to the
           resolver.  DNSSEC can only be used between the proxy and
           the DNS servers; the resolver must trust the proxy.

     (1c)  Like (1b), but DNSSEC signatures for E/EEEE records are
           computed as if the record type was that of A/AAAA records.
           DNSSEC end-to-end between the DNS servers and the resolver.

     DNS proxies may be configured into hosts as DNS servers, or they
     may be co-located in Six/One routers to intercept DNS queries
     leaving the edge network.  The latter enables hosts to use DNS
     servers outside their edge network.


(2)  1-to-1 NAT'ing whenever possible

     Most of the issues with today's NATs are specific to many-to-1
     translation and absent from 1-to-1 translation.  Address
     translation in Six/One Router can always be 1-to-1.  Only when a
     host in an upgraded edge network communicates with an IPv4-only
     host in a legacy edge network, many-to-1 translation may be more
     desired due to IPv4 address scarcity.

     If two upgraded edge networks communicate, Six/One Router does
     not perform NAT'ing, but rather an equivalent to tunneling.


(3)  Provide reverse-mapping functionality

     A Six/One router has functionality for "inverse" NAT'ing (which
     yields an equivalent to tunneling).  This eliminates the
     disadvantages of NAT'ing when Six/One Router is deployed on both
     sides of a packet exchange.


Six/One Router is certainly not a panacea against the adverse impacts
of NATs.  But it eliminates some of them from day one, and all of them
for an increasing number of packet exchanges in the long run.

- Christian
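As an added illustration that is not part of Christian's message, here is a small Python model of the DNS proxy behaviour under options (1a) and (1b) from point (1) above: the proxy splits the full reply into the edge-only view for the resolver and the edge/transit table for the Six/One router, and a digest standing in for an RRSIG shows why (1a) keeps DNSSEC intact while (1b) forces the resolver to trust the proxy. The record layout, names, addresses and the digest are constructed assumptions, not anything defined by Six/One Router.

```python
import hashlib

# Constructed toy DNS answer for option (1a): A/AAAA records carry both the
# edge and the transit address, and E/EEEE records flag which addresses are
# edge addresses.  Names and addresses are made up (documentation ranges).
# Each record is (owner, rtype, rdata).
SAMPLE_1A = [
    ("host.example.", "A", "192.0.2.10"),        # edge address
    ("host.example.", "A", "198.51.100.10"),     # transit address
    ("host.example.", "E", "192.0.2.10"),        # flags 192.0.2.10 as edge
    ("host.example.", "AAAA", "2001:db8::10"),   # edge address
    ("host.example.", "AAAA", "2001:db8:1::10"), # transit address
    ("host.example.", "EEEE", "2001:db8::10"),   # flags 2001:db8::10 as edge
]

# Constructed answer for option (1b): transit address in A, edge only in E.
SAMPLE_1B = [
    ("host.example.", "A", "198.51.100.10"),     # transit address
    ("host.example.", "E", "192.0.2.10"),        # edge address, own type
]

ADDR_TYPES = ("A", "AAAA")
FLAG_TYPES = ("E", "EEEE")

def sign(record):
    """Stand-in for a DNSSEC RRSIG: a digest over the record as served."""
    return hashlib.sha256("|".join(record).encode()).hexdigest()

def proxy_1a(answer):
    """Option (1a) proxy.  Returns (records forwarded to the resolver,
    edge/transit table handed to the Six/One router).  The resolver only
    sees A/AAAA records whose address is flagged by an E/EEEE record, and
    those records are forwarded unchanged."""
    edge = {(o, r) for o, t, r in answer if t in FLAG_TYPES}
    to_resolver = [rec for rec in answer
                   if rec[1] in ADDR_TYPES and (rec[0], rec[2]) in edge]
    table = {}
    for owner, rtype, rdata in answer:
        if rtype in ADDR_TYPES:
            slot = table.setdefault(owner, {"edge": [], "transit": []})
            slot["edge" if (owner, rdata) in edge else "transit"].append(rdata)
    return to_resolver, table

def proxy_1b(answer):
    """Option (1b) proxy: edge addresses arrive only in E/EEEE records and are
    rewritten into A/AAAA records before being forwarded to the resolver."""
    return [(o, "A" if t == "E" else "AAAA", r) for o, t, r in answer if t in FLAG_TYPES]

def verifies(served, forwarded):
    """Resolver-side check: every forwarded record must match a signature the
    server computed over a record it actually served."""
    sigs = {sign(rec) for rec in served}
    return all(sign(rec) in sigs for rec in forwarded)
```

Under (1a) every record the resolver sees is byte-for-byte what the server signed, so `verifies` holds; under (1b) the rewritten records carry no server signature, which is the "resolver must trust the proxy" caveat.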



--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg