[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: on NAT-PT



>	there are some concerns raised in the working group meeting
>	with respect to NAT-PT.  it seems to me that the concerns does not
>	have enough technical ground (or there are some confusions in
>	understanding how NAT-PT works).  i don't see the need for revising
>	NAT-PT at all.  some clarifications on the document might be nice,
>	but no major re-work is needed, IMHO.

	more comments on other drafts.

	i'm not really defending NAT-PT itself, actually i would like to see
	less use of NAT-PT (i prefer dual stack approach).   i just don't see
	the technical ground for the voices like "NAT-PT is evil, need a
	revised version".

itojun


draft-durand-natpt-dns-alg-issues-00.txt
1.1

>   RFC2766 is not clear on how a DNS-ALG should treat answers to A
>   queries made by internal nodes. As a matter of fact, one could
>   fear that a careless a DNS-ALG would also intercept them and translate
>   them into a AAAA form.  In other words, nodes asking for a A record
>   could be returned a AAAA record. Although this may not be a problem
>   for simple IPv6 only applications, it may be a concern for applications
>   that 'walk through' the DNS structure and may pas information to peers.

	if you are an IPv6-only node and would like to communicate with IPv4-
	only node within the same site, you will still want to use NAT-PT
	translator, therefore it is okay for DNS-ALG to translate A responses
	into AAAA responses.

>   Second, the application has no way of knowing that the returned AAAA
>   address is actually not a real IPv6 one, but a IPv4 translated one.
>   It may be led to believe that it's a real one and think "It's IPv6,
>   so it has End to End IP connectivity, thus there will be no NAT in
>   the middle and I can use any IPv6 specific options"

	This is the whole point of NAT - you want NAT box be invisible
	from the NAT customers (in NAT-PT case, IPv6-only nodes).
	if the NAT is visible to the NAT customer, it is more like RSIP.

1.2

>   => The communication between a node within the NAT-PT domain and a
>   external dual stack host will select the translated path over the
>   native IPv6 path.

	It really depends on how your DNS-ALG treats dual stack FQDN.
	As far as I understand, DNS-ALG won't perform address rewrite (from A
	to AAAA) if an FQDN has both A and AAAA records.  Therefore, the
	point made in 1.2 looks moot.

1.3

>   NAT-PT ALG makes the assumption that the DNS traffic goes through the
>   NAT-PT box.
>
>   This is OK is DNS resolution is done over IPv4. However, if it is
>   done over IPv6, there is no reason why the DNS traffic will still go
>   through the NAT-PT box unless the NAT-PT box is also the default IPv6
>   router of the site.

	not necessary.  what NAT-PT really want are:
	- the translated prefix (P::/96) used by DNS-ALG gets routed towards
	  NAT-PT translator box.
	- NAT-PT translator box, as well as DNS-ALG be dual stack
	there's no requirement at all for NAT-PT translator box, nor DNS-ALG
	box, being a default router.

	i guess RFC2766 is a bit unclear about this point - you may want to
	check RFC3142 for better documentation.

1.4
	
>   Section 7.5 of RFC2766 says that NAT-PT is not deployable with DNS-
>   sec.  It would work if all the DNS resolution were done over IPv6,
>   but in a mixed environment as described in draf-ietf-ngtrans-dns-
>   ops-req-03.txt, this will be a problem.

	as written in the previous email meesage, why bother.
>>	(5) - when you rely upon DNS responses created on the fly, as well as
>>	a box that rewrites your data traffic, why this is a show-stopper?