[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: on NAT-PT



has any way been found as yet to accomplish end to end ipsec with nat.if
not, will this require a modification in the way ipsec ah and ipsec esp
works or will nat-pt will have to be revised alltogether (which i don't
think is a very good proposition)? i think an urgent solution to this is
required if nat/napt-pt is to be used at a larger scale.
regards
anand

> -----Original Message-----
> From:	itojun@iijlab.net [SMTP:itojun@iijlab.net]
> Sent:	Thursday, November 28, 2002 11:44 AM
> To:	v6ops@ops.ietf.org
> Subject:	Re: on NAT-PT 
> 
> >	there are some concerns raised in the working group meeting
> >	with respect to NAT-PT.  it seems to me that the concerns does not
> >	have enough technical ground (or there are some confusions in
> >	understanding how NAT-PT works).  i don't see the need for revising
> >	NAT-PT at all.  some clarifications on the document might be nice,
> >	but no major re-work is needed, IMHO.
> 
> 	more comments on other drafts.
> 
> 	i'm not really defending NAT-PT itself, actually i would like to see
> 	less use of NAT-PT (i prefer dual stack approach).   i just don't
> see
> 	the technical ground for the voices like "NAT-PT is evil, need a
> 	revised version".
> 
> itojun
> 
> 
> draft-durand-natpt-dns-alg-issues-00.txt
> 1.1
> 
> >   RFC2766 is not clear on how a DNS-ALG should treat answers to A
> >   queries made by internal nodes. As a matter of fact, one could
> >   fear that a careless a DNS-ALG would also intercept them and translate
> >   them into a AAAA form.  In other words, nodes asking for a A record
> >   could be returned a AAAA record. Although this may not be a problem
> >   for simple IPv6 only applications, it may be a concern for
> applications
> >   that 'walk through' the DNS structure and may pas information to
> peers.
> 
> 	if you are an IPv6-only node and would like to communicate with
> IPv4-
> 	only node within the same site, you will still want to use NAT-PT
> 	translator, therefore it is okay for DNS-ALG to translate A
> responses
> 	into AAAA responses.
> 
> >   Second, the application has no way of knowing that the returned AAAA
> >   address is actually not a real IPv6 one, but a IPv4 translated one.
> >   It may be led to believe that it's a real one and think "It's IPv6,
> >   so it has End to End IP connectivity, thus there will be no NAT in
> >   the middle and I can use any IPv6 specific options"
> 
> 	This is the whole point of NAT - you want NAT box be invisible
> 	from the NAT customers (in NAT-PT case, IPv6-only nodes).
> 	if the NAT is visible to the NAT customer, it is more like RSIP.
> 
> 1.2
> 
> >   => The communication between a node within the NAT-PT domain and a
> >   external dual stack host will select the translated path over the
> >   native IPv6 path.
> 
> 	It really depends on how your DNS-ALG treats dual stack FQDN.
> 	As far as I understand, DNS-ALG won't perform address rewrite (from
> A
> 	to AAAA) if an FQDN has both A and AAAA records.  Therefore, the
> 	point made in 1.2 looks moot.
> 
> 1.3
> 
> >   NAT-PT ALG makes the assumption that the DNS traffic goes through the
> >   NAT-PT box.
> >
> >   This is OK is DNS resolution is done over IPv4. However, if it is
> >   done over IPv6, there is no reason why the DNS traffic will still go
> >   through the NAT-PT box unless the NAT-PT box is also the default IPv6
> >   router of the site.
> 
> 	not necessary.  what NAT-PT really want are:
> 	- the translated prefix (P::/96) used by DNS-ALG gets routed towards
> 	  NAT-PT translator box.
> 	- NAT-PT translator box, as well as DNS-ALG be dual stack
> 	there's no requirement at all for NAT-PT translator box, nor DNS-ALG
> 	box, being a default router.
> 
> 	i guess RFC2766 is a bit unclear about this point - you may want to
> 	check RFC3142 for better documentation.
> 
> 1.4
> 	
> >   Section 7.5 of RFC2766 says that NAT-PT is not deployable with DNS-
> >   sec.  It would work if all the DNS resolution were done over IPv6,
> >   but in a mixed environment as described in draf-ietf-ngtrans-dns-
> >   ops-req-03.txt, this will be a problem.
> 
> 	as written in the previous email meesage, why bother.
> >>	(5) - when you rely upon DNS responses created on the fly, as well
> as
> >>	a box that rewrites your data traffic, why this is a show-stopper?