
keeping NAT mappings stable [Re: v6 deployment in general [Re: tunnel broker deployment [RE: Tunneling scenarios and mechanisms evaluation]]]



On Wed, 17 Mar 2004, Erik Nordmark wrote:
> > > > The problem is worse with transition mechanisms, especially the ones 
> > > > which traverse NATs, but the situation may improve as soon as we can 
> > > > get rid of them.  In any case, such mechanisms can provide a stable 
> > > > as long as they can keep the NAT/IP mappings stable -- which is, for a 
> > > > properly designed application, maybe sufficient.
> > > 
> > > I guess I don't understand what "such mechanisms" refer to above.
> > > I don't know if mechanisms like Teredo can provide a stable IPv6 address 
> > > when the nat mappings change, but doing TB/UDP for nat traversal should be
> > > able to provide stable IP addresses/prefixes in this case.
> > 
> > The point is to keep the NAT (etc.) mappings open as long as possible
> > so that they don't change -- and if they change, that'd be due to ISP
> > trying to enforce the user to a specific policy (e.g., changing v4
> > addresses on the fly) -- and I'm not sure if it's worth trying to
> > outsmart ISPs.  Stupidity always wins, with the customer in even a
> > bigger mess in the end.. :-/
> 
> I still don't understand what you were trying to say in the first paragraph
> above.
> That paragraph doesn't take into account that one can build
> tunnel broker UDP tunneling schemes where the IPv6 address/prefix
> is stable when the NAT mapping changes.

Of course -- but such technology will have additional complexity in
terms of signalling (the most important one: user must be
authenticated/identified -- in the case of more or less anonymous
service, this may not be feasible).  

The point is that there can be mechanisms which tie the stability of
v6 prefix to the stability of the v4 address [/port].  This seems to 
be sufficient for a less advanced user, for a transition mechanism.  
The v6 prefix stability irrespective of v4 address[/port] would be an 
optional, additional signalling method, to be used where user 
authentication is feasible.

> Was that paragraph only talking about Teredo? I read it as attempting to
> make a more general statement.

Teredo is currently an example of this; STEP in ad-hoc mode is
another.  This is a more generic issue, especially if we want to
ensure zero-configured IPv6 deployment in ISPs' non-upgraded access
networks.
 
> On the third paragraph above, the NAT mapping might change for
> multiple reasons - one of them being the ISP forcing a new external IP
> address of the NAT box. Others being the NAT state timing out for various
> reasons (having lived 3 years behind a ISDN NAT box which loses the UDP
> port mapping when the ISDN line is dropped due to lack of traffic
> I've seen this).

Of course; the point is avoiding losing the mapping.  But if it gets
lost, you either renumber (v6 and possibly v4) or reconfigure the
tunnel end-point (if supported and possible).  Depending on how quickly
you are able to detect this, you may or may not be able to prevent v6
TCP connections failing during the failure period.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
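The two designs contrasted in the message above, as an added example that is not code from the thread or from any of the mechanisms it names: a Python model of a UDP tunnel client behind a NAT whose mapping times out when idle. The Teredo address derivation follows RFC 4380 section 4 (prefix 2001::/32, server IPv4, flags, obfuscated port and client IPv4) and is checked against the example address in the Python ipaddress documentation; the NAT model, the keepalive driver and the "broker-style" client (whose prefix is bound to an authenticated user rather than to the mapping) are constructed for illustration and do not reproduce any particular tunnel broker protocol.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # RFC 4380 section 2.6


def teredo_address(server_v4, mapped_v4, mapped_port, cone=False):
    """Derive a Teredo address from the server address and the (address, port)
    the server observed on the client's UDP packets (RFC 4380 section 4).
    The IPv6 address is therefore a function of the v4 mapping."""
    flags = 0x8000 if cone else 0x0000
    value = (int(TEREDO_PREFIX.network_address)
             | int(ipaddress.IPv4Address(server_v4)) << 64
             | flags << 48
             | (mapped_port ^ 0xFFFF) << 32
             | (int(ipaddress.IPv4Address(mapped_v4)) ^ 0xFFFFFFFF))
    return ipaddress.IPv6Address(value)


class ToyNAT:
    """Constructed NAT model: a UDP mapping is dropped after `timeout` idle
    seconds and the next packet gets a fresh external port (like the ISDN
    box in the thread dropping state when the line goes idle)."""

    def __init__(self, external_v4, timeout, first_port=40000):
        self.external_v4 = external_v4
        self.timeout = timeout
        self.next_port = first_port
        self.port = None
        self.last_seen = None

    def translate(self, now):
        if self.port is None or now - self.last_seen > self.timeout:
            self.port = self.next_port      # mapping lost: allocate a new one
            self.next_port += 1
        self.last_seen = now
        return self.external_v4, self.port


@dataclass
class TeredoStyleClient:
    """v6 address tied to the v4 address/port: a mapping change is a renumber."""
    server_v4: str
    address: Optional[ipaddress.IPv6Address] = None
    renumberings: int = 0

    def on_mapping(self, mapped):
        new = teredo_address(self.server_v4, *mapped)
        if self.address is not None and new != self.address:
            self.renumberings += 1
        self.address = new


@dataclass
class BrokerStyleClient:
    """Assumed authenticated TB/UDP tunnel: the prefix belongs to the user, so a
    mapping change only updates the tunnel end-point registered at the broker."""
    prefix: ipaddress.IPv6Network
    endpoint: Optional[tuple] = None
    endpoint_updates: int = 0

    def on_mapping(self, mapped):
        if self.endpoint is not None and mapped != self.endpoint:
            self.endpoint_updates += 1   # re-register end-point, prefix unchanged
        self.endpoint = mapped


def run(client, keepalive, duration, idle_gaps=(), nat_timeout=30):
    """Send a keepalive every `keepalive` s for `duration` s through a fresh
    ToyNAT, skipping the windows in `idle_gaps` (constructed outages)."""
    nat = ToyNAT("198.51.100.7", timeout=nat_timeout)
    t = 0
    while t <= duration:
        if not any(start <= t < end for start, end in idle_gaps):
            client.on_mapping(nat.translate(t))
        t += keepalive
    return client


def demo():
    """Three scenarios against a 30 s NAT timeout; returns counts per client."""
    prefix = ipaddress.IPv6Network("2001:db8:1234::/48")  # assumed TB assignment
    server = "65.54.227.120"
    return {
        # keepalive shorter than the NAT timeout: mapping, and v6 address, stable
        "stable": (run(TeredoStyleClient(server), 20, 200).renumberings,
                   run(BrokerStyleClient(prefix), 20, 200).endpoint_updates),
        # line idle from t=60 to t=120: one mapping loss, one renumber/update
        "outage": (run(TeredoStyleClient(server), 20, 200, [(60, 120)]).renumberings,
                   run(BrokerStyleClient(prefix), 20, 200, [(60, 120)]).endpoint_updates),
        # keepalive longer than the NAT timeout: every packet renumbers
        "too_slow": (run(TeredoStyleClient(server), 40, 200).renumberings,
                     run(BrokerStyleClient(prefix), 40, 200).endpoint_updates),
    }


if __name__ == "__main__":
    print(demo())
```

Both clients see the same number of mapping changes; the difference is what a change costs. The Teredo-style client's address changes with the mapping, so every loss is a renumbering that breaks existing v6 TCP connections, while the broker-style client keeps its prefix and only needs a signalling step, which is exactly what requires the client to be identifiable to the broker.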