
Re: [Fwd: I-D ACTION:draft-vandevelde-v6ops-nap-01.txt]



Eric,

thanks for your comments, I'll try to address your comments/questions
below:
On Fri, 2005-02-04 at 18:45, ext EricLKlein wrote:
> Speaking for myself, as one of the Authors - see comments below.
> 

> > General comment: I think the audience of the paper are people who are
> > already true believers of IPv6 and then people that are just trying to
> > find the functionality that they need, or think they need from NATs. I
> > think neither of these people groups actually need any health warnings
> > on NATs themselves or are even interested in the problems of NATs.
> 
> Actually when I got involved with writing this it was for the IPv6 nay
> sayers who felt that NAT was the most important feature in the IP world. I
> spoke with people in network security and network administration roles and
> when they heard that we had deprecated RFC1918-like addresses in IPv6 they
> completely freaked out. They felt that NAT was needed for site security, or
> for separation of subnets, or other of the "perceived values" that we put
> into the paper.
> 
> So in short my goal was a paper that could be used by the IPv6 true believers
> to either explain to newbies or disbelievers why their NAT was not being
> upgraded with the rest of the addresses and networking.

What I meant was: the true believers already know NATs are bad - they
don't need the repetition, and the people that think that NATs are the
best things since sliced bread are not going to believe it anyways.
Important story of the document is that IPv6 can provide you the
functionality that you think you are getting from NATs, but only better.

Anyways, that was just my opinion, and I don't feel very strongly about
it.

[Snip]

> 
> > Some comments about the text itself:
> If your provider is doing this (and it is not the first time I have heard of
> this configuration) then are you using NAT after the fixed address to share
> the connection between multiple hosts? Thus making it:
> 
> Fixed address (Carrier to carrier) <-> NAT (Carrier to Customer) <-> NAT
> Customer Network  <-> Host
> 
> If so then it is you that are saving the IP addresses not the carrier (this
> is why we have many different categories in section 5).
> As to the security concerns, where I have seen this done the carriers are
> usually using NAT to subnet their network (as described in 5.4) so that they
> have one large block and are using it to reduce problems in their
> administration network. But you are right, to you there is still no security
> benefit.

Actually, I don't have NAT in my network. The setup is strange, because
there is this interesting thing going on: My IP access is provided by a
company that provides me access (with a VPN) to my company. However, to
get access to Internet I need a second provider. There are multiple
providers I can choose from and I have a contract with one of them. To
access the Internet I have to "activate" the access, by first choosing
my provider from a web menu and then giving the credentials (username,
password). After that I have Internet access. However, as by the time I
boot my computer it is not known which provider's access I'm going to
use, they cannot give me the real IP addresses. When I then activate the
Internet access they would have to renumber my computer's IP address, so it
is easier to NAT.
I actually can connect up to five computers to the Internet and really
all private addresses seem to correspond to an individual public
address...

> 
> Not all that is bad with NAT is limited to security.

I know, but this section is about security. I think the point is valid,
but it just seems to be in the wrong place.

Cheers,

Jonne.
-- 
Jonne Soininen
Nokia

Tel: +358 40 527 46 34
E-mail: jonne.soininen@nokia.com