Re: IPv6-PMP?



On Apr 12, 2007, at 19:08, Thomas Narten wrote:

> As much as I am no fan of NAT, NAT is made even worse by the lack of standards and predictability in what has been deployed.
>
> Will we see the same with firewalls? This is an important question, given that a premise of IPv6 is to restore end-to-end addressing. We won't see that if firewalls effectively block all inbound connections by default.

End-to-end addressing isn't going away unless the various open threats of IPv6 NAT get more traction, which I don't yet see happening. (At the moment, I can only think of one compelling reason to implement IPv6 NAT, and I don't consider it a particularly big threat because I don't see it actually destroying end-to-end addressing. It will happen, though. In fact, it's on my medium-term list of things to do, mainly because otherwise I don't have a good mechanism for redirecting IPv6 flows into application layer gateways.)

I think it's reasonable to expect that if IETF doesn't produce a standard for endpoint nodes to signal routers (any of which may or may not be comprised of stateful packet filters) of their expectation to receive incoming flow initiations, then Apple will probably decide to implement something non-standard, of its own invention, and ship it without waiting for the blessings of IETF. It's not like we haven't done that before. In the IPv4/NAT case, the behavior we need today is implemented by NAT-PMP (and UPnP IGD), and now we need something like it for IPv6.

NAT-PMP was always intended to be a transition mechanism until IPv6 could replace it. IPv6 cannot replace IPv4/NAT until this deficiency is remedied. Whatever mechanism is developed to address this problem will be-- no joke-- with us for the next thousand years, so we obviously think a naïve adaptation of NAT-PMP to IPv6 would be suboptimal.

Alas, however, if that's what gets the problem solved...


--
j h woodyatt <jhw@apple.com>