The argument for writing a general purpose NAT for IPv6

[james woodyatt <jhw@apple.com>]

On Apr 16, 2007, at 13:46, Mark Smith wrote:
> On Mon, 16 Apr 2007 11:37:25 -0700, james woodyatt <jhw@apple.com>  
> wrote:
> > Yes.  I have to do this to make application layer gateways (ALG) for
> > IPv6 to be fully transparent.
>
> They won't be "fully transparent". The devices on the public side of
> the NAT will be able to detect them, or conversely, will break because
> those devices or applications assume (quite reasonably, because that's
> the (IPv6) Internet architecture) that there is a one-to-one mapping
> between a network layer device and address.

p1. The mapping between nodes and addresses is already not one-to-one.

p2. I don't see the NAT required for IPv6 ALG's as breaking end-to- 
end addressability.

Whether network policy permits application reachability is  
independent of whether applications are addressable.  I only think  
NAT needs to be used to redirect application flows between  
middleboxes, not between application endpoints in separate addressing  
realms.

> Having had to deal with the problems that "transparent" ALG devices
> cause at the network layer, I don't want to see them again. e.g.
> traceroute doesn't show the path the traffic is actually taking, they
> create performance bottle necks, you have to traffic engineer certain
> traffic to always pass a certain point in the network so that the ALG
> gets a look at it, [...].

If stateful packet filters are widely deployed in residential IPv6  
gateways and turned on in the factory default mode, I can only see  
one way to make some of those problems avoidable: by defining  
something as a bump-in-the-stack that uses a yet-to-be-defined ICMP  
subprotocol for signaling application listeners to the packet filters  
in the path, and rolling that out everywhere in the Internet instead.

Personally, I think this alternative makes better sense over the very  
long term, but my experience is that the very long term always comes  
at a lower priority than the end of the current financial quarter.

> [...] they create problems with remote websites and
> applications that very reasonably assume a one-to-one mapping between
> an IP address and a user.

Yeah, but there are security considerations there.  RFC 3041 is an  
effort to address some of those, and not in a way that will make it  
*easier* for remote websites to continue assuming a one-to-one  
mapping between IP addresses and users.  This was always a dumb  
assumption, and it will only get dumber with IPv6, no matter what we  
do to resolve the problems I'm trying to highlight here.

> Can you describe some of those interactions ? As far as I'm aware  
> RTSP,
> as do other applicaton protocols above the transport layer, just  
> use IP
> as a dumb packet transport between specified IP addresses.

Sure.  Both the RTSP client and server write IP address and UDP port  
numbers for the RTP and RTCP flows into the RTSP headers.  The  
stateful packet filter that blocks incoming flows will need to  
inspect the SETUP method and search for the "Transport:" headers,  
parse them for the source, destination, client_port and server_port  
attributes, and open/close pinholes for them as needed.

There are other applications, I'm sure, that have similar problems.   
As noted, ISAKMP/IKE is one of them unless ESP encapsulation in UDP  
is used in conjunction with some kind of ICE-like UDP probing scheme  
to keep the outbound UDP pinhole open while incoming UDP/ESP- 
encapsulated flows might be received.

I'm pretty sure that BitTorrent is another such application.  Also,  
I'm given to understand that some VoIP applications may be broken by  
the stateful packet filtering IETF recommends unless there is an ALG  
present for the application.

> > I figure while I'm doing that, I might as well write a general
> > purpose IPv6 NAT.  I wish I didn't have to do this, but the security
> > considerations are pushing me into it.
>
> Can you detail those security considerations ? I'd find it hard to
> believe that NAT is the only security technique (and personally I  
> don't
> really consider it to be one anyway) that solves your problem. What
> unique property does NAT provide that no other alternative (such as
> stateful firewalling with public addressing) doesn't?

I only *NEED* the NAT to redirect flows into transparent ALG's to  
support the stateful packet filter.  (I'd say it's the market that  
seems unconvinced-- despite the laudable efforts of the authors of  
the NAP draft-- that IPv6 is sufficient for their needs without  
general purpose NAT being available, but that's not really my concern.)

I'm considering the task of writing a general purpose IPv6 NAT because:

1) I now have to maintain a full suite of ALG's for both IPv4 and IPv6;

2) I've got a collection of IPv4 ALG's already that depend on NAT to  
work;

3) I will still have support IPv4/NAT for the foreseeable future;

Therefore... the easiest way forward for me is the shortest path: by  
extending my general purpose IPv4 NAT to support IPv6.  It saddens me  
to have to do it, but there it is.


--
j h woodyatt <jhw@apple.com>