[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The argument for writing a general purpose NAT for IPv6

To: IETF V6OPS WG <v6ops@ops.ietf.org>
Subject: Re: The argument for writing a general purpose NAT for IPv6
From: james woodyatt <jhw@apple.com>
Date: Wed, 18 Apr 2007 11:25:04 -0700
In-reply-to: <20070418140342.GB29715@grc.nasa.gov>
References: <200704130208.l3D28UWs017668@cichlid.raleigh.ibm.com> <F7359BE1-601E-4047-AC44-8653872303E2@apple.com> <20070415095925.28786098.ipng@69706e6720323030352d30312d31340a.nosense.org> <406C954E-B2D4-4EE0-904F-12C65902EA13@apple.com> <20070417061641.6df36300.ipng@69706e6720323030352d30312d31340a.nosense.org> <D9E32C70-B89D-4417-8340-38C79657F6A9@apple.com> <46248630.8020804@zurich.ibm.com> <A264E1A8-679B-4EEC-8FE6-453BB3AB5EC5@apple.com> <4625D4B8.4070804@zurich.ibm.com> <20070418140342.GB29715@grc.nasa.gov>

On Apr 18, 2007, at 07:03, Wesley Eddy wrote:

On Wed, Apr 18, 2007 at 10:20:08AM +0200, Brian E Carpenter wrote:

I am confused.

If the issue is stateful packet filters the solution is
to be able to configure them off for specified hosts. I can't
see why transport proxies are needed (as far as you describe them,
they exist *because* the IPv4 box is a NAT, not because it
contains stateful filters).

The transport proxies don't exist just because the IPv4 box is aNAT. They would need to be there even if the box implemented IPv4stateful packet inspection/filtering without NAT. Let me outline thelogical flow:


  1) SPI -> ALG
  2) ALG -> transport proxies
  3) transport proxies -> NAT

  therefore

  4) SPI -> NAT

We will never need NAT for translating between global and privateIPv6 address realms. That's not at issue. However, we *do* need NATfor transparently redirecting IPv6 flows into transport proxies toimplement application layer gateways to permit stateful packetinspection filters to keep from breaking Internet applications.

I think I agree.  It looks like James is saying that *in his code*,
implementing IPv6-NAT is the easiest way to re-use existing upper-layerpacket inspection code in order to poke holes in the firewall. Idon't
think that this in any way applies to implementations in general.

This is true to a point. Unfortunately, there isn't anythingparticularly special about my implementation. If you looked at thesource code, you'd see it's very similar to other implementationswidely deployed on the Internet today.

It's also true that some applications, e.g. RealPlayer comes to mind,are just not easily handled without using transport-layer transparentproxies. I've implemented ALG's for that using both methods, i.e.network-layer packet inspection and transport-layer proxy, and 1) thedifference in engineering costs to maintain them is stark, plus 2)the transport-layer proxy is more functional because it doesn't breakwhen headers are split across multiple TCP segments, as sometimeshappens.

I believe he's only said that this seems like the path of least
resistance in his code, but I don't think he's said that it would be

impossible to re-use his packet inspection code through some othermeans

without implementing IPv6-NAT, but I may have missed something.

Not impossible, but many will find it prohibitively expensive anddifficult.

What I hope the V6OPS group will take away from this discussion isthe awareness that, if my engineering management is thinking thatimplementing IPv6-NAT is worth doing to make application layergateways function properly, then others may too. If there is a goalto make IPv6-NAT an unnecessary tool and a waste of resources todevelop, then that goal is *not* being met.



--
j h woodyatt <jhw@apple.com>

Follow-Ups:
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>

References:
- Re: IPv6-PMP?
  - From: Thomas Narten <narten@us.ibm.com>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: The argument for writing a general purpose NAT for IPv6
  - From: Wesley Eddy <weddy@grc.nasa.gov>

Prev by Date: Re: The argument for writing a general purpose NAT for IPv6
Next by Date: Re: The argument for writing a general purpose NAT for IPv6
Previous by thread: Re: The argument for writing a general purpose NAT for IPv6
Next by thread: Re: The argument for writing a general purpose NAT for IPv6
Index(es):
- Date
- Thread