
Re: The argument for writing a general purpose NAT for IPv6



Hi,

On Wed, Apr 18, 2007 at 11:07:28PM +0300, Rémi Denis-Courmont wrote:
> modify the packets at all; you only need to keep automagically open 
> pinholes for connections that are "related" (borrowing Linux-NetFilter 
> naming here) to some existing connections... e.g. open a hole for an 
> FTP data connection if you see the need according to the FTP control 
> session, or for the RTP and RTCP flows of an RTSP media.
> 
> I don't see the need for a NAT there.

That's an implementation detail.

You can either do it at the packet inspection level ("netfilter 'related'
connections"), or you can do it using a "proxy program" approach - like
the way you can use Squid to do transparent web proxy/caching even 
without client users knowing.

If you use the second approach, you need some sort of NAT (local to
the machine) to make the packets that come in, destined for some other
host, to end up in your local userland socket.


> IMHO, it would of course be much better for the unmanaged networks 
> scenarios to not have stateful firewalls by default at all. In fact, 
> restored connectivity is the only incentive for "end-user" ISPs to 
> deploy IPv6 at the moment, as far as I can tell. Why would they invest 
> if it brings just about nothing? In that sense, it seems to me that 
> Apple Airport decision and v6ops NAP is on a collision course with 
> ISPs. But I should rather let ISPs speak for themselves.

I share the sentiment that "unmanaged networks and stateful firewalls"
is a problematic scenario, but it seems that this is what we *have*
(due to not-so-well informed decision processes).

So if that is going to stay, we need a communication "process" between
application and stateful firewall.

Much better would be a public statement "for the unmanaged case, use
on-host distributed firewalls, for the managed case, use whatever fits
the bill".  (But even then you end up in the case of an application
requiring a pinhole and the firewall not supporting this specific
protocol)

Worse, should ubiquitous (sp?) IPSEC ever happen, network layer firewalls 
have no way to decide on "this is a good or bad packet", so the firewalls
really need to be on the host.

(Speaking from an ISP POV: the end-user ISPs will deploy IPv6 if and only
if customers are asking for it, or they can sell a product that will
only work with IPv6, like 'some sort of voip or IPTV product'.  Or if
they can't get IPv4 addresses for new subscribers anymore.  If there is 
no extra money, or compelling force, end-user ISPs won't do IPv6).

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
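As an added illustration of what the "related connection" pinhole in the message above actually involves (this is example code written for this page, not code from the post's author or from netfilter): a small Python sketch of the logic an FTP helper performs on the control channel. It parses the PASV/PORT (IPv4) and EPSV/EPRT (IPv6, RFC 2428) messages, derives the data flow that the firewall should temporarily admit, and renders it as an nft rule. The sample control-session lines, addresses and the `Pinhole`/`related_pinhole` names are constructed for the example; the check that an advertised address must match the peer that sent it is a sanity check of the kind the netfilter FTP helper applies by default, and is included here as a deliberate design choice rather than as a description of any particular implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Pinhole:
    """One expected data flow to admit while the control session is alive."""
    proto: str   # transport protocol of the data connection
    src: str     # host that will open the data connection
    dst: str     # host that will accept it
    dport: int   # port it will connect to

# Constructed sample control-channel lines (not captured traffic).
PASV_REPLY = "227 Entering Passive Mode (192,168,1,2,19,137)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||6446|)"
EPRT_CMD   = "EPRT |2|2001:db8::8:800:200c:417a|5282|"
PORT_CMD   = "PORT 192,168,1,2,4,1"

_PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
_EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|$")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def related_pinhole(line: str, client: str, server: str) -> Optional[Pinhole]:
    """Return the data-connection pinhole implied by one control-channel line.

    `client`/`server` are the addresses of the existing control connection.
    Lines that announce no data connection, or that point at a third host,
    yield None (no pinhole is opened for them).
    """
    line = line.strip()
    m = _PASV_RE.match(line)
    if m:  # server tells client where to connect: client -> server:port
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        if f"{h1}.{h2}.{h3}.{h4}" != server:
            return None  # advertised host is not the server we talk to
        return Pinhole("tcp", client, server, p1 * 256 + p2)
    m = _EPSV_RE.match(line)
    if m:  # EPSV carries only a port; the address is the control peer's
        return Pinhole("tcp", client, server, int(m.group(1)))
    m = _EPRT_RE.match(line)
    if m:  # client tells server where to connect: server -> client:port
        _af, addr, port = m.groups()
        if addr.lower() != client.lower():
            return None
        return Pinhole("tcp", server, client, int(port))
    m = _PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        if f"{h1}.{h2}.{h3}.{h4}" != client:
            return None
        return Pinhole("tcp", server, client, p1 * 256 + p2)
    return None

def pinholes_for_session(lines: List[str], client: str, server: str) -> List[Pinhole]:
    """Scan a whole control session and collect every pinhole it implies."""
    holes = []
    for line in lines:
        p = related_pinhole(line, client, server)
        if p is not None:
            holes.append(p)
    return holes

def to_nft_rule(p: Pinhole, chain: str = "inet fw forward") -> str:
    """Render a pinhole as an nft rule admitting the first packet of the data flow."""
    family = "ip6" if ":" in p.src else "ip"
    return (f"nft add rule {chain} {family} saddr {p.src} {family} daddr {p.dst} "
            f"{p.proto} dport {p.dport} ct state new accept")

if __name__ == "__main__":
    session = [EPSV_REPLY, EPRT_CMD]
    for hole in pinholes_for_session(session, "2001:db8::8:800:200c:417a", "2001:db8::1"):
        print(to_nft_rule(hole))
```

The point the sketch makes concrete is the one in the message: the firewall never rewrites anything, it only has to understand enough of the control protocol to know which new flow is "related" to an existing one, and each protocol needs its own such parser. The address-mismatch check is what keeps a control session from opening a hole toward an unrelated host.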