
Re: Modified IPv6 to unmodified IPv4



On 22-okt-2007, at 23:42, Stephen Sprunk wrote:

The problem I think you're indirectly referring to is NAT awareness, and most of the problem there is going to exist in v6 with stateful firewalls even if we do manage to avoid creating a NATv6 world. ALGs are simpler when you only have to inspect packets, not mangle them, but they're not going away, and end hosts/apps can't get away from coping with administratively-imposed reachability problems.

NAT and stateful firewalling don't have the same effect on applications.

In both cases, an ALG can make everything work for many applications if an ALG is available for the protocol in question and the control traffic isn't encrypted, and doesn't use options that the ALG doesn't understand. ALGs also require a control channel, so they don't address the situation where an application is simply listening for incoming sessions.

Alternatively, applications can reach out to the NAT or firewall and receive information about the public address from the NAT and open up incoming ports on the NAT or firewall. There are two non-IETF protocols to do that for NAT and a whole bunch of IETF protocols to do this for (IPv4?) firewalls. The difference between the NAT and the firewall case is that in the NAT case, the application must know about the public address, while in the firewall case it only has to open up the port. Conceivably, this could be done automatically by the OS when a listening socket is created. But such a simple solution doesn't address all NAT issues.

So the need to deal with firewalls doesn't mean it's a good idea to go ahead with NAT in IPv6, either explicitly or in the form of adopting an IPv6/IPv4 translation mechanism that exposes IPv6 applications to NAT.
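
Added example, not part of the original message: a toy Python model of the distinction drawn above between opening a port on a stateful firewall and opening one on a NAT. The class names, function names, addresses (documentation ranges) and port are all constructed for illustration and do not model any real port-control protocol.

```python
# Toy model, constructed for illustration; not any real port-control protocol.
from dataclasses import dataclass, field

PUBLIC_NAT_ADDR = "203.0.113.1"   # constructed: the NAT's outside address
HOST_PRIVATE = "192.168.1.10"     # constructed: host behind the NAT
HOST_GLOBAL = "2001:db8::10"      # constructed: host behind a firewall only


@dataclass
class StatefulFirewall:
    """Filters but never rewrites: inside addresses are globally routable."""
    pinholes: set = field(default_factory=set)

    def open_port(self, host, port):
        self.pinholes.add((host, port))
        return (host, port)       # reachable endpoint is the host's own address

    def deliver_inbound(self, dst, port):
        # Inside (host, port) the packet reaches, or None if it is dropped.
        return (dst, port) if (dst, port) in self.pinholes else None


@dataclass
class Nat:
    """Rewrites addresses: only the NAT's public address is reachable outside."""
    mappings: dict = field(default_factory=dict)

    def open_port(self, host, port):
        self.mappings[(PUBLIC_NAT_ADDR, port)] = (host, port)
        return (PUBLIC_NAT_ADDR, port)   # the application has to learn this

    def deliver_inbound(self, dst, port):
        return self.mappings.get((dst, port))


def peer_can_connect(box, host, port, advertise_own_address):
    """Host opens a port, tells a peer where to connect, and the peer tries it."""
    reachable = box.open_port(host, port)
    advertised = (host, port) if advertise_own_address else reachable
    return box.deliver_inbound(*advertised) == (host, port)


if __name__ == "__main__":
    # Firewall: the OS could open the pinhole; the app advertises its own address.
    print("firewall, own address:", peer_can_connect(StatefulFirewall(), HOST_GLOBAL, 5060, True))
    # NAT: the mapping exists, but the app still advertises its private address.
    print("NAT, own address:     ", peer_can_connect(Nat(), HOST_PRIVATE, 5060, True))
    # NAT: the app is NAT-aware and advertises the address the NAT returned.
    print("NAT, learned address: ", peer_can_connect(Nat(), HOST_PRIVATE, 5060, False))
```

In the firewall case the application's own address stays valid once the port is open, so opening it can be transparent to the application; in the NAT case the same step is not enough unless the application also uses the address the NAT reports.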