[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Comments on the NAT66 draft
On Nov 10, 2008, at 07:26, EricLKlein@softhome.net wrote:
[...] Now people are trying to revive the patch known as NAT into v6
when it is still not clear why they are needed beyond "that is how
we always did it" solutions. If RFC 3879 and RFC 4864 are not
detailed enough as to why local only addresses are not part of v6
lets do a proper need and gap analysis and then design a solution to
what is really needed.
As I have periodically tried to remind everyone, there is a usage
scenario for NAT in IPv4 that is not addressed by RFC 3879 or RFC
4864, and it remains in my view the one compelling reason for
specifying how NAT66 should work. That scenario is the one where
stateful packet filtering for application flows is transparently
inserted on paths into and out from enterprise networks using an
address translation to redirect flows at border routers to the
application-filtering middleboxes.
You can imagine doing that without address translation, i.e. with
tunnels and redirects, but that raises practical issues with path MTU,
and it just moves the address translation from the insertion point to
the application helper. You've still got the translation and the
potential for transparency loss that comes with it. It's important to
remember that people deploying systems like this tend to view end-to-
end integrity as a bug rather than a feature, and the introduction of
potential for transparency loss is the whole point of the exercise.
If doing it with NAT66 instead of tunnels and redirects makes
practical sense to enterprise network operators, and I think it does,
then I assure you... that's how it will be done.
As much as I would like to believe that enterprises will stop feeling
the need to deploy this kind of nonsense, I'm very skeptical that IETF
will be able to change their minds. If we're going to have
middleboxes that intercept and process IPv6 application flows, then I
don't see how NAT66 or something like it can be avoided.
That said, I'm not impressed by the arguments put forward by the
opponents of RFC 4864 local network protection who, in my view, are
greatly exaggerating the seriousness of the network renumbering
problem. My response to that concern is that any organization too
small to win a PI allocation and too poor to bear the almost
negligible expense of renumbering an IPv6 network [much smaller than
renumbering an IPv4 network] is an organization with more serious
problems than its difficulty in changing its Internet service
provider. I don't see why such organizations should have much
standing here, and I think we should ignore them while we have more
important problems to solve, e.g. IPv4-IPv6 coexistence matters.
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering