> Here, again, is the nub of what we have to deal with: > > >> The notion of a system with a single, globally unique namespace > >at the> lowest level is a really nice one, one we had for a while > >- and *one> we think we can reclaim*. I now think we've been > >deluding ourselves;> that past .. is gone for good. > > How would I move forward from there, constructively, to try and > produce a less broken architecture/system? the only way I can see to do so is to provide tools to ease migration to a less broken system. I don't see any way to make the NAT technique significantly less broken (and I have tried) that takes less effort than supporting IPv6 alongside NAT. basically you end up trying to create a new network with a new address space on top of a NATted network, instead of alongside it. and to do this you have to upgrade the NAT boxes, and the hosts, and the apps that can't deal with status quo NAT - at which point you're imposing about the same deployment barrier as IPv6 imposes. IPv6 is both cleaner and ahead of the curve. > There are many different flavors of NAT, and so it's hard to make an > application "work with NAT" when you don't know exactly what the NAT > box is going to do. indeed, this is a problem - and NATs are also a moving target. but it's almost as difficult to "work with NAT" even when you do know exactly what the NAT box is going to do. also, the argument is often made that NATs are "here to stay" precisely because they are already so widely deployed. if one accepts that, doesn't it follow that broken NATs with their inconsistent behavior are "here to stay" also, for the same reasons? and if we assume we can upgrade the NATs anyway, why not make them support something cleaner than IPv4+NAT+MIDCOM-style application hooks? > The next step would be to add a "NAT considerations" section to all > protocol specifications, just like the "Security considerations" we > have now. Protocols can be designed to be less NAT-hostile - e.g. no > giving addresses to third parties as a way to contact someone, etc. many protocols cannot be designed to be less NAT hostile without imposing significant overhead both in bandwidth and in extra infrastructure, and degrading performance and reliability. if we want to set up proxies for each protocol outside of every NAT we can make those protocols work. IPv6 is a lot simpler and more robust. > Nothing positive can happen as long as we keep acting as NAT i) is too > disgusting to seriously try and deal with, and ii) will go away if we > stick our heads in the sand hard enough nothing positive can happen as long as we keep acting as if NAT is here to stay and that it's going to be forced on all future apps. Keith