Hi Tony, I have not been followign this thread at all. But, I did happen to look at this e-mail and decided to respond. Please see my comments below. Thanks. regards, suresh --- Tony Hain <alh-ietf@xxxxxxxx> wrote: > Jonathan Rosenberg wrote: > > ... > > I agree that ALGs are not the answer, and I believe the reasons for that > > are treated in: > > > > http://www.ietf.org/internet-drafts/draft-iab-nat-traversal- > > considerations-00.txt > > I have a fundamental problem with an IAB document that implies NAT provides > a firewall. The artifact of lack of state is exploited to prevent inbound [suresh] Why is it a problem with what Jonathan said in the IAB document? It is true that traditinal NATs do inherently provide a limited firewall functionality. Jonathan did not say that NAT function implies full Firewall functionality. Also, what exactly do you mean by the comment about "lack of state" being exploited to prevent inbound connections? Many firewalls are stateful and so are NATs. Who is exploiting "lack of state" in what? > connections, but that has nothing to do with a policy rich firewall, and > even less to do with anything resembling 'security'. > [suresh] Agree with your comment about firewalls being policy rich. The comment about security in the draft relates just to the filtering of inbound connections. Given that, why is it OK to say that a firewall secures an organization by not permitting inbound connections, but not OK to draw the same conclusion about a NAT? > As I said in an earlier post, the entire focus of this document is the wrong > direction for the IAB. It should be focused on simplifying application > operation, so there should be no NAT in the title. The IAB should be looking > at how applications can avoid worrying about the convolution in the network, > not focusing on how to navigate it. > [suresh] This sounds like some kind of an unwritten rule, or something. Why is it wrong for the IAB to address real-life problems involving NATs? A tremendous amount of work has been ongoing in the IETF lately concerning how applications should traverse NATs. A new IPsec standard has emerged to deal with NAT traversal. I think, it makes sense that the IAB recognizes that and makes a statement about NAT traversal for the apps. That is not to say that application designers should not design for the V6 networks. > It is also broken in that it focuses on Client/Server application models, > which are generally less of an issue for applications in a NAT environment. > Peer-to-peer applications have more trouble with mangled headers so the > second thing to do (after changing the title & focus) is to rework this so > that P2P issues are up front. > [suresh] The focus is principaly on the P2P applications in the draft, from what I can tell. > > > > As I mentioned during the plenary, the document above makes a case that > > the right answer in many situations are vpn-ish technologies that > > include v6 tunnels. However, different applications have different > > needs, and there are real differences between the various vpn-ish > > solutions (TURN, STUN, teredo, etc.) that are driving their development > > and adoption. For VoIP, where the nat traversal issue has been > > especially painful, the increase in voice latency, packet loss, and > > substantial cost increase of relaying traffic through the tunnel > > servers, has driven people to solutions like STUN. Thus, I cannot agree > > that there only needs to be a single solution here. > > You appear to be too focused on the weeds to notice the path forward. Yes > many of the IPv6 transition technologies have the same issues as the NAT > traversal technologies in IPv4 (in many cases they do exactly the same thing > but with different encapsulated packets). That said if the applications > community doesn't get the point that they can leave all that crap behind > when native IPv6 is available to them then they will never move. If the > applications community doesn't do their part we will always be stuck with > the garbage in the network. > [suresh] It sounds like you are suggesting that the IAB should advocate the mantra that application desginers shoudl jettison the issue of NAT traversal and simply write apps that work with v6 only. Why do you believe the application designers will heed that? Application desginers cannot afford to ignore the current deployment. After all, they want their apps to be deployed. > > > > That said, I agree that the IAB nat traversal consideration document > > lacks adequate consideration of how evolution plays into this, and I'll > > endeavor to improve the document on that front. > > I will try to send text, but I am buried for the next couple of months. > [suresh] That sounds good. > > > > Another concern I have is that, in an IPv6-only world, even if you > > eliminate NAT, there will still be firewalls, and those firewalls will > > frequently have the property that they block traffic coming from the > > outside to a particular IP/port on the inside unless an outbound packet > > has been generated from the inside from that IP/port. > > There is work going on outside the IETF to deal with this issue. There is no > point in wasting years arguing when progress can be made in the real world. > > > This means that IP > > addresses are not globally reachable. You'd still need most of the same > > solutions we have on the table today to deal with this problem. > > Not necessarily. > [suresh] VOIP appls go through the same kind of paylod processing in firewalls as do NATs with ALG support for the application. In many implementations, firewall and NAT share the same ALG for protocol monitoring and application processing. regards, suresh > > Indeed, > > in the VoIP space, I believe you'd need pretty much everything, > > excepting you'd be able to remove a single attribute from a few of the > > protocols (STUN and TURN in particular), which tell the endpoint its > > address on the other side of the NAT. The endpoint knows its address, > > but all of the protocol machinery is still needed to rendezvous with the > > other participant in the call. > > > > > > -Jonathan R. > > -- > > Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza > > Director, Service Provider VoIP Architecture Parsippany, NJ 07054-2711 > > Cisco Systems > > jdrosen@xxxxxxxxx FAX: (973) 952-5050 > > http://www.jdrosen.net PHONE: (973) 952-5000 > > http://www.cisco.com > > > _______________________________________________ > Ietf mailing list > Ietf@xxxxxxxx > https://www1.ietf.org/mailman/listinfo/ietf > _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf