On Mon, Mar 27, 2006 at 11:35:21PM -0500, Keith Moore wrote:
> >>now if what you're saying is that we need a standard NAT extension
> >>protocol that does that, I might agree. though IMHO the easiest way to
> >>do that is to make the NAT boxes speak IPv6.
> >>
> >
> > Yes, I am saying we need this or something similar. It seems like
> >the current solution I've seen implemented is something like static port
> >mapping with private ip space behind the NAT for most applications. There's
> >still the limited known ports issue (discussed earlier) among several
> >others
> >which are as yet either unsolved or unimplemented on the global scale.
>
> again, this doesn't really solve the problem - it only nibbles off a
> small corner of it. NATs do harm in several different ways - they take
> away a uniform address space, they block traffic in arbitrary
> directions, they hamper appropriate specification of security policies,
> and these days they often destroy transparency. You have to fix all of
> those problems and still preserve (improve!) the plug-and-play nature of
> the NAT. what you end up with is something like a router that does both
> v4 and v6, autoconfiguring itself in both cases (including getting
> address blocks from upstream networks), with transparent v6, NAT on v4,
> a sort of generic IPv4 application socks-like proxy built into the NAT
> that lets v4-only apps allocate outside addresses/ports, accept
> connections on them, and also initiate connections from them.
>

This sounds workable. But I really question whether there is an adequate userbase who cares enough about these problems to support the development and deployment of the more complex system you suggest. The limitations of NAT you mention make little difference to most of the NAT users I am familiar with. These are typically end users or small organizations. They generally don't know what they are missing, and NAT works adequately well for their purposes.

I don't foresee them switching or "enhancing" unless there is some killer application as yet unsurfaced which demands it and won't work adequately well with a limited amount of bizarre hacks and workarounds.

The financial penalty from using non-natted ipv4 space is less of an issue to larger organizations. When address space becomes a more scarce resource globally, will they care enough about the limitations above and beyond what bizarre NAT hacks marginally solve to fund ipv6 implementation? Maybe. I haven't seen any evidence of it yet, but maybe some time in the future they will.

Austin

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf