Re: NAT Not Needed To Make Renumbering Easy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Lets start with a few design principles.

1) No application protocol has any business being tied to a particular
packet transport.

If your application transport is passing raw IP addresses about as a
means of forming connections it is broken. IP is the Inter-NETWORK
protocol. The original architecture made no assumption that IP would
run end to end, let alone that the IP address would be constant end to
end.

We have seen the result of designing IPSEC to be intentionally NAT
unfriendly. I was there in the IPSEC WG meeting when folk were
laughing about the problems they would cause for NAT. As a result
IPSEC was a botched protocol and has required ad hoc, proprietary and
in many cases patented tweaks to make it fit for its intended purpose.
Remote access over SSL or SSH works a lot better in practice than
IPSEC does.

I do not see any architectural value in insisting that applications
assume that the IP address is constant from one end of a communication
to the other. It is not a necessary assumption, it is not a helpful
assumption, it is not one that any application protocol can rely on if
it is to work on 99% of the Internet deployed today.


2) IPv6 should be as little different to deployed IPv4 as possible.

IPv4 has NAT, get over it. NAT will be essential to enable the
transition from 4 to 6, get over it. NAT is part of the IP stack and
people will insist that the functionality remains in IPv6, get over
it.


3) You can't force contractual obligations through technology standards.

IPv6 is a hard enough transition without people trying to use it as an
opportunity to refight battles they lost with IPv4. The only rationale
that I have heard for the resistance to NAT that makes the least sense
to me is Keith Moore's point that he would like to force ISPs to
provide functionality necessary for server/peer support.

Whether or not you think that is a good idea, you cannot push with a
piece of string. If Comcast does not want to support certain
functions, they will do that.


Remember that the first rule of the Internet is: You are SO NOT in
charge here (for all values of YOU). The US govt is not in charge,
ICANN is not in charge, Comcast is not in charge, the UN is not in
charge and that even goes for the IETF.

The Internet got the way it was because it did not make unnecessary rules.

Thirty odd years ago, IP address consistency might have mattered. But
the consistency of the Internet is not determined by IP address
consistency any more, it is determined by intersubjective agreement of
DNS address authority.

Asking why would people want to do X is not the way the Internet got here.


NAT66 may not be essential as a security control, but it is mighty
useful as a security audit tool. And auditing the security of a
network is at least as hard as securing one. So I would want someone
who thinks I should not NAT66 to give me a really good reason why not
and an equally effective audit control.

And no, 'I do not have a good feeling in my gut about this' is not an
argument, not even when the person making it is incredibly eminent.


If I sound somewhat testy on this subject, it is because I think that
the anti-NAT camp have been the biggest barrier to deployment of IPv6
by cutting off the only viable technical transition strategy.
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]