Sorry in advance for the length of the post and, in parts, the
rudeness of my spleen.
On 8 Nov 2009, at 17:55, Phillip Hallam-Baker wrote:
I assert that regardless of whether NAT66 is a good or a bad thing,
anything that layers on IPv6 must be NAT66 tolerant.
In the whole of the foregoing discussion about NAT and IPv6, the
question that I'm only really left with is whether or not we actually
lost anything by doing NAT. I have never seen the link between the
application layer and the network layer (or whatever you call these
things, "Layer" being a highly inadequate term), and taking the
effects of NAT and the resultant protocol drain by way of example, now
no longer "See" what end-to-end connectivity is good for ...
Until I remember FTP.
And SIP.
And IKE...
And I question the quality expectations and degraded service the
Internet's users have endured. The attitude is no longer that
"Address exhaust came, NAT pushes back the emergency" but "If it
weren't for NAT, we'd have run out of addresses by now". You know, as
if the botches we take for granted today are in any way good, as
though the strategies we know and love to get around NAT are in any
way acceptable, as though replacements for NAT-unfriendly protocols
are somehow heavenly and divine. And whose idea was it to make the
above protocols easily dependent on universal addressing, anyway? Was
it necessary?
It would only be fair to wonder how FTP and SIP would be, if designed
today. It would be a shame not to mention WebDAV and, oh, Skype. And
SIP, done today, would probably depend on connection reuse, fixed
ports and no payload rewriting to get around NAT, those features being
both desirable in NAT and of presumably great use in circumstances
where realm translation happens, as with proxying where translating
the IP or application header is absolutely the most you can do and
where, presumably, NAT or similar can actually be justified for those
who simply must have it.
But one thing's damn certain, I will never, ever, ever configure a
passive-mode FTP server behind a NAT ever again - not so long as the
gateway supports FTP ALG but only if the behind-NAT FTP server
pretends to be oblivious to the existence of NAT, while flopping
completely if you try to be clever and set up ports and addresses to
be given to clients. Worse yet, if it uses UPnP to open the needed
holes. Do you care for a healthy Internet? I do. That sort of thing
is beyond me, and I want somebody to tell me it's okay and it will all
be over soon. And really, a lot of the excuses people give for
keeping NAT are highly lame, in many instances suboptimal even for
their intended purpose (source address spoofing behind NAT is my
favourite argument against security held to be a value of NAT) and
generally miss one or two points about the initial, healthy
development of the 'net unencumbered by NAT. For a particularly
aggressive take:
http://www.fourmilab.ch/speakfree/ link
And, of course, RFC 2993 is standard reading.
So yes, I need to know why we put up with NAT, or why you think others
should. I also need any justification you may have about why end-to-
end is wrong or never held for the Internet's design, and if it did,
why it did.
While folk can postulate alternative universes in which enterprises
will not demand or vendors refuse to implement NAT66, there is another
area that is harder to wish away.
Observation: Without NAT44 the internet would already have run out of
address space.
I don't think this can be seriously disputed.
But see above.
Observation: Without NAT46 and NAT64, we cannot transition from IPv4
to IPv6.
Not now, no. It was the grand master plan though, back when. And,
yes, capitalism and managers are to blame and, no, I don't feel the
slightest sympathy for the slow movers who end in hot water because
they didn't plan ahead. Really, it's a crisis whose only quandary is
money and is entirely of their own making, and if they can't see
beyond that point, it doesn't matter if they lose business. I don't
know why the IETF keeps its hands out like that, when for years the
clean start proposal was, while perhaps rather optimistic, perfectly
adequate and, on the whole, of sound engineering. But now, vendors
have begun pedalling the latest in CGN, and I'm tempted to imagine
that if the transition had begun sooner there's a very real
possibility the impetus and usefulness of IPv6 would have made the
notion of CGN infeasible and unsellable. And don't get me started on
the silly proposals to recycle unused IPv4 address space, they won't
work longer than five minutes a time. Any market value those
addresses may have is significantly outperformed by the real benefit
of IPv6, when IPv6 is all there is to give.
Still, FWIW, I see the transition this way: CGN (carrier-grade NAT)
will happen now and in response to future demand on existing address
space reclamation efforts (ISP wants more business, for instance),
giving client-only v4 access to v4 or v6 nodes, and v6-only nodes
client access to v4. V4 will, finally, become nearly useless because
of the real potential in peer-to-peer. IPv6, either native or over
NAT- or non-NAT-friendly v6 tunnels, will suddenly seem very cool and
necessary. V6 will suddenly gain traction, the value of v4 is the sum
of the value of deployed CGNs to keep, and soon the only people with
nearly useless connections will be the ones who got us into the mess
to begin with. Everybody will scream at them for making their
experiences sucky, slow and dependent on old code, ISPs will
eventually make the corporates see sense in the v6 upgrade, and
bingo! It's 2148, and we've made the transition! ISPs will almost
certainly be long into the process before the blackout period, of
course, for obvious reasons.
Well, one can dream, anyway. :-)
If we accept these two observations we arrive at a proof that NAT66 is
unavoidable. It will happen any time an IPv6 device with IPv4 service
attempts to connect to an IPv6 server. NAT64 + NAT46 = NAT66.
No. A device with just IPv4 addressing, even one behind NAT(s), can
in fact get IPv6 connectivity, complete with global reachability
(state of NAT(s) permitting). So it is not a prerequisite of a node
that wants the complete benefits of IPv6 to have more than a single
IPv4 address, preferably publicly routable.
Cheers,
Sabahattin
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf