Re: OK, final NAT66 argument (Was: NAT Not Needed To Make Renumbering Easy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry in advance for the length of the post and, in parts, the rudeness of my spleen.

On 8 Nov 2009, at 17:55, Phillip Hallam-Baker wrote:
I assert that regardless of whether NAT66 is a good or a bad thing,
anything that layers on IPv6 must be NAT66 tolerant.

In the whole of the foregoing discussion about NAT and IPv6, the question that I'm only really left with is whether or not we actually lost anything by doing NAT. I have never seen the link between the application layer and the network layer (or whatever you call these things, "Layer" being a highly inadequate term), and taking the effects of NAT and the resultant protocol drain by way of example, now no longer "See" what end-to-end connectivity is good for ...

Until I remember FTP.

And SIP.

And IKE...

And I question the quality expectations and degraded service the Internet's users have endured. The attitude is no longer that "Address exhaust came, NAT pushes back the emergency" but "If it weren't for NAT, we'd have run out of addresses by now". You know, as if the botches we take for granted today are in any way good, as though the strategies we know and love to get around NAT are in any way acceptable, as though replacements for NAT-unfriendly protocols are somehow heavenly and divine. And whose idea was it to make the above protocols easily dependent on universal addressing, anyway? Was it necessary?

It would only be fair to wonder how FTP and SIP would be, if designed today. It would be a shame not to mention WebDAV and, oh, Skype. And SIP, done today, would probably depend on connection reuse, fixed ports and no payload rewriting to get around NAT, those features being both desirable in NAT and of presumably great use in circumstances where realm translation happens, as with proxying where translating the IP or application header is absolutely the most you can do and where, presumably, NAT or similar can actually be justified for those who simply must have it.

But one thing's damn certain, I will never, ever, ever configure a passive-mode FTP server behind a NAT ever again - not so long as the gateway supports FTP ALG but only if the behind-NAT FTP server pretends to be oblivious to the existence of NAT, while flopping completely if you try to be clever and set up ports and addresses to be given to clients. Worse yet, if it uses UPnP to open the needed holes. Do you care for a healthy Internet? I do. That sort of thing is beyond me, and I want somebody to tell me it's okay and it will all be over soon. And really, a lot of the excuses people give for keeping NAT are highly lame, in many instances suboptimal even for their intended purpose (source address spoofing behind NAT is my favourite argument against security held to be a value of NAT) and generally miss one or two points about the initial, healthy development of the 'net unencumbered by NAT. For a particularly aggressive take:
http://www.fourmilab.ch/speakfree/ link

And, of course, RFC 2993 is standard reading.

So yes, I need to know why we put up with NAT, or why you think others should. I also need any justification you may have about why end-to- end is wrong or never held for the Internet's design, and if it did, why it did.

While folk can postulate alternative universes in which enterprises
will not demand or vendors refuse to implement NAT66, there is another
area that is harder to wish away.

Observation: Without NAT44 the internet would already have run out of
address space.

I don't think this can be seriously disputed.

But see above.

Observation: Without NAT46 and NAT64, we cannot transition from IPv4 to IPv6.

Not now, no. It was the grand master plan though, back when. And, yes, capitalism and managers are to blame and, no, I don't feel the slightest sympathy for the slow movers who end in hot water because they didn't plan ahead. Really, it's a crisis whose only quandary is money and is entirely of their own making, and if they can't see beyond that point, it doesn't matter if they lose business. I don't know why the IETF keeps its hands out like that, when for years the clean start proposal was, while perhaps rather optimistic, perfectly adequate and, on the whole, of sound engineering. But now, vendors have begun pedalling the latest in CGN, and I'm tempted to imagine that if the transition had begun sooner there's a very real possibility the impetus and usefulness of IPv6 would have made the notion of CGN infeasible and unsellable. And don't get me started on the silly proposals to recycle unused IPv4 address space, they won't work longer than five minutes a time. Any market value those addresses may have is significantly outperformed by the real benefit of IPv6, when IPv6 is all there is to give.

Still, FWIW, I see the transition this way: CGN (carrier-grade NAT) will happen now and in response to future demand on existing address space reclamation efforts (ISP wants more business, for instance), giving client-only v4 access to v4 or v6 nodes, and v6-only nodes client access to v4. V4 will, finally, become nearly useless because of the real potential in peer-to-peer. IPv6, either native or over NAT- or non-NAT-friendly v6 tunnels, will suddenly seem very cool and necessary. V6 will suddenly gain traction, the value of v4 is the sum of the value of deployed CGNs to keep, and soon the only people with nearly useless connections will be the ones who got us into the mess to begin with. Everybody will scream at them for making their experiences sucky, slow and dependent on old code, ISPs will eventually make the corporates see sense in the v6 upgrade, and bingo! It's 2148, and we've made the transition! ISPs will almost certainly be long into the process before the blackout period, of course, for obvious reasons.

Well, one can dream, anyway. :-)

If we accept these two observations we arrive at a proof that NAT66 is
unavoidable. It will happen any time an IPv6 device with IPv4 service
attempts to connect to an IPv6 server. NAT64 + NAT46 = NAT66.

No. A device with just IPv4 addressing, even one behind NAT(s), can in fact get IPv6 connectivity, complete with global reachability (state of NAT(s) permitting). So it is not a prerequisite of a node that wants the complete benefits of IPv6 to have more than a single IPv4 address, preferably publicly routable.

Cheers,
Sabahattin

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]