Re: Netfilter (Linux) Does IPv6 NAT

On 6 Dec 2011, at 16:17, Martin Rex wrote:
> Greg Daley wrote:
>> I do not know if this is a current environment, or what you would like to see
>> (A reference would be good).
> 
> That is the current environment for home DSL subscribers (IPv4) in Germany.
>> 
>> One would use DHCPv6-PD to request the lease for a period,
>> Router Advertise it downstream to your devices, which use
>> it only for 24h, and at the end of the time return the prefix
>> to the pool.
> 
> At most 24h, I can get a new DHCP lease on request every 2 minutes
> if I want to.  With a single IPv4 address on the external interface
> of the DSL router, this does affect all connections, of course.
>> 
>> If you wish to rotate through address space, you could still use
>> the 24 hour lease either as a replacement for or in addition to
>> your static prefix in IPv6, but you do not need to use NAT.
> 
> I do *NOT* want dynamic addresses on my local network. These
> ought to be static.  This is why IPv4 NAT and rfc1918 private
> address space is so useful.
> 
> An IPv6 NAT would have to offer the same functionality, of course:
> Address assigned through DHCP on the local/home network, but
> extending the leases for the same addresses, and a randomized temporary
> dynamic address on the external interface of the DSL router.
> 
> Renumbering the internal network would be completely silly.
> You certainly do not want any interruptions of the local network traffic
> just because you frequently change the address on the external interface for
> privacy reasons.

1.  If you just want to camouflage internal clients, do it with privacy addresses or a SOCKS proxy and clients.

2.  If you want to hide, do it with proper means, i.e., Tor.  You needn't suppose that the one agent who has the most insight into your network traffic, that being your ISP, is trustworthy.  Especially true given that it's the one agent with the highest likelihood of actually succeeding in the intercept of your Internet traffic.  Or that it often has controls over its routers which allow monitoring beyond rightful boundaries.  Best intentions aside.

3.  If you've got to have dynamic external IP addresses (note, not address; for that, see 1 above), we'll have to find a way to renumber your network so applications running on your hosts know what their new addresses are while keeping your preferred topological configuration, every time your PD lease is due *.  However, you should be using ULA or LL addresses for intra-network traffic, not global.  This has to be the only legitimate use of NAT, but not for port translation.

4.  NAT must die.  It is simply a pain in the arse.  We're not stunting another decade of growth simply to uphold an illusion caused by address sharing.  Most funny have been the many things attributed to it, because the original NAT concept specification was written at a time when most traffic was within the private realm, not through the translator into the public one.  Please try to think outside the box, as the popular expression goes.  We can find solutions to your problems that do not include damaging important principles which ensure that the Internet actually grows and innovates, groupthink notwithstanding.  And yes, I realise that this statement is already enough to ruffle some people even within the IETF, and definitely within the security community.

Cheers,
Sabahattin

* What's renum doing these days? There's got to be a better answer than NAT66 for this sort of problem.
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
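Editor's note: the following is an added example, not code from either poster or from any project discussed in the thread. It illustrates point 3 of Sabahattin's reply (stable ULA or link-local addressing for intra-network traffic, with only the globally routed address changing when the DHCPv6-PD lease changes). It generates a ULA /48 with the RFC 4193 section 3.2.2 recipe, carves /64 subnets out of both the ULA and the delegated prefix, and simulates a prefix change. The MAC address, timestamp, host list and the 2001:db8::/32 documentation prefixes are constructed sample inputs; nothing here talks to a real DHCPv6 server or router.

```python
"""Stable ULA address plan beside a rotating DHCPv6-PD prefix (added example).

Only the Python standard library is used. All inputs in __main__ are constructed.
"""
import hashlib
import time
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Iterable, Optional, Tuple

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)


def _net(prefix) -> IPv6Network:
    """Accept either an IPv6Network or its string form."""
    return prefix if isinstance(prefix, IPv6Network) else IPv6Network(prefix)


def eui64_from_mac(mac: bytes) -> bytes:
    """Expand a 48-bit MAC to a 64-bit EUI-64 by inserting ff:fe in the middle.
    RFC 4193 only needs a stable 64-bit identifier as hash input, so the U/L bit
    flip used for IPv6 interface identifiers is not applied here."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return mac[:3] + b"\xff\xfe" + mac[3:]


def generate_ula_prefix(mac: bytes, unix_time: Optional[float] = None) -> IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(64-bit NTP time || EUI-64).
    The locally assigned prefix is fd00::/8 followed by the 40-bit Global ID, i.e. a /48."""
    if unix_time is None:
        unix_time = time.time()
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * 2**32)
    ntp64 = ((seconds & 0xFFFFFFFF) << 32) | (fraction & 0xFFFFFFFF)
    digest = hashlib.sha1(ntp64.to_bytes(8, "big") + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    # Bit layout: 8-bit fd | 40-bit Global ID | 16-bit subnet id | 64-bit interface id
    return IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def carve_subnet(prefix, subnet_id: int) -> IPv6Network:
    """Return the /64 with the given subnet id inside a ULA or delegated prefix.
    Works for any delegation length up to /64 (e.g. a /56 gives 256 subnets)."""
    prefix = _net(prefix)
    subnet_bits = 64 - prefix.prefixlen
    if subnet_bits < 0:
        raise ValueError("prefix must be /64 or shorter")
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet id {subnet_id} does not fit in a /{prefix.prefixlen}")
    return IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def host_address(prefix, subnet_id: int, iid: int) -> IPv6Address:
    """Address of a host with a fixed 64-bit interface identifier in a given subnet."""
    if not 0 <= iid < (1 << 64):
        raise ValueError("interface identifier must fit in 64 bits")
    return IPv6Address(int(carve_subnet(prefix, subnet_id).network_address) | iid)


def renumber(ula, old_pd, new_pd, hosts: Iterable[Tuple[str, int, int]]
             ) -> Dict[str, Tuple[IPv6Address, IPv6Address, IPv6Address]]:
    """Simulate a PD lease change. hosts = (name, subnet_id, iid) triples.
    Returns {name: (ula_address, old_global, new_global)}; the ULA address is the
    same before and after, so intra-network sessions survive the renumbering."""
    result = {}
    for name, subnet_id, iid in hosts:
        stable = host_address(ula, subnet_id, iid)
        result[name] = (stable,
                        host_address(old_pd, subnet_id, iid),
                        host_address(new_pd, subnet_id, iid))
    return result


if __name__ == "__main__":
    # Constructed inputs: made-up MAC and fixed timestamp so the ULA is reproducible.
    ula = generate_ula_prefix(bytes.fromhex("0200deadbeef"), unix_time=1323187020)
    old_pd = "2001:db8:1::/48"  # delegated prefix before the lease changes (documentation range)
    new_pd = "2001:db8:2::/48"  # delegated prefix after the change
    hosts = [("nas", 1, 0x10), ("printer", 1, 0x11), ("desktop", 2, 0x20)]
    print(f"ULA prefix: {ula}")
    for name, (stable, old_g, new_g) in renumber(ula, old_pd, new_pd, hosts).items():
        print(f"{name:8} ula={stable}  global {old_g} -> {new_g}")
```

In practice the ULA prefix is generated once and stored on the router; the delegated prefix is whatever the upstream hands out on each lease, and the router advertises both with the delegated one carrying a short valid lifetime so hosts drop it cleanly when it changes.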

