> Here, again, is the nub of what we have to deal with:
>> The notion of a system with a single, globally unique namespace
>> at the lowest level is a really nice one, one we had for a while
>> - and *one we think we can reclaim*. I now think we've been
>> deluding ourselves; that past .. is gone for good.
> How would I move forward from there, constructively, to try and
> produce a less broken architecture/system?
the only way I can see to do so is to provide tools to ease migration to
a less broken system. I don't see any way to make the NAT technique
significantly less broken (and I have tried) that takes less effort than
supporting IPv6 alongside NAT. basically you end up trying to create a
new network with a new address space on top of a NATted network,
instead of alongside it. and to do this you have to upgrade the NAT
boxes, and the hosts, and the apps that can't deal with status quo NAT -
at which point you're imposing about the same deployment barrier as IPv6
imposes. IPv6 is both cleaner and ahead of the curve.
> There are many different flavors of NAT, and so it's hard to make an
> application "work with NAT" when you don't know exactly what the NAT
> box is going to do.
indeed, this is a problem - and NATs are also a moving target. but it's
almost as difficult to "work with NAT" even when you do know exactly
what the NAT box is going to do.
also, the argument is often made that NATs are "here to stay" precisely
because they are already so widely deployed. if one accepts that,
doesn't it follow that broken NATs with their inconsistent behavior are
"here to stay" also, for the same reasons? and if we assume we can
upgrade the NATs anyway, why not make them support something cleaner
than IPv4+NAT+MIDCOM-style application hooks?
> The next step would be to add a "NAT considerations" section to all
> protocol specifications, just like the "Security considerations" we
> have now. Protocols can be designed to be less NAT-hostile - e.g. no
> giving addresses to third parties as a way to contact someone, etc.
many protocols cannot be designed to be less NAT-hostile without
imposing significant overhead both in bandwidth and in extra
infrastructure, and degrading performance and reliability. if we want
to set up proxies for each protocol outside of every NAT we can make
those protocols work. IPv6 is a lot simpler and more robust.
> Nothing positive can happen as long as we keep acting as NAT i) is too
> disgusting to seriously try and deal with, and ii) will go away if we
> stick our heads in the sand hard enough.
nothing positive can happen as long as we keep acting as if NAT is
here to stay and that it's going to be forced on all future apps.