On Mon, Mar 27, 2006 at 11:35:21PM -0500, Keith Moore wrote:

> now if what you're saying is that we need a standard NAT extension
> protocol that does that, I might agree. though IMHO the easiest way to
> do that is to make the NAT boxes speak IPv6.

Yes, I am saying we need this or something similar. It seems like
the current solution I've seen implemented is something like static port
mapping with private IP space behind the NAT for most applications. There's
still the limited known ports issue (discussed earlier) among several
which are as yet either unsolved or unimplemented on the global scale.

> again, this doesn't really solve the problem - it only nibbles off a
> small corner of it. NATs do harm in several different ways - they take
> away a uniform address space, they block traffic in arbitrary
> directions, they hamper appropriate specification of security policies,
> and these days they often destroy transparency. You have to fix all of
> those problems and still preserve (improve!) the plug-and-play nature of
> the NAT. what you end up with is something like a router that does both
> v4 and v6, autoconfiguring itself in both cases (including getting
> address blocks from upstream networks), with transparent v6, NAT on v4,
> a sort of generic IPv4 application socks-like proxy built into the NAT
> that lets v4-only apps allocate outside addresses/ports, accept
> connections on them, and also initiate connections from them.

This sounds workable. But I really question whether there is an
adequate user base who cares enough about these problems to support the
development and deployment of the more complex system you suggest.

The limitations of NAT you mention make little difference to most
of the NAT users I am familiar with. These are typically end users or
small organizations. They generally don't know what they are missing, and NAT
works adequately well for their purposes. I don't foresee them switching or
"enhancing" unless there is some killer application as yet unsurfaced which
demands it and won't work adequately well with a limited amount of bizarre
hacks and workarounds.

The financial penalty from using non-NATted IPv4 space is less of
an issue to larger organizations. When address space becomes a more scarce
resource globally, will they care enough about the limitations above and beyond
what bizarre NAT hacks marginally solve to fund IPv6 implementation? Maybe. I
haven't seen any evidence of it yet, but maybe some time in the future they

Ietf mailing list
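The thread above talks in the abstract about static port mapping behind a NAT, the "limited known ports" problem, and the way a NAT blocks unsolicited inbound traffic. The following toy NAT translation table is an added illustration written for this page; it is not code from either poster or from any real NAT implementation. The addresses (203.0.113.1, 10.0.0.x, 198.51.100.7) are constructed sample values from the documentation ranges, and the class, method and port names are all assumptions made here.

```python
"""Toy NAT translation table (constructed example, not from the thread).

Shows three of the behaviours discussed above:
  * an outbound flow creates a mapping so that replies can come back;
  * an unsolicited inbound packet with no mapping is dropped;
  * a static port mapping exposes one internal host on one external port,
    so two internal servers cannot both be reached on the same well-known port.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class ToyNat:
    public_ip: str
    next_ephemeral: int = 40000  # assumed starting ephemeral port
    # external port -> internal endpoint, created on demand by outbound flows
    dynamic: Dict[int, Endpoint] = field(default_factory=dict)
    # external port -> internal endpoint, configured by hand (static port mapping)
    static: Dict[int, Endpoint] = field(default_factory=dict)

    def add_static_mapping(self, external_port: int, internal: Endpoint) -> None:
        """Expose one internal service on one external port.

        A given external port can point at only one internal host: this is
        the 'limited known ports' problem from the thread.
        """
        if external_port in self.static:
            raise ValueError(
                f"external port {external_port} already mapped to {self.static[external_port]}"
            )
        self.static[external_port] = internal

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet; returns the source as seen by dst.

        Reuses an existing mapping for src if one exists, otherwise allocates
        a fresh external port. The internal address is never visible outside,
        which is the loss of a uniform address space the thread mentions.
        """
        for port, internal in {**self.static, **self.dynamic}.items():
            if internal == src:
                return (self.public_ip, port)
        port = self.next_ephemeral
        self.next_ephemeral += 1
        self.dynamic[port] = src
        return (self.public_ip, port)

    def inbound(self, dst_port: int) -> Optional[Endpoint]:
        """Translate a packet addressed to public_ip:dst_port.

        Returns the internal endpoint, or None when the NAT has no mapping
        and therefore drops the packet.
        """
        return self.static.get(dst_port) or self.dynamic.get(dst_port)


def demo() -> dict:
    """Walk through the scenarios and return what happened for inspection."""
    nat = ToyNat(public_ip="203.0.113.1")  # constructed public address
    result = {}

    # One internal web server exposed on the well-known port.
    nat.add_static_mapping(80, ("10.0.0.2", 80))
    # A second internal web server cannot share external port 80.
    try:
        nat.add_static_mapping(80, ("10.0.0.3", 80))
        result["second_server_on_80"] = "mapped"
    except ValueError:
        result["second_server_on_80"] = "refused"
    # The usual workaround: a non-standard external port, which clients must know.
    nat.add_static_mapping(8080, ("10.0.0.3", 80))

    result["inbound_80"] = nat.inbound(80)
    result["inbound_8080"] = nat.inbound(8080)
    result["inbound_22"] = nat.inbound(22)  # unsolicited, no mapping: dropped

    # An outbound flow from an internal client creates a dynamic mapping.
    seen_as = nat.outbound(("10.0.0.4", 51000), ("198.51.100.7", 443))
    result["client_seen_as"] = seen_as
    result["reply_to_client"] = nat.inbound(seen_as[1])
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the outcome of each scenario. The second server is refused on port 80 and only becomes reachable on 8080, port 22 inbound is dropped, and the client on 10.0.0.4 appears to the outside only as 203.0.113.1:40000, which is exactly why an address-based security policy written outside the NAT cannot name the real host.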