
Re: NATs *ARE* evil!

2000-12-18 11:20:03
   Date: Fri, 15 Dec 2000 19:44:18 +0100 (CET)
   From: smd(_at_)ebone(_dot_)net (Sean Doran)

   | It's already happening.  Try running IPSec from one 10 network to
   | another 10 network.  Much pain.

   Surely the "much pain" is because, as Melinda Shore indicates, 
   some "anti-NAT fanatics" cannot understand the distinction
   between "who" and "where"?   

Historically, the IPv4 address specified "who", and not necessarily
"where".  NAT, for better or for worse, represents an attempt to change
that historical understanding.  Some would say that it is a fait
accompli, and we should just live with it.  Others would say it's NAT's
fault for trying to change the rules in the middle of the game.

Regardless of who's "right" with respect to that argument, I'd argue
that it's not productive to dwell on it.  I am personally much more
interested in making sure this ambiguity doesn't arise with IPv6, since
even though it's fairly late in the game, we have more of a chance of
fixing things here since there's much less of a deployed base.

It would be *awfully* convenient if we declare up front that something
is the "end point identifier" (i.e., "who"), and is forever exempt from
being changed by intermediate routing entities, and if necessary,
something else is the routing component (i.e., "where"), which can
change.  This "end point identifier" should have a canonical form, which
means that using the DNS name, as some have suggested, probably isn't
ideal.  For better or worse, people are too used to playing DNS games
where foo.g.akamai.com (for example) isn't necessarily the same host,
regardless of where you are in the network.

The bottom line is that we need *something* which can unambiguously
serve as an end point identifier.  Is it the IPv6 address?  It's big
enough that we probably won't have to play NAT games to gain address
space.  On the other hand, I've heard claims that the routing folks want
to reserve the right to muck with parts of the IPv6 address to make
their job easier --- which is fine, but tell us which part in advance,
so we can only protect the end-point identifier part of the address in
protocols like IPsec.  Other people claim that the DNS address should be
the unambiguous end point identifier.  But that has problems, as
discussed above.

   NAT merely exposes and exacerbates the perceptual problem,
   leading to bruised knees.

Indeed.  And regardless of who's at "fault" for creating this particular
problem, the scary part is that it's not at all obvious to me that we've
fixed it for IPv6.  As near as I can tell the ambiguity of what everyone
will agree is something we can use as an endpoint identifier remains.
The only question is (and I don't have an answer), are we too late to
try fixing it now?

                                                - Ted
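
The "who"/"where" split Ted asks for, modelled in code. This is an added example, not code from the mailing-list post or from any IPsec implementation. It assumes, purely for illustration, that the top 64 bits of an IPv6 address are the rewritable routing part ("where") and the low 64 bits are the end-point identifier ("who"), and it uses an HMAC over a constructed key as a stand-in for an IPsec integrity check value. The first check covers the whole address, which is what makes a prefix-rewriting middlebox fatal to it; the second covers only the identifier half, so it survives prefix rewriting yet still catches tampering with the identifier itself.

```python
"""Who/where split for an integrity check: added example, not from the post.
Assumptions (not from the original): 64-bit split point, the HMAC key, and
the sample addresses/payload, which are all constructed for this demo."""
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"      # stand-in for an IPsec SA key (constructed)
SPLIT_BITS = 64                     # assumed: top 64 bits are "where", rest is "who"
ID_BITS = 128 - SPLIT_BITS


def split_v6(addr: str):
    """Return (routing_prefix, endpoint_id) as integers for an IPv6 address."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> ID_BITS, n & ((1 << ID_BITS) - 1)


def join_v6(prefix: int, endpoint_id: int) -> str:
    """Inverse of split_v6."""
    return str(ipaddress.IPv6Address((prefix << ID_BITS) | endpoint_id))


def icv_whole_address(src: str, dst: str, payload: bytes) -> bytes:
    """Integrity check that covers the complete source and destination
    addresses, so any change to either address (including a prefix
    rewrite by a NAT-like box) invalidates it."""
    data = (ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)
    return hmac.new(KEY, data, hashlib.sha256).digest()


def icv_endpoint_only(src: str, dst: str, payload: bytes) -> bytes:
    """Integrity check that covers only the end-point identifier ("who")
    halves, leaving the routing prefix ("where") free to be rewritten."""
    _, src_id = split_v6(src)
    _, dst_id = split_v6(dst)
    data = (src_id.to_bytes(ID_BITS // 8, "big")
            + dst_id.to_bytes(ID_BITS // 8, "big") + payload)
    return hmac.new(KEY, data, hashlib.sha256).digest()


def rewrite_prefix(addr: str, new_prefix: str) -> str:
    """Model a middlebox that replaces the routing prefix and leaves the
    end-point identifier untouched (the 'where' changes, the 'who' does not)."""
    new_prefix_int, _ = split_v6(new_prefix)
    _, endpoint_id = split_v6(addr)
    return join_v6(new_prefix_int, endpoint_id)


def rewrite_endpoint(addr: str, new_id: int) -> str:
    """Model a box that tampers with the identifier itself; any check that
    protects 'who' must reject this."""
    prefix, _ = split_v6(addr)
    return join_v6(prefix, new_id)


def survives(check, src: str, dst: str, payload: bytes, seen_src: str) -> bool:
    """True if the receiver, recomputing `check` over the packet as it
    actually arrived (seen_src), gets the same value the sender computed."""
    sent = check(src, dst, payload)
    recomputed = check(seen_src, dst, payload)
    return hmac.compare_digest(sent, recomputed)


def demo() -> dict:
    """Run both checks through a prefix rewrite and an identifier rewrite."""
    src = "2001:db8:1::1234:5678:9abc:def0"   # constructed sample address
    dst = "2001:db8:2::1"                      # constructed sample address
    payload = b"hello"                         # constructed sample payload
    nat_src = rewrite_prefix(src, "2001:db8:ffff::")   # only "where" changed
    bad_src = rewrite_endpoint(src, 0xDEADBEEF)        # "who" tampered with
    return {
        "whole_survives_prefix_rewrite":
            survives(icv_whole_address, src, dst, payload, nat_src),
        "endpoint_survives_prefix_rewrite":
            survives(icv_endpoint_only, src, dst, payload, nat_src),
        "endpoint_detects_id_tamper":
            not survives(icv_endpoint_only, src, dst, payload, bad_src),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the example is the precondition Ted states: the endpoint-only check works only because the split point was agreed in advance. If the "routing folks" may rewrite an unannounced part of the address, there is no fixed set of bits for the sender and receiver to cover, and the check degenerates into the whole-address case.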


