"Steven M. Bellovin" wrote:
In message <3A8C692B(_dot_)8A68420E(_at_)nma(_dot_)com>, Ed Gerck writes:
"Steven M. Bellovin" wrote:
In message <3A8C196C(_dot_)197E510(_at_)nma(_dot_)com>, Ed Gerck writes:
Actually, in the UK you can do just what you wish ;-)
You give a name to your house (say, "The Tulip") and
the post office knows where The Tulip is. If you move,
you can do the same at your new location, provided
there is no conflict. This seems to be more similar to the
notion of using an IP number as a name -- but isn't this
why we need DNS? ;-)
And if you move from London to Belfast, this will still work?
In the UK, as I said. I would think that other countries may have
a similar system. Note that this is a natural example of NAT,
in which the post office is doing the address translation to a local
address that only that post office knows, but which is globally
reachable through that post office. And the post office does so
without changing the global addresses or the local addresses.
Last I checked, Belfast was in the UK, though I realize that some folks
wish it were not so.
It will work in the UK was my reply.
But you missed my point -- as you note above, the
house name is known to "that post office". In other words, there is
hierarchy in the routing algorithm; it's not globablly known, or even
known throughout the UK.
I disagreed with your point, not missed it. "The Tulip" together with *that*
post office's postcode (for example CM22 6SX, which they assign on a
geographical basis) is globally routable. Even from Belfast ;-)
The same is true of the Internet, and it's why IP addresses aren't portable.
IP addresses are not portable simply due to a design choice. If IP numbers
were designed the way the UK designed their postal service long ago,
then IP numbers would be portable indeed.
IMO, it is thus artificial to try to block Internet NATs. Far better would
be
to define their interoperation with other network components that we also
need to use, in each case.
Block them? Not at all; I have no desire to do that. But we need to
recognize that *with the current Internet architecture*, there are some
inherent limitations. To use your analogy, suppose that senders
sometimes wrote their house name on the letter enclosed in the envelope
-- but they didn't include the post office name, so the recipient
couldn't reply.
I see that we are in agreement with my post office example. "The Tulip"
together with the postal code (ie, the post office's "name") is globally
routable.
Or imagine that the Post Office only kept track of
house names when there was a recent outgoing letter.
These are security choices -- the time to live in a NAT could be unlimited,
with fixed port numbers. The address:port numbers could also be pre-registered,
before any message is sent. This is the current UK post-office model.
Likewise, the
UK post-office model could only kept track of house names when there was a
recent outgoing letter, with "recent" defined by policy.
That's the reality of NAT today.
IMO, this is simply a security choice -- NATs could work with the current UK
post-office model as well. But if the house owner only wants to allow the post
office to kept track of his house's name when there was a recent outgoing
letter,
then who is going to say otherwise? After all, he may refuse to receive any
letter and just send them One way or another, the house (network) owner is
sovereign over his house (network). My network is my castle.
Please pay careful attention to two things I did *not* say. I did
*not* say that NATs were an irrational engineering choice in today's
environment. In fact, they clearly are rational in some circumstances,
despite their disadvantages.
I would say characteristics, not disadvantages. An apple is a bad orange.
Second, I didn't say that one couldn't
have designed an Internet architecture with nested addresses. Quite
obviously, that could have been done.
In my view, this is already done. It works this way, although not engineered
this way. The Internet has its own dynamics is the lesson I see in this.
It routes around blocks ;-)
But it wasn't, and we have an
Internet that likes single, fixed-length addresses. NATs are at best
an ugly add-on in such a world.
An alternative view is that we have an Internet that likes so much to work
with heterogeneous networks that it now supports NATs even though
NATs were not originally designed into it.
(My personal techo-religion preaches
that *all* successful systems run out of address space
;-) agreed, but only systems with finitary address space.
, and that you're
better off planning for it up front. I (among others) argued strongly
for IPv6 addresses of 8, 16, 24, or 32 bytes, precisely to plan ahead.
In fact, the penultimate design called for fixed-length, 8-byte
addresses. The switch to 16 bytes was done to satisfy those of us who
feared that that was not nearly enough.)
Going further with your line of thought, an extensible archictecture with open
addresses (the kind that heterogeneous networks make possible) would provide
the real solution to the address space problem -- because it is no longer
finite.
NATs are an integral part of such design.
Cheers,
Ed Gerck