
Re: MBONE access?

2004-03-03 19:08:36
Most of the NAT boxes allow you to use IPv6. There are several protocols that 
allow it.

The simpler one 
http://www.rfc-editor.org/cgi-bin/iddoctype.pl?letsgo=draft-palet-v6ops-proto41-nat-03

Regards,
Jordi

----- Original Message ----- 
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>
To: "'Jeroen Massar'" <jeroen(_at_)unfix(_dot_)org>; "Hallam-Baker, Phillip" 
<pbaker(_at_)verisign(_dot_)com>
Cc: <ietf-mxcomp(_at_)imc(_dot_)org>; <ietf(_at_)ietf(_dot_)org>
Sent: Thursday, March 04, 2004 10:44 AM
Subject: RE: MBONE access?


Equally flawed and useless are the H.323 protocols that do not
tunnel through NAT or even work with a firewall in a remotely 
acceptable fashion.

NAT is the big bad dog here, that is what breaks the
end to end connectivity. <restart NAT war />

In case you had not noticed there are now tens of millions of NAT
devices in use. End users are not going to pay $10 per month for
an extra IP address when they can connect unlimited numbers of 
devices to the net using a $40 NAT box.

The NAT war has been over for years, NAT won. The problem is that
the IETF still has not come to terms with that fact.

The Internet was designed to be a network of networks. The core
architecture is NOT end-to-end, that is a political shibboleth that
has been imposed later.

The features of the Internet that work are the ones that work within
the end-to-end model. The features that are failures are the ones
where the end-to-end model is bogus.

The security world has long since realised that exclusive reliance
on end-to-end security is bogus. I don't know of any serious security
professionals who now claim that firewalls are bogus or that they 
will go away as the myth has it. Perimeter security is here to stay.

In the case of H323 the problem is not just NAT, it is the deranged 
protocol which uses a block of 3000 odd TCP/IP ports to receive
messages on. There is no way that this is consistent with good
firewall management - unless you go to some pretty sophisticated 
additional control to open up and shut down the ports as required.

As for IPv6, the only feasible way to deploy it is by co-opting those
NAT boxes.

Phill


**********************************
Madrid 2003 Global IPv6 Summit
Presentations and videos on line at:
http://www.ipv6-es.com

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the use of the 
individual(s) named above. If you are not the intended recipient be aware that 
any disclosure, copying, distribution or use of the contents of this 
information, including attached files, is prohibited.





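Added example (not part of the thread, the proto-41 draft or any NAT vendor's code) illustrating the mechanism Jordi points at and the firewall concern Phill raises: a protocol-41 tunnel wraps a whole IPv6 packet inside an IPv4 packet whose protocol field is 41, so an IPv4-only NAT or firewall rule that matches on "TCP to port N" never sees the inner IPv6/TCP headers. The addresses, ports and header values below are constructed sample data, the TCP checksum is left at zero because the decoder does not verify it, and the two `*_denies_tcp_port` functions are hypothetical stand-ins for an IPv4-only rule and a tunnel-aware rule.

```python
"""Decode a 6in4 (IP protocol 41) packet and compare what an IPv4-only
filter sees with what a decapsulating filter sees. Standard library only."""
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_IPV6 = 41   # IANA protocol number: IPv6 encapsulated in IPv4 (6in4 / "proto-41")


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over an IPv4 header (checksum field must be zero)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload. Constructed sample values."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header followed by payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def tcp_segment(dst_port: int, data: bytes = b"") -> bytes:
    """20-byte TCP SYN header; checksum left zero (decoder does not check it)."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + data


def decode(pkt: bytes) -> dict:
    """Return the outer IPv4 view and, for protocol 41, the decapsulated IPv6/TCP view."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
             "dst": str(ipaddress.IPv4Address(pkt[16:20])), "proto": proto}
    payload = pkt[ihl:]
    view = {"outer": outer, "inner": None}
    if proto == IPPROTO_TCP and len(payload) >= 4:
        outer["dst_port"] = struct.unpack("!H", payload[2:4])[0]
    elif proto == IPPROTO_IPV6:
        # The IPv4 payload is a complete IPv6 packet: parse its fixed header.
        if len(payload) < 40 or payload[0] >> 4 != 6:
            raise ValueError("protocol 41 but payload is not IPv6")
        nxt = payload[6]
        inner = {"src": str(ipaddress.IPv6Address(payload[8:24])),
                 "dst": str(ipaddress.IPv6Address(payload[24:40])), "next_header": nxt}
        if nxt == IPPROTO_TCP and len(payload) >= 44:
            inner["dst_port"] = struct.unpack("!H", payload[42:44])[0]
        view["inner"] = inner
    return view


def ipv4_only_denies_tcp_port(pkt: bytes, port: int) -> bool:
    """Hypothetical IPv4-only rule 'deny tcp any any eq <port>': inspects the outer header only."""
    outer = decode(pkt)["outer"]
    return outer["proto"] == IPPROTO_TCP and outer.get("dst_port") == port


def tunnel_aware_denies_tcp_port(pkt: bytes, port: int) -> bool:
    """Same rule, but applied after decapsulating protocol-41 traffic as well."""
    if ipv4_only_denies_tcp_port(pkt, port):
        return True
    inner = decode(pkt)["inner"]
    return inner is not None and inner.get("next_header") == IPPROTO_TCP and inner.get("dst_port") == port


if __name__ == "__main__":
    # Constructed sample: IPv6 TCP SYN to port 25 carried over a 6in4 tunnel.
    tunnelled = ipv4_packet("192.0.2.10", "198.51.100.1", IPPROTO_IPV6,
                            ipv6_packet("2001:db8::1", "2001:db8::2", IPPROTO_TCP, tcp_segment(25)))
    print(decode(tunnelled))
    print("IPv4-only rule blocks port 25:", ipv4_only_denies_tcp_port(tunnelled, 25))
    print("tunnel-aware rule blocks port 25:", tunnel_aware_denies_tcp_port(tunnelled, 25))
```

The practical consequence for a NAT or firewall that "allows IPv6" this way is that it must either forward protocol 41 only to a designated tunnel endpoint or decapsulate and apply its policy to the inner IPv6 headers; matching on the outer IPv4 5-tuple alone says nothing about the traffic inside the tunnel.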