
Re: Stupid NAT tricks and how to stop them.

2006-04-05 13:24:38
On 5-apr-2006, at 21:57, John C Klensin wrote:

they all had an
option to run with or without NAT. Many of them also have the
option to have a "bridge" mode allowing the customer to
provide their own router/firewall solution.

It is that "bridge" mode that is critical.  As I indicated
above, neither the Linksys nor the Netgear devices provide it.
The SonicWall does, but raises other, unrelated, issues.  I
carefully did not address any devices I haven't actually used.
That leaves us in a state in which it is necessary to handle
static public IP addresses by either

        * running the ISP's interface device in bridge mode,
        which many (although perhaps not all) ISPs prohibit

        * running the router devices as one-one NATs

It occurs to me that there is nothing that prevents this exact same issue from coming up in IPv6. Even with an unpronounceable number of addresses, if you provide your own box that performs routing (which is generally a requirement for any kind of firewalling), the ISP has set up an address range to communicate with that box, and another address range that it forwards to that box for use behind it.

I.e., if the ISP provides a CPE box under their control and I have my own router/firewall, then I need a subnet between the two and at least one more subnet on another port of my router/firewall where my hosts reside. The first issue is that this makes getting a single /64 from the ISP useless, and the second issue is that either there needs to be some manual configuration or there needs to be some kind of address provisioning protocol to be run between the CPE and the customer router/firewall, such as DHCPv6 prefix delegation.

(Note by the way that PPP can do address provisioning for a single address in IPv4 but it can't do this for IPv6, making stuff like IPv6 over dial-up extremely hard to do.)
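The two-subnet layout the reply describes (one /64 on the link between the ISP's CPE and the customer's router/firewall, plus one or more /64s behind that router) can be worked through with a short address-planning routine. The following is an added example, not code from the mailing-list thread or any IETF document; the prefixes are constructed documentation-range values, and the choice of ::1 for the CPE and ::2 for the customer router on the link subnet is an assumed convention. It shows why a single delegated /64 cannot serve this topology, while a /56 obtained via DHCPv6 prefix delegation can.

```python
import ipaddress

# SLAAC requires a 64-bit interface identifier, so each link (the
# CPE<->router link and every customer LAN) needs its own /64.
SUBNET_PREFIX_LEN = 64


def plan_addressing(delegated_prefix, lan_count=1):
    """Carve the CPE-facing link subnet and `lan_count` LAN subnets out of
    the prefix delegated by the ISP.

    Returns a dict with the link /64, the addresses assumed for the CPE
    (::1) and the customer router's WAN side (::2), and the LAN /64s.
    Raises ValueError when the delegated prefix is too small.
    """
    delegated = ipaddress.IPv6Network(delegated_prefix, strict=True)
    needed = 1 + lan_count  # one link subnet plus the LANs

    if delegated.prefixlen > SUBNET_PREFIX_LEN:
        raise ValueError(f"{delegated} is longer than a /{SUBNET_PREFIX_LEN}; "
                         "it cannot be used for SLAAC at all")

    available = 2 ** (SUBNET_PREFIX_LEN - delegated.prefixlen)
    if available < needed:
        raise ValueError(f"{delegated} yields only {available} /64 subnet(s), "
                         f"but {needed} are needed (1 link + {lan_count} LAN)")

    subnets = delegated.subnets(new_prefix=SUBNET_PREFIX_LEN)
    link = next(subnets)                         # first /64: CPE <-> router
    lans = [next(subnets) for _ in range(lan_count)]

    return {
        "link": link,
        "cpe_address": link[1],          # assumed: CPE takes ::1 on the link
        "router_wan_address": link[2],   # assumed: customer router takes ::2
        "lans": lans,
    }


if __name__ == "__main__":
    # Constructed example: ISP delegates a /56 via DHCPv6 prefix delegation.
    plan = plan_addressing("2001:db8:abcd:100::/56", lan_count=2)
    print("link subnet       :", plan["link"])
    print("CPE address       :", plan["cpe_address"])
    print("router WAN address:", plan["router_wan_address"])
    for i, lan in enumerate(plan["lans"], 1):
        print(f"LAN {i}             :", lan)

    # Constructed example: ISP hands out a single /64, as the reply warns.
    try:
        plan_addressing("2001:db8:abcd:100::/64", lan_count=1)
    except ValueError as err:
        print("single /64 fails  :", err)
```

With a /56 the first /64 becomes the link subnet and the next two become LANs; with a bare /64 the routine refuses, which is the "single /64 is useless" case from the reply, since that one subnet is consumed by the CPE-to-router link and nothing is left for hosts behind the firewall.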

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf