
RE: NATs as firewalls

2007-03-07 17:24:10
Quite, the disappearance of un-NATed IPv4 is inevitable.

Regrettably the ready availability of IPv6 is not.


There are two possible future outcomes here. The first is that the only widely 
available option is NAT-ed IPv4. The second is a dual stack offering that 
combines NAT-ed IPv4 with full feature IPv6.

We do need to revise the architecture description. Using IP addresses as 
implicit signalling is bad. Another instance that hit me today is the fact that 
existing SSL implementations use the server IPv4 address to select which server 
certificate to present to a client. This means that if you want to multi-home 
multiple SSL sites on one box you need to burn an IPv4 address for each. EKR 
told me there is a solution but again we have to get people to use it.
 

-----Original Message-----
From: Darryl (Dassa) Lynch [mailto:dassa(_at_)dhs(_dot_)org] 
Sent: Wednesday, March 07, 2007 3:53 PM
To: ietf(_at_)ietf(_dot_)org
Subject: RE: NATs as firewalls

Hallam-Baker, Phillip wrote:
From: John C Klensin [mailto:john-ietf(_at_)jck(_dot_)com]

  And, when I conclude that IPv6 is inevitable (unless someone comes 
up with another scheme for global unique addresses RSN),

Here we disagree, I don't think that IPv6 is inevitable.
When I model the pressures on the various parties in the system and 
consider the shortest route by which the participants can reach their 
short term goals there are certainly alternative schemes.

I certainly do not want to see these schemes deployed but they are 
certainly possible outcomes. For example, a hyperNAT where the ISP 
NATs residential Internet as a matter of course. I suspect we will 
start to see this deployed on a large scale as soon as the market 
price for IP address allocation reaches a particular point.

There is a major difference between a NAT box plugged into the real 
Internet and a NAT box plugged into another NAT box. It is a pretty 
ugly one for the residential user.

I'm afraid it is already happening on a large scale in some 
parts.  Here in Australia I've seen multiple ISPs who NAT 
all residential customers.  Some of them amongst the largest 
players in the market.  Even some commercial offerings are on NATs.

Personally I'm more set against the wholesale blocking of 
ports and services which ISPs seem to be favouring at the 
moment, and the pricing that is applied to have the blocks 
removed.  There are artificial blocks being deployed to keep 
usage down that are a bigger problem than NATs IMHO.

Darryl (Dassa) Lynch 


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

