Re: OK, final NAT66 argument (Was: NAT Not Needed To Make Renumbering Ea

Sorry in advance for the length of the post and, in parts, the  
rudeness of my spleen.
On 8 Nov 2009, at 17:55, Phillip Hallam-Baker wrote:
> I assert that regardless of whether NAT66 is a good or a bad thing,
> anything that layers on IPv6 must be NAT66 tolerant.
In the whole of the foregoing discussion about NAT and IPv6, the  
question that I'm only really left with is whether or not we actually  
lost anything by doing NAT.  I have never seen the link between the  
application layer and the network layer (or whatever you call these  
things, "Layer" being a highly inadequate term), and taking the  
effects of NAT and the resultant protocol drain by way of example, now  
no longer "See" what end-to-end connectivity is good for ...
Until I remember FTP.

And SIP.

And IKE...

And I question the quality expectations and degraded service the  
Internet's users have endured.  The attitude is no longer that  
"Address exhaust came, NAT pushes back the emergency" but "If it  
weren't for NAT, we'd have run out of addresses by now".  You know, as  
if the botches we take for granted today are in any way good, as  
though the strategies we know and love to get around NAT are in any  
way acceptable, as though replacements for NAT-unfriendly protocols  
are somehow heavenly and divine.  And whose idea was it to make the  
above protocols easily dependent on universal addressing, anyway?  Was  
it necessary?
It would only be fair to wonder how FTP and SIP would be, if designed  
today.  It would be a shame not to mention WebDAV and, oh, Skype.  And  
SIP, done today, would probably depend on connection reuse, fixed  
ports and no payload rewriting to get around NAT, those features being  
both desirable in NAT and of presumably great use in circumstances  
where realm translation happens, as with proxying where translating  
the IP or application header is absolutely the most you can do and  
where, presumably, NAT or similar can actually be justified for those  
who simply must have it.
But one thing's damn certain, I will never, ever, ever configure a  
passive-mode FTP server behind a NAT ever again - not so long as the  
gateway supports FTP ALG but only if the behind-NAT FTP server  
pretends to be oblivious to the existence of NAT, while flopping  
completely if you try to be clever and set up ports and addresses to  
be given to clients.  Worse yet, if it uses UPnP to open the needed  
holes.  Do you care for a healthy Internet?  I do.  That sort of thing  
is beyond me, and I want somebody to tell me it's okay and it will all  
be over soon.  And really, a lot of the excuses people give for  
keeping NAT are highly lame, in many instances suboptimal even for  
their intended purpose (source address spoofing behind NAT is my  
favourite argument against security held to be a value of NAT) and  
generally miss one or two points about the initial, healthy  
development of the 'net unencumbered by NAT.  For a particularly  
aggressive take:
http://www.fourmilab.ch/speakfree/ link

And, of course, RFC 2993 is standard reading.

So yes, I need to know why we put up with NAT, or why you think others  
should.  I also need any justification you may have about why end-to- 
end is wrong or never held for the Internet's design, and if it did,  
why it did.
> While folk can postulate alternative universes in which enterprises
> will not demand or vendors refuse to implement NAT66, there is another
> area that is harder to wish away.
>
> Observation: Without NAT44 the internet would already have run out of
> address space.
>
> I don't think this can be seriously disputed.
But see above.

> Observation: Without NAT46 and NAT64, we cannot transition from IPv4  
> to IPv6.
Not now, no.  It was the grand master plan though, back when.  And,  
yes, capitalism and managers are to blame and, no, I don't feel the  
slightest sympathy for the slow movers who end in hot water because  
they didn't plan ahead.  Really, it's a crisis whose only quandary is  
money and is entirely of their own making, and if they can't see  
beyond that point, it doesn't matter if they lose business.  I don't  
know why the IETF keeps its hands out like that, when for years the  
clean start proposal was, while perhaps rather optimistic, perfectly  
adequate and, on the whole, of sound engineering.  But now, vendors  
have begun pedalling the latest in CGN, and I'm tempted to imagine  
that if the transition had begun sooner there's a very real  
possibility the impetus and usefulness of IPv6 would have made the  
notion of CGN infeasible and unsellable.  And don't get me started on  
the silly proposals to recycle unused IPv4 address space, they won't  
work longer than five minutes a time.  Any market value those  
addresses may have is significantly outperformed by the real benefit  
of IPv6, when IPv6 is all there is to give.
Still, FWIW, I see the transition this way: CGN (carrier-grade NAT)  
will happen now and in response to future demand on existing address  
space reclamation efforts (ISP wants more business, for instance),  
giving client-only v4 access to v4 or v6 nodes, and v6-only nodes  
client access to v4.  V4 will, finally, become nearly useless because  
of the real potential in peer-to-peer.  IPv6, either native or over  
NAT- or non-NAT-friendly v6 tunnels, will suddenly seem very cool and  
necessary.  V6 will suddenly gain traction, the value of v4 is the sum  
of the value of deployed CGNs to keep, and soon the only people with  
nearly useless connections will be the ones who got us into the mess  
to begin with.  Everybody will scream at them for making their  
experiences sucky, slow and dependent on old code, ISPs will  
eventually make the corporates see sense in the v6 upgrade, and  
bingo!  It's 2148, and we've made the transition!  ISPs will almost  
certainly be long into the process before the blackout period, of  
course, for obvious reasons.
Well, one can dream, anyway. :-)

> If we accept these two observations we arrive at a proof that NAT66 is
> unavoidable. It will happen any time an IPv6 device with IPv4 service
> attempts to connect to an IPv6 server. NAT64 + NAT46 = NAT66.
No.  A device with just IPv4 addressing, even one behind NAT(s), can  
in fact get IPv6 connectivity, complete with global reachability  
(state of NAT(s) permitting).  So it is not a prerequisite of a node  
that wants the complete benefits of IPv6 to have more than a single  
IPv4 address, preferably publicly routable.
Cheers,
Sabahattin

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf