
Re: Netfilter (Linux) Does IPv6 NAT

2011-12-07 05:13:18
On 6 Dec 2011, at 16:17, Martin Rex wrote:
> Greg Daley wrote:
>> I do not know if this is a current environment, or what you would like to see
>> (A reference would be good).
>
> That is the current environment for home DSL subscribers (IPv4) in Germany.
>
>> One would use DHCPv6-PD to request the lease for a period,
>> Router Advertise it downstream to your devices, which use
>> it only for 24h, and at the end of the time return the prefix
>> to the pool.
>
> At most 24h, I can get a new DHCP lease on request every 2 minutes
> if I want to.  With a single IPv4 address on the external interface
> of the DSL router, this does affect all connections, of course.
>
>> If you wish to rotate through address space, you could still use
>> the 24 hour lease either as a replacement for or in addition to
>> your static prefix in IPv6, but you do not need to use NAT.
>
> I do *NOT* want dynamic addresses on my local network. These
> ought to be static.  This is why IPv4 NAT and RFC 1918 private
> address space is so useful.
>
> An IPv6 NAT would have to offer the same functionality, of course:
> Address assigned through DHCP on the local/home network, but
> extending the leases for the same addresses, and a randomized temporary
> dynamic address on the external interface of the DSL router.
>
> Renumbering the internal network would be completely silly.
> You certainly do not want any interruptions of the local network traffic
> just because you frequently change the address on the external interface for
> privacy reasons.

1.  If you just want to camouflage internal clients, do it with privacy 
addresses or a socks proxy and clients.

2.  If you want to hide, do it with proper means, i.e., tor.  You needn't 
suppose that the one agent who has the most insight into your network traffic, 
that being your ISP, is trustworthy.  Especially true given that it's the one 
agent with the highest likelihood of actually succeeding in the intercept of 
your Internet traffic.  Or that it often has controls over its routers which 
allow monitoring beyond rightful boundaries.  Best intentions aside.

3.  If you've got to have dynamic external IP addresses (note, not address; for 
that, see 1 above), we'll have to find a way to renumber your network so 
applications running on your hosts know what their new addresses are while 
keeping your preferred topological configuration, every time your PD lease is 
due *.  However, you should be using ULA or LL addresses for intra-network 
traffic, not global.  This has to be the only legitimate use of NAT, but not 
for port translation.

4.  NAT must die.  It is simply a pain in the arse.  We're not stunting another 
decade of growth simply to uphold an illusion caused by address sharing.  Most 
funny has been the many things attributed to it, because the original NAT 
concept specification was written at a time when most traffic was within the 
private realm, not through the translator into the public one.  Please try to 
think outside the box, as the popular expression goes.  We can find solutions 
to your problems that do not include damaging important principles which ensure 
that the Internet actually grows and innovates, groupthink notwithstanding. And 
yes, I realise that this statement is already enough to ruffle some people even 
within the IETF, and definitely within the security community.

Cheers,
Sabahattin

* What's renum doing these days? There's got to be a better answer than NAT66 
for this sort of problem.
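Added example (not code from this thread or from any poster) illustrating point 3 above: hosts keep a stable ULA address for intra-network traffic and only rebuild their global address when the DHCPv6-PD lease rolls over to a new prefix, so no NAT is needed. The ULA /64, the delegated prefixes and the interface identifier are constructed values, and source selection is reduced to the longest-matching-prefix rule (RFC 6724 rule 8), which is enough to keep local traffic on the ULA.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed values: a stable ULA /64 for the home LAN and a stable 64-bit
# interface identifier for one host on it.
ULA_LAN = IPv6Network("fd12:3456:789a:1::/64")
IFACE_ID = 0x0A11


def addr_from_prefix(prefix: IPv6Network, iid: int) -> IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("expected a /64")
    return IPv6Address(int(prefix.network_address) | (iid & ((1 << 64) - 1)))


def lan_subnet(delegated: IPv6Network, subnet_index: int) -> IPv6Network:
    """Pick the subnet_index-th /64 out of a delegated prefix (e.g. a /56 from DHCPv6-PD)."""
    if subnet_index >= 2 ** (64 - delegated.prefixlen):
        raise ValueError("subnet index outside delegated prefix")
    return IPv6Network((int(delegated.network_address) + (subnet_index << 64), 64))


def common_prefix_len(a: IPv6Address, b: IPv6Address) -> int:
    """Number of leading bits two addresses share."""
    return 128 - (int(a) ^ int(b)).bit_length()


class Host:
    def __init__(self, iid: int, delegated: IPv6Network, subnet_index: int = 1):
        self.iid = iid
        self.ula = addr_from_prefix(ULA_LAN, iid)  # never changes
        self.gua = None
        self.renumber(delegated, subnet_index)

    def renumber(self, delegated: IPv6Network, subnet_index: int = 1) -> None:
        """Only the global address follows the (new) delegated prefix."""
        self.gua = addr_from_prefix(lan_subnet(delegated, subnet_index), self.iid)

    def source_for(self, dest: IPv6Address) -> IPv6Address:
        """Longest-matching-prefix source selection (RFC 6724 rule 8, simplified)."""
        return max((self.ula, self.gua), key=lambda c: common_prefix_len(c, dest))


def demo() -> dict:
    """Renumber a host across two constructed PD leases and report its addresses."""
    host = Host(IFACE_ID, IPv6Network("2001:db8:1100::/56"))  # constructed old lease
    old_gua = host.gua
    host.renumber(IPv6Network("2001:db8:2200::/56"))          # constructed new lease
    return {"ula": host.ula, "old_gua": old_gua, "new_gua": host.gua,
            "src_local": host.source_for(IPv6Address("fd12:3456:789a:1::beef")),
            "src_remote": host.source_for(IPv6Address("2001:db8:ffff::1"))}
```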
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf