RE: FW: Why?
"Tony Hain" <alh-ietf@tndh.net> Tue, 15 March 2005 00:50 UTC
Message-Id: <200503150046.TAA12774@ietf.org>
From: Tony Hain <alh-ietf@tndh.net>
To: 'Jonathan Rosenberg' <jdrosen@cisco.com>
Date: Mon, 14 Mar 2005 16:46:33 -0800
In-Reply-To: <4235AF1B.1080702@cisco.com>
Cc: ietf@ietf.org
Subject: RE: FW: Why?
Jonathan Rosenberg wrote:
> ...
> I agree that ALGs are not the answer, and I believe the reasons for that
> are treated in:
>
> http://www.ietf.org/internet-drafts/draft-iab-nat-traversal-considerations-00.txt

I have a fundamental problem with an IAB document that implies NAT provides a firewall. The artifact of lack of state is exploited to prevent inbound connections, but that has nothing to do with a policy-rich firewall, and even less to do with anything resembling 'security'.

As I said in an earlier post, the entire focus of this document is the wrong direction for the IAB. It should be focused on simplifying application operation, so there should be no NAT in the title. The IAB should be looking at how applications can avoid worrying about the convolution in the network, not focusing on how to navigate it.

It is also broken in that it focuses on Client/Server application models, which are generally less of an issue for applications in a NAT environment. Peer-to-peer applications have more trouble with mangled headers, so the second thing to do (after changing the title & focus) is to rework this so that P2P issues are up front.

>
> As I mentioned during the plenary, the document above makes a case that
> the right answer in many situations are vpn-ish technologies that
> include v6 tunnels. However, different applications have different
> needs, and there are real differences between the various vpn-ish
> solutions (TURN, STUN, teredo, etc.) that are driving their development
> and adoption. For VoIP, where the nat traversal issue has been
> especially painful, the increase in voice latency, packet loss, and
> substantial cost increase of relaying traffic through the tunnel
> servers, has driven people to solutions like STUN. Thus, I cannot agree
> that there only needs to be a single solution here.

You appear to be too focused on the weeds to notice the path forward. Yes, many of the IPv6 transition technologies have the same issues as the NAT traversal technologies in IPv4 (in many cases they do exactly the same thing but with different encapsulated packets). That said, if the applications community doesn't get the point that they can leave all that crap behind when native IPv6 is available to them, then they will never move. If the applications community doesn't do their part, we will always be stuck with the garbage in the network.

>
> That said, I agree that the IAB nat traversal consideration document
> lacks adequate consideration of how evolution plays into this, and I'll
> endeavor to improve the document on that front.

I will try to send text, but I am buried for the next couple of months.

>
> Another concern I have is that, in an IPv6-only world, even if you
> eliminate NAT, there will still be firewalls, and those firewalls will
> frequently have the property that they block traffic coming from the
> outside to a particular IP/port on the inside unless an outbound packet
> has been generated from the inside from that IP/port.

There is work going on outside the IETF to deal with this issue. There is no point in wasting years arguing when progress can be made in the real world.

> This means that IP
> addresses are not globally reachable. You'd still need most of the same
> solutions we have on the table today to deal with this problem.

Not necessarily.

> Indeed,
> in the VoIP space, I believe you'd need pretty much everything,
> excepting you'd be able to remove a single attribute from a few of the
> protocols (STUN and TURN in particular), which tell the endpoint its
> address on the other side of the NAT. The endpoint knows its address,
> but all of the protocol machinery is still needed to rendezvous with the
> other participant in the call.
>
>
> -Jonathan R.
> --
> Jonathan D. Rosenberg, Ph.D.                  600 Lanidex Plaza
> Director, Service Provider VoIP Architecture  Parsippany, NJ 07054-2711
> Cisco Systems
> jdrosen@cisco.com                             FAX:   (973) 952-5050
> http://www.jdrosen.net                        PHONE: (973) 952-5000
> http://www.cisco.com
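The distinction argued in this message (a NAT blocking unsolicited inbound traffic only as a side effect of a missing mapping, versus a stateful IPv6 firewall that blocks or admits it by explicit policy) as a constructed Python model; this is an added example, not code from the thread, and the addresses, ports and class names are made up for illustration.

```python
# Added example, not from the thread. A NAT forwards an inbound packet only when a
# translation mapping exists, so its "protection" is a side effect of missing state.
# A stateful IPv6 firewall also drops unsolicited inbound traffic, but by policy,
# and the same policy can deliberately admit it. Addresses are documentation ranges.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str; sport: int; dst: str; dport: int

@dataclass
class Nat:
    public_ip: str
    table: dict = field(default_factory=dict)  # (private ip, port) -> public port
    next_port: int = 40000
    def outbound(self, p):
        key = (p.src, p.sport)
        if key not in self.table:              # allocate a mapping on first use
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], p.dst, p.dport)
    def inbound(self, p):
        for (ip, port), pub in self.table.items():
            if pub == p.dport:                 # mapped: rewrite back to the inside host
                return Packet(p.src, p.sport, ip, port)
        return None  # no mapping means no inside destination: dropped as a side effect

@dataclass
class StatefulFirewall:
    allow_inbound: set = field(default_factory=set)  # explicit policy: (inside ip, port)
    pinholes: set = field(default_factory=set)       # flows opened by outbound packets
    def outbound(self, p):
        self.pinholes.add((p.src, p.sport, p.dst, p.dport))
        return p                                     # no address rewriting needed in IPv6
    def inbound(self, p):
        if (p.dst, p.dport) in self.allow_inbound:   # admitted by explicit policy
            return p
        if (p.dst, p.dport, p.src, p.sport) in self.pinholes:  # reply to an outbound flow
            return p
        return None                                  # unsolicited: dropped by policy

def demo():
    nat = Nat("203.0.113.1")
    nat.outbound(Packet("10.0.0.5", 5060, "198.51.100.9", 5060))        # SIP-like flow out
    fw = StatefulFirewall(allow_inbound={("2001:db8::5", 5061)})        # one published service
    fw.outbound(Packet("2001:db8::5", 5060, "2001:db8:1::9", 5060))
    return {"nat_reply": nat.inbound(Packet("198.51.100.9", 5060, "203.0.113.1", 40000)),
            "nat_unsolicited": nat.inbound(Packet("198.51.100.9", 5060, "203.0.113.1", 5060)),
            "fw_reply": fw.inbound(Packet("2001:db8:1::9", 5060, "2001:db8::5", 5060)),
            "fw_unsolicited": fw.inbound(Packet("2001:db8:1::9", 5060, "2001:db8::5", 7000)),
            "fw_policy": fw.inbound(Packet("2001:db8:1::9", 1234, "2001:db8::5", 5061))}
```

Only the firewall can admit the call to port 5061 without an outbound packet first; the NAT has no way to express that decision at all.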