Re: [nat66] Necessity for NAT remains in IPv6
Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 07 November 2009 12:42 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: nat66@core3.amsl.com
Delivered-To: nat66@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0EA23A6954 for <nat66@core3.amsl.com>; Sat, 7 Nov 2009 04:42:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[AWL=-0.929, BAYES_20=-0.74, DATE_IN_PAST_12_24=0.992]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5cjJn1hosuo for <nat66@core3.amsl.com>; Sat, 7 Nov 2009 04:42:01 -0800 (PST)
Received: from mail-px0-f186.google.com (mail-px0-f186.google.com [209.85.216.186]) by core3.amsl.com (Postfix) with ESMTP id B53073A692A for <nat66@ietf.org>; Sat, 7 Nov 2009 04:42:01 -0800 (PST)
Received: by mail-px0-f186.google.com with SMTP id 16so65798pxi.29 for <nat66@ietf.org>; Sat, 07 Nov 2009 04:42:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=LBv6PEsKZrvtye1j4SPS7JQ1CKMOfeO5ZNyfCEU2t3w=; b=KZpsRytvAZFUqmLMbyYltCRrIeVq8pfdb//P9Ayt9ac/rBMuX2pXC60RPraC66Mmqe 1LC5XJhxA74EBoDQtPR6rXboKi3bZzLApTRhoWhsrzxHvTYhSsnxKAVmBjnJXhseiuYR ALkxDc1MjWMjYCVYWmbZYDvlVvfrWEZ9gF1m0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; b=RhrOn5ACYf84Wrq0gD5Js3KQ6LG60c+M31AiVR6fXT/1zI2qmIf3euOlMer2oxL4q1 F8WkDcyGVSANAWZSwllc8D6AWjyiPYsXUHp/Bq/6N1MmQloHu+WNhrEv+icO184NhMgy 6ww6R8WbH3Zc34ySgShbtAzwY/hVN5Ad4Jo3o=
Received: by 10.114.248.7 with SMTP id v7mr8805634wah.92.1257597746403; Sat, 07 Nov 2009 04:42:26 -0800 (PST)
Received: from ?133.93.128.64? (host-128-64.meeting.ietf.org [133.93.128.64]) by mx.google.com with ESMTPS id 22sm604606pxi.2.2009.11.07.04.42.24 (version=SSLv3 cipher=RC4-MD5); Sat, 07 Nov 2009 04:42:25 -0800 (PST)
Message-ID: <4AF4B30F.8030301@gmail.com>
Date: Sat, 07 Nov 2009 12:36:47 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "'nat66@ietf.org'" <nat66@ietf.org>
References: <F55FF9C4FDB76643AE0CEC06D0F5CEB3048557BFD8@Skyhawk>
In-Reply-To: <F55FF9C4FDB76643AE0CEC06D0F5CEB3048557BFD8@Skyhawk>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: Re: [nat66] Necessity for NAT remains in IPv6
X-BeenThere: nat66@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "List for discussion of IPv6-to-IPv6 NAT." <nat66.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nat66>, <mailto:nat66-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nat66>
List-Post: <mailto:nat66@ietf.org>
List-Help: <mailto:nat66-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nat66>, <mailto:nat66-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2009 12:42:03 -0000
Sigh, I've been keeping my fingers off the keyboard, but a few points in this thread really need clarification. Apologies for prolonging the off-topic thread, I will shut up after this. On 2009-11-03 08:15, Chris Engel wrote: ... > First, by way of introduction...I'm a Network Manager in > charge of operations at a small ASP. Hi. I used to be in charge of network operations at a large site (cern.ch), then I spent 10 years in industry, and now I'm an academic but working with our university's IT operations people on IPv6 deployment. I was also the instigator of and a contributor to RFC4864. So... ... > I do NOT feel that RFC 4864 adequately addresses the utility > of NAT.... nor adequately provides a acceptable substitutes > for it. We worked as hard as we could to make the list complete.Can you identify exactly which benefits of NAT are not mentioned in section 2 of the document? ... > > In section 2.2. of RFC 4864 "Simple Security Due to Tasteful > Filter Implementation" the authors contend that NAT's utility > for Security is not particularly compelling because it > incomplete and can be bypassed through techniques such as > Trojans.... and that filtering via a FW offers a more robust > solution. Respectfully, it's difficult for me to fathom that > anyone well versed in security would find these arguments > compelling. Well, how about any large site manager who runs a firewall but no NAT? This is a very common scenario, although I agree that many sites run boxes that are simultaneously NATs and firewalls. On 2009-11-04 15:14, Roger Marquis wrote: ... > Given that somewhere over 90% of devices connected to the IPv4 Internet are > NAT'd, allegations of "NAT harm" would seem to be like those funded by > insurance interest against single payer i.e., without basis but repeated > often in the hope that someone will believe them. The problem here is that NATs (especially the $99 kind misleadingly described as ADSL routers) lose session state and abort user sessions when they run out of resource. Then the user sees a glitch or a timeout, or occasionally an aborted credit card or banking transaction. But there is no logging and no diagnosis. So we simply have no data about how many hours of user time and help desk time are wasted on NAT-induced glitches. If every domestic user ran Wireshark continuously, and every glitch was carefully analysed, we'd have data. But that isn't going to happen. That's not to mention the performance and complexity cost for applications that have to work around NATs, which is a constant tax on everybody. So we know that there is a large dollar cost here, but we have no reasonable way to measure it. As far as the IT managers and ISPs who choose to put users behind NATs are concerned, it's an externality that they have no interest in pricing. The problem with NATs is basically one of economics: the incentives to NAT act on one group (IT managers) and the costs of NAT lie on another group (users). On 2009-11-04 15:19, Roger Marquis wrote: > Mark Andrews wrote: >> NAT44 was a necessary evil as we had effectively run out IPv4 addresses. > > This is false. NAT was implemented long, long before there were widespread > concerns regarding the number of addresses. Absolutely not. The concern about the number of address dates back to about 1991, and was formally documented in November 1992 (RFC1380, section 2.1.3): There is considerable uncertainty regarding the timeframe when we might exceed the limits of the IP address space. However, the issue is serious enough that it deserves our earliest attention. It is very important that we develop solutions to this potential problem well before we are in danger of actually running out of addresses. IPv6 is the result of that paragraph. But NAT (at least for IP) was first documented in 1994 (RFC1631). > A larger reason for NAT was > that many of us were using non-routable addresses, You were only using them because they were defined in 1994 (RFC1597), 2 months before NAT. > as there was (and still > is) no business case for any of our internal addresses to be publically > routable. Actually that is a side issue. I agree that it's a very reasonable business argument. But whether you use ambiguous (RFC1597/RFC1918) addresses, IPv6 ULAs, or globally unique addresses is completely orthogonal to whether they are routed on the public Internet. There are many cases of organisations with globally unique addresses used internally that are not routed externally. (The same goes for DNS names, although there is quite a bit of allergy in the IETF to two-faced DNS.) Brian
- [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 james woodyatt
- Re: [nat66] Necessity for NAT remains in IPv6 Mark Andrews
- Re: [nat66] Necessity for NAT remains in IPv6 Roland Bless
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Margaret Wasserman
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Wes Beebee (wbeebee)
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Roland Bless
- Re: [nat66] Necessity for NAT remains in IPv6 james woodyatt
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Mark Andrews
- Re: [nat66] nat66 Digest, Vol 7, Issue 3 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] nat66 Digest, Vol 7, Issue 3 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Mark Andrews
- Re: [nat66] nat66 Digest, Vol 7, Issue 3 Steven Blake
- Re: [nat66] nat66 Digest, Vol 7, Issue 3 Keith Moore
- Re: [nat66] nat66 Digest, Vol 7, Issue 3 Steven Blake
- Re: [nat66] nat66 Digest, Vol 7, Issue 3 Brian E Carpenter
- [nat66] adding indirection and deadlock Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Mark Andrews
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Brian E Carpenter
- Re: [nat66] Necessity for NAT remains in IPv6 Eric Klein
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Brian E Carpenter
- Re: [nat66] Necessity for NAT remains in IPv6 james woodyatt
- Re: [nat66] Necessity for NAT remains in IPv6 Brian E Carpenter
- Re: [nat66] Necessity for NAT remains in IPv6 james woodyatt
- Re: [nat66] Necessity for NAT remains in IPv6 mohamed.boucadair
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Margaret Wasserman
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Brian E Carpenter
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Martin Röhricht
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Martin Röhricht
- Re: [nat66] Necessity for NAT remains in IPv6 Brian E Carpenter
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Brian E Carpenter
- Re: [nat66] Necessity for NAT remains in IPv6 Brian E Carpenter
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Martin Röhricht
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore
- Re: [nat66] Necessity for NAT remains in IPv6 Roger Marquis
- Re: [nat66] Necessity for NAT remains in IPv6 Chris Engel
- Re: [nat66] Necessity for NAT remains in IPv6 Brian E Carpenter
- Re: [nat66] Necessity for NAT remains in IPv6 Keith Moore