IETF Logo Mail Archive

Re: [nat66] Necessity for NAT remains in IPv6

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 07 November 2009 12:42 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: nat66@core3.amsl.com
Delivered-To: nat66@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0EA23A6954 for <nat66@core3.amsl.com>; Sat, 7 Nov 2009 04:42:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[AWL=-0.929, BAYES_20=-0.74, DATE_IN_PAST_12_24=0.992]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5cjJn1hosuo for <nat66@core3.amsl.com>; Sat, 7 Nov 2009 04:42:01 -0800 (PST)
Received: from mail-px0-f186.google.com (mail-px0-f186.google.com [209.85.216.186]) by core3.amsl.com (Postfix) with ESMTP id B53073A692A for <nat66@ietf.org>; Sat, 7 Nov 2009 04:42:01 -0800 (PST)
Received: by mail-px0-f186.google.com with SMTP id 16so65798pxi.29 for <nat66@ietf.org>; Sat, 07 Nov 2009 04:42:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=LBv6PEsKZrvtye1j4SPS7JQ1CKMOfeO5ZNyfCEU2t3w=; b=KZpsRytvAZFUqmLMbyYltCRrIeVq8pfdb//P9Ayt9ac/rBMuX2pXC60RPraC66Mmqe 1LC5XJhxA74EBoDQtPR6rXboKi3bZzLApTRhoWhsrzxHvTYhSsnxKAVmBjnJXhseiuYR ALkxDc1MjWMjYCVYWmbZYDvlVvfrWEZ9gF1m0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; b=RhrOn5ACYf84Wrq0gD5Js3KQ6LG60c+M31AiVR6fXT/1zI2qmIf3euOlMer2oxL4q1 F8WkDcyGVSANAWZSwllc8D6AWjyiPYsXUHp/Bq/6N1MmQloHu+WNhrEv+icO184NhMgy 6ww6R8WbH3Zc34ySgShbtAzwY/hVN5Ad4Jo3o=
Received: by 10.114.248.7 with SMTP id v7mr8805634wah.92.1257597746403; Sat, 07 Nov 2009 04:42:26 -0800 (PST)
Received: from ?133.93.128.64? (host-128-64.meeting.ietf.org [133.93.128.64]) by mx.google.com with ESMTPS id 22sm604606pxi.2.2009.11.07.04.42.24 (version=SSLv3 cipher=RC4-MD5); Sat, 07 Nov 2009 04:42:25 -0800 (PST)
Message-ID: <4AF4B30F.8030301@gmail.com>
Date: Sat, 07 Nov 2009 12:36:47 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "'nat66@ietf.org'" <nat66@ietf.org>
References: <F55FF9C4FDB76643AE0CEC06D0F5CEB3048557BFD8@Skyhawk>
In-Reply-To: <F55FF9C4FDB76643AE0CEC06D0F5CEB3048557BFD8@Skyhawk>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: Re: [nat66] Necessity for NAT remains in IPv6
X-BeenThere: nat66@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "List for discussion of IPv6-to-IPv6 NAT." <nat66.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nat66>, <mailto:nat66-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nat66>
List-Post: <mailto:nat66@ietf.org>
List-Help: <mailto:nat66-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nat66>, <mailto:nat66-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2009 12:42:03 -0000

Sigh, I've been keeping my fingers off the keyboard, but a few
points in this thread really need clarification. Apologies
for prolonging the off-topic thread, I will shut up after this.

On 2009-11-03 08:15, Chris Engel wrote:
...
> First, by way of introduction...I'm a Network Manager in
> charge of operations at a small ASP. 

Hi. I used to be in charge of network operations at a large
site (cern.ch), then I spent 10 years in industry, and
now I'm an academic but working with our university's
IT operations people on IPv6 deployment. I was also the
instigator of and a contributor to RFC4864. So...

...
> I do NOT feel that RFC 4864 adequately addresses the utility
> of NAT.... nor adequately provides a acceptable substitutes
> for it.

We worked as hard as we could to make the list complete.Can you
identify exactly which benefits of NAT are not mentioned in
section 2 of the document?

...
> 
> In section 2.2.  of RFC 4864 "Simple Security Due to Tasteful
> Filter Implementation" the authors contend that NAT's utility
> for Security is not particularly compelling because it
> incomplete and can be bypassed through techniques such as
> Trojans.... and that filtering via a FW offers a more robust
> solution. Respectfully, it's difficult for me to fathom that
> anyone well versed in security would find these arguments
> compelling.

Well, how about any large site manager who runs a firewall
but no NAT? This is a very common scenario, although I agree
that many sites run boxes that are simultaneously NATs
and firewalls.

On 2009-11-04 15:14, Roger Marquis wrote:
...
> Given that somewhere over 90% of devices connected to the IPv4 Internet are
> NAT'd, allegations of "NAT harm" would seem to be like those funded by
> insurance interest against single payer i.e., without basis but repeated
> often in the hope that someone will believe them. 

The problem here is that NATs (especially the $99 kind
misleadingly described as ADSL routers) lose session state
and abort user sessions when they run out of resource. Then
the user sees a glitch or a timeout, or occasionally an
aborted credit card or banking transaction. But there is no
logging and no diagnosis. So we simply have no data about
how many hours of user time and help desk time are wasted
on NAT-induced glitches. If every domestic user ran Wireshark
continuously, and every glitch was carefully analysed, we'd
have data. But that isn't going to happen.

That's not to mention the performance and complexity cost
for applications that have to work around NATs, which
is a constant tax on everybody.

So we know that there is a large dollar cost here, but
we have no reasonable way to measure it. As far as the
IT managers and ISPs who choose to put users behind
NATs are concerned, it's an externality that they have
no interest in pricing. The problem with NATs is basically
one of economics: the incentives to NAT act on one group
(IT managers) and the costs of NAT lie on another group (users).

On 2009-11-04 15:19, Roger Marquis wrote:
> Mark Andrews wrote:
>> NAT44 was a necessary evil as we had effectively run out IPv4 addresses.
> 
> This is false.  NAT was implemented long, long before there were widespread
> concerns regarding the number of addresses.  

Absolutely not. The concern about the number of address dates
back to about 1991, and was formally documented in November 1992
(RFC1380, section 2.1.3):

   There is considerable uncertainty regarding the timeframe
   when we might exceed the limits of the IP address space.
   However, the issue is serious enough that it deserves our
   earliest attention.  It is very important that we develop
   solutions to this potential problem well before we are in
   danger of actually running out of addresses.

IPv6 is the result of that paragraph.

But NAT (at least for IP) was first documented in 1994
(RFC1631).

> A larger reason for NAT was
> that many of us were using non-routable addresses, 

You were only using them because they were defined in 1994
(RFC1597), 2 months before NAT.

> as there was (and still
> is) no business case for any of our internal addresses to be publically
> routable.

Actually that is a side issue. I agree that it's a very
reasonable business argument. But whether you use ambiguous
(RFC1597/RFC1918) addresses, IPv6 ULAs, or globally unique
addresses is completely orthogonal to whether they are routed
on the public Internet. There are many cases of organisations
with globally unique addresses used internally that are not
routed externally. (The same goes for DNS names, although there
is quite a bit of allergy in the IETF to two-faced DNS.)

   Brian

v2.23.0 | Report a Bug | By Email