IETF Logo Mail Archive

Re: [v6ops] double nat

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 02 October 2012 18:00 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BDFF21F84DD for <v6ops@ietfa.amsl.com>; Tue, 2 Oct 2012 11:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.562
X-Spam-Level:
X-Spam-Status: No, score=-103.562 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FsRj9FMT2GBx for <v6ops@ietfa.amsl.com>; Tue, 2 Oct 2012 11:00:19 -0700 (PDT)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by ietfa.amsl.com (Postfix) with ESMTP id E977921F84F0 for <v6ops@ietf.org>; Tue, 2 Oct 2012 11:00:18 -0700 (PDT)
Received: by iec9 with SMTP id 9so17657206iec.31 for <v6ops@ietf.org>; Tue, 02 Oct 2012 11:00:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=56bu4rGjxeRJ0SDbBkOAITuU9O+Z209TCMgsiWWcfio=; b=QoA1TX9tpggSCpt4Vl1p4CIgEeH5GDfV7FTI4SCHql9gBmpmCDV6BXKtwivvPgzV0Y dkacvOpPba7Qwt4kUZXJVcIslLbQ3P/U+3RhuJBUiYpDtn2rFZrTycFLWoJnqFjaMhWz le/4K74TlWEkuaZ1xs0HxwRdxOKX/x/GpY8MBfvmIeqIvh/gYs8yRySe+0njgSTqASWL JTkSfDNwdghet9Skw5XEQ3KQvTZkya847vr1B/+gXSKVO2ZHAmsK53MqHWX1A20/AK/u nX2dTWg/mdjthCHrEYO3BG6JGfdW1tNhwzuahO2k9CDASPbKV4apRKQZQRt4Tgqi9mBk duPQ==
Received: by 10.50.202.73 with SMTP id kg9mr9706233igc.42.1349200818453; Tue, 02 Oct 2012 11:00:18 -0700 (PDT)
Received: from [10.255.25.102] (50-76-68-140-static.hfc.comcastbusiness.net. [50.76.68.140]) by mx.google.com with ESMTPS id ez8sm1320104igb.17.2012.10.02.11.00.16 (version=SSLv3 cipher=OTHER); Tue, 02 Oct 2012 11:00:17 -0700 (PDT)
Message-ID: <506B2BAE.3050905@gmail.com>
Date: Tue, 02 Oct 2012 19:00:14 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Gert Doering <gert@space.net>
References: <m2lifpnpvf.wl%randy@psg.com> <20121002115421.GY13776@Space.Net> <m2boglnieb.wl%randy@psg.com> <20121002131402.GC13776@Space.Net>
In-Reply-To: <20121002131402.GC13776@Space.Net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: IETF v6ops list <v6ops@ietf.org>
Subject: Re: [v6ops] double nat
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2012 18:00:19 -0000

On 02/10/2012 14:14, Gert Doering wrote:
> Hi,
> 
> On Tue, Oct 02, 2012 at 01:54:52PM +0100, Randy Bush wrote:
>>>> so, is double nat really worse than single nat?  is it formally
>>>> different?  except in the case of overlapping spaces, of course.
>>> One of the problems with "someone else controls your NAT" is that
>>> you can't add port mappings.  This seems to be an inevitable side
>>> effect of NAT444 (but can happen with single NAT44 as well, of
>>> course, depending on where it's placed).
>> i asked *formally*.  i am not concerned with all the ops, social,
>> stuff.  and not about issues not directly connected to the nat.
>> what does double translation do that single does not?
> 
> OK, sorry, I misunderstood.  
> 
> Just focusing on the technical aspects, I'd say a double-NAT doesn't do 
> anything different than a single NAT.

I don't see how to separate the "formal" impact of NAT from environmental
issues such as placement of middleboxes. If the traffic passes through some
kind of upper-layer-aware middlebox in between the two NATs, I am sure the
e2e result will be different than if the middlebox is at one side or the
other of both NATs, assuming the middlebox messes with the IP header or
packet size, or causes fragmentation. I doubt if there is any general
statement to be made beyond that, due the variety of NAT behaviours and
middlebox behaviours.

I think that means that there isn't a guaranteed formal equivalence
between the operation NAT() and the operation NAT(NAT()), because
in the real world we might have NAT(MIDDLEBOX(NAT())).

Another point is that geolocation will find the nearest NAT, and so will
forensic traceback.

Observational data: http://tools.ietf.org/html/draft-donley-nat444-impacts-05

> 
> This is assuming
> 
>  - identical implementations (like FTP ALGs that handle the same subset
>    of PORT/PASV features, not different subsets in both NATs)
>  - no shortage of port space on the second NAT (which is again one of
>    the "real deployment" issues, not a pure theoretical "put two NAT
>    boxes behind each other, without adding extra users" issue)

Right, making a few false assumptions does simplify mathematics ;-)

   Brian

v2.23.0 | Report a Bug | By Email