Re: [v6ops] draft-ietf-v6ops-ula-usage-recommendations - work or abandon?

[Owen DeLong <owen@delong.com>]

> On Nov 12, 2015, at 17:27 , Fernando Gont <fgont@si6networks.com> wrote:
> 
> Owen,
> 
> On 11/13/2015 03:21 AM, Owen DeLong wrote:
>> 
>>> On Nov 10, 2015, at 06:13 , Eric Vyncke (evyncke) <evyncke@cisco.com
>>> <mailto:evyncke@cisco.com>> wrote:
>>> 
>>>> Nope. It is much easier to establish a connection across a diode
>>>> firewall than to establish one across a NAT. In the former case, all
>>>> the endpoints need to do is send each other packets at about the same
>>>> time. In the latter, they need to implement NAT traversal via relays.
>>> 
>>> It is only 'slightly' easier... Because guessing the TCP sequence
>>> number of the other party... Well good luck :-)
>> 
>> With a diode firewall, you don’t have to guess. Most diode firewalls
>> don’t look at TCP sequence numbers actively. They look only at the L3
>> and L4 identifiers to determine state.
>> Some look at SYN bits and toss SYN packets going in the wrong direction,
>> but most just look for an ACK bit.
>> 
>> Nonetheless, it’s also much easier because a diode firewall can easily
>> be given an exception to permit a particular flow or the initiation of a
>> class of flows to a particular protected host or set of hosts.
> 
> The problem is how to do this automagically.

Why does it have to be automagic?

> 
> 
>> In the case of a NAT, however (more specifically a NAPT), it is not
>> possible to program multiple port 80 terminations to land on different
>> hosts behind the NAT.
> 
> That's like saying that the problem with cars is that they cannot fly --
> yes, that's what a NAT is.

Well… That is certainly a limitation of most automobiles, but I’m happy to
report that there are working alternatives such as the Terrafugia Transition
and some older prototypes as well.

> I might also add that this is another kludge that is made evident by
> NAT: there's no reason whatsoever for which a given service should run
> in any specific transport protocol port. Consider that a kludge or
> shortcut than a principle.

Meh… There’s no mechanism available for signaling port numbers in response
to name lookups (modulo SRV records that don’t seem to be very popular in
practice). There are certain advantages to the idea of well known port numbers
and whether or not you consider them a kludge, they are certainly in widespread
use and have a great deal of history and support in the IETF and IANA.

>> I retain my perspective that one of the worst and most ultimate forms of
>> layering violation is for a forwarding system not residing on either of
>> the end-hosts in a session to impersonate an end-host and mutilate
>> unexpected portions of the datagram in flight.
> 
> I might grant that one if you want. But virtualy everything that you
> mentioned that NAT breaks are shortcuts (or flawed design) rather than
> "principles" we should stick to.

We can agree to disagree as we so often do.

Owen