Re: [v6ops] double nat

Nejc Škoberne <nejc@skoberne.net> Sat, 27 October 2012 23:22 UTC

Message-ID: <508C6CA5.4090406@skoberne.net>
Date: Sun, 28 Oct 2012 00:22:13 +0100
From: Nejc Škoberne <nejc@skoberne.net>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:16.0) Gecko/20121010 Thunderbird/16.0.1
MIME-Version: 1.0
To: v6ops@ietf.org
References: <m2lifpnpvf.wl%randy@psg.com> <20121002115421.GY13776@Space.Net> <m2boglnieb.wl%randy@psg.com>
In-Reply-To: <m2boglnieb.wl%randy@psg.com>
Subject: Re: [v6ops] double nat

Hi,

I am reviving this thread, as (AFAIK) nobody mentioned the following issue:

"Other aspects of NAT behaviour, notably the NAT binding lifetime and the form of NAT 'cone behaviour' for UDP, take on the more restrictive of the two NATs in sequence. The binding times are potentially problematical in that the two NATs are not synchronised in terms of binding behaviour. If the CGN has a shorter binding time, it is possible for the CGN to misdirect packets and cause application level hang ups. However this is not overly different to a single level NAT environment where aggressively short NAT binding times will also run the risk of causing application level hang ups when the NAT drops the binding for an active session that has been quiet for an extended period of time."

(Geoff Huston, http://www.potaroo.net/ispcol/2011-03/transtools-part2.pdf, page 7)

So binding lifetime desynch can be quite harmful here? Any real-world 
experience on this?

Thanks,
Nejc

On 2.10.2012 13:54, Randy Bush wrote:
>>> so, is double nat really worse than single nat?  is it formally
>>> different?  except in the case of overlapping spaces, of course.
>> One of the problems with "someone else controls your NAT" is that
>> you can't add port mappings.  This seems to be an inevitable side
>> effect of NAT444 (but can happen with single NAT44 as well, of
>> course, depending on where it's placed).
> i asked *formally*.  i am not concerned with all the ops, social,
> stuff.  and not about issues not directly connected to the nat.
> what does double translation do that single does not?
>
> randy
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
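The binding-lifetime desynchronisation that the quoted passage describes can be made concrete with a small simulation. The following is an added example, not code from the thread or from Huston's paper: it models two NAT44 devices in sequence (a subscriber CPE NAT behind a CGN) with independent UDP idle-timers and a CGN port pool that reuses the lowest free port. All addresses, ports and timeouts are made up, a second subscriber is placed directly behind the CGN for simplicity, and only outbound traffic refreshes a binding (RFC 4787 makes inbound refresh optional). UDP "cone" filtering behaviour is not modelled.

```python
"""Two NAT44 devices in sequence with unsynchronised binding timers.

Constructed illustration, not a real NAT implementation.  It shows that the
binding lifetime an application actually gets is the shorter of the two, and
that a CGN which expires first can hand the freed external port to another
subscriber and so misdirect a late return packet.
"""

from dataclasses import dataclass, field


@dataclass
class Nat:
    name: str
    external_ip: str
    idle_timeout: float                       # seconds of outbound silence before a binding is dropped
    port_pool: list = field(default_factory=lambda: list(range(40000, 40010)))
    outbound: dict = field(default_factory=dict)  # (int_ip, int_port) -> (ext_port, last_outbound_time)
    inbound: dict = field(default_factory=dict)   # ext_port -> (int_ip, int_port)

    def expire(self, now):
        """Drop idle bindings and return their external ports to the pool."""
        for key, (eport, last) in list(self.outbound.items()):
            if now - last > self.idle_timeout:
                del self.outbound[key]
                del self.inbound[eport]
                self.port_pool.append(eport)
                self.port_pool.sort()             # lowest free port is handed out first (reuse!)

    def translate_out(self, src, now):
        """Outbound packet from src=(ip, port): create or refresh the binding."""
        self.expire(now)
        if src in self.outbound:
            eport = self.outbound[src][0]
        else:
            eport = self.port_pool.pop(0)
            self.inbound[eport] = src
        self.outbound[src] = (eport, now)         # outbound traffic refreshes the timer
        return (self.external_ip, eport)

    def translate_in(self, dst_port, now):
        """Inbound packet to one of our external ports: internal tuple, or None."""
        self.expire(now)
        return self.inbound.get(dst_port)         # no refresh on inbound (RFC 4787 optional)


def effective_idle_timeout(nats):
    """Two NATs in sequence behave like one NAT with the shorter timer."""
    return min(n.idle_timeout for n in nats)


def run_scenario(cgn_idle_timeout, quiet_gap):
    """Host A behind CPE-A behind the CGN goes quiet for quiet_gap seconds;
    subscriber B then opens a session; the server replies to A's old address;
    A finally sends again.  Returns what each party observed."""
    cpe_a = Nat("CPE-A", "100.64.0.10", idle_timeout=300)      # hypothetical CPE timer
    cgn = Nat("CGN", "203.0.113.1", idle_timeout=cgn_idle_timeout)
    host_a = ("192.168.1.25", 5000)                             # constructed addresses
    sub_b = ("100.64.0.20", 6000)

    first = cgn.translate_out(cpe_a.translate_out(host_a, 0), 0)   # t=0: A talks to server

    t = quiet_gap
    b_ext = cgn.translate_out(sub_b, t)                         # B sends while A is quiet

    t += 1                                                      # server replies to A's old tuple
    inner = cgn.translate_in(first[1], t)
    if inner is None:
        delivered_to = None                                     # dropped at the CGN
    elif inner[0] == cpe_a.external_ip:
        delivered_to = cpe_a.translate_in(inner[1], t)          # reaches A's CPE, then host A
    else:
        delivered_to = inner                                    # lands on another subscriber

    t += 1                                                      # A sends again
    second = cgn.translate_out(cpe_a.translate_out(host_a, t), t)

    return {
        "effective_timeout": effective_idle_timeout([cpe_a, cgn]),
        "first_external": first,
        "b_external": b_ext,
        "reply_delivered_to": delivered_to,
        "misdirected": delivered_to is not None and delivered_to != host_a,
        "second_external": second,
        "external_changed": second != first,   # the server now sees a different 5-tuple
    }


if __name__ == "__main__":
    for cgn_t, gap in ((60, 90), (300, 90), (60, 30)):
        print(f"CGN timeout {cgn_t}s, quiet {gap}s ->", run_scenario(cgn_t, gap))
```

With a 60 s CGN timer and a 90 s pause, the CPE still holds its binding (300 s timer) but the CGN has already reused port 40000 for subscriber B: the server's reply is delivered to B, and host A's next packet comes out of the CGN on a new port, which is exactly the application-level hang-up the passage warns about. Give the CGN the same 300 s timer, or keep the pause under 60 s, and the path behaves like a single NAT.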