On Wed, 20 Jun 2007 11:16:15 -0700
james woodyatt <[EMAIL PROTECTED]> wrote:

> On 20 Jun 2007, at 11:00, Mark Smith wrote:
> >
> > Getting rid of PAT doesn't eliminate a number of other problems that
> > NAT creates, which Keith Moore has documented here :
> >
> > http://www.cs.utk.edu/~moore/what-nats-break.html
> 
> I'd be more sympathetic to arguments like this if RFC 4864 didn't  
> insist on recommending the deployment of stateful packet filters in  
> IPv6 that break most of the things NAT breaks in IPv4.
> 

How does a stateful firewall, present on the end-node itself, cause
these problems? It seems to me that you're making the assumption that
the only scenario IPv6 will be deployed in is one where end-nodes
always have an upstream stateful firewalling device. 

That assumption already isn't true now in IPv4 (one example being this
PC) and I think is even more unlikely to be with IPv6. I think any
vendor who produces Internet capable devices (PCs, OSes, mobile phones,
musical keyboards (Internet capable ones do already exist)) that don't
assume they could be attached directly to the wide open Internet are
unlikely to have much success with their product.

(I'm aware of the IPv6 CPE design work that's going on, and
have been meaning to point out whether that work should be completely
based on the assumption of an upstream firewalling device (have been a
bit time short recently). It's certainly a feasible scenario. However I
think we'd probably be being a bit short sighted if we assumed that
that is the only IPv6 deployment scenario, and I think that eventually
it's probably going to be more likely an exception rather than a rule -
if all the devices are looking after themselves independently, adding
another protection device upstream in the network doesn't add all that
much additional security value, compared to the costs, financial and
technical, it incurs.)

> > I particularly think inhibiting deploying new transport layer  
> > protocols is a real drawback of NAT. [...]
> 
> That's one of the things broken by the stateful packet filters  
> implied by RFC 4864.  It seems to me that NAT for IPv6 isn't really  
> all that worse than what we've already recommended there.  Sure,  
> everything is still globally addressable, but that really doesn't go  
> very far when symmetrical reachability is pretty much broken for  
> everything at the edges of the Internet.
> 
> If people think they can make arguments for why NAT between ULA-C  
> addresses and PA address will solve more problems than it really  
> causes— given what other problems we've already bought with the RFC  
> 4864 packet filters— then I think we should hear them.
> 
> 
> --
> james woodyatt <[EMAIL PROTECTED]>
> member of technical staff, communications engineering
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

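The exchange above turns on what a host-based stateful packet filter of the kind RFC 4864 recommends actually does to reachability. The following toy model is an added example written for this page, not code from the thread, from RFC 4864 or from any firewall product. It models the three behaviours the messages argue about: return traffic for a flow the host opened is admitted, an unsolicited inbound connection is dropped (the loss of symmetric reachability James describes), and a transport the filter has no parser for can leave the host but its reply can never match state (the "inhibiting new transport protocols" point). It also shows the defender's usual remedy on an end-node filter, an explicit listening rule for a service the host means to offer. The addresses come from the IPv6 documentation prefix and the protocol number 200 standing in for a "new" transport are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_NEW = 200  # constructed: a transport the filter has no connection tracker for


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


# (local addr, local port, remote addr, remote port, proto) for a flow the host opened
FlowKey = Tuple[str, int, str, int, int]


class HostStatefulFilter:
    """Default-deny inbound, allow outbound, remember flows the host itself initiated.

    This is the policy an end-node filter typically ships with; the model keeps only
    the decisions, not real packet parsing or timeouts.
    """

    def __init__(self, local_addr: str, tracked: Set[int] = frozenset({PROTO_TCP, PROTO_UDP})):
        self.local = local_addr
        self.tracked = set(tracked)          # transports the tracker understands
        self.flows: Set[FlowKey] = set()     # state for outbound-initiated flows
        self.listening: Set[Tuple[int, int]] = set()  # (proto, port) pinholes

    def allow_service(self, proto: int, port: int) -> None:
        """Explicit inbound rule: the operator chooses to be reachable on this port."""
        self.listening.add((proto, port))

    def outbound(self, pkt: Packet) -> str:
        assert pkt.src == self.local
        if pkt.proto in self.tracked:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        # Unknown transport: the packet leaves, but no state exists for the reply.
        return "allow-untracked"

    def inbound(self, pkt: Packet) -> str:
        assert pkt.dst == self.local
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows:
            return "allow-established"
        if (pkt.proto, pkt.dport) in self.listening:
            return "allow-listening"
        return "drop"


def demo() -> Dict[str, str]:
    """Run the scenarios the thread discusses and return the filter's verdicts."""
    host = "2001:db8::1"        # constructed, documentation prefix
    peer = "2001:db8:ffff::2"   # constructed
    fw = HostStatefulFilter(host)
    r: Dict[str, str] = {}

    # 1. A flow the host opens: the reply matches state and gets in.
    r["tcp_out"] = fw.outbound(Packet(host, 40000, peer, 443, PROTO_TCP))
    r["tcp_reply"] = fw.inbound(Packet(peer, 443, host, 40000, PROTO_TCP))

    # 2. Symmetric reachability: the peer tries to open a connection to us.
    r["tcp_unsolicited"] = fw.inbound(Packet(peer, 50000, host, 443, PROTO_TCP))

    # 3. A transport the tracker does not know: outbound goes, the reply never matches.
    r["new_out"] = fw.outbound(Packet(host, 1, peer, 1, PROTO_NEW))
    r["new_reply"] = fw.inbound(Packet(peer, 1, host, 1, PROTO_NEW))

    # 4. Remedy on an end-node filter: declare the service, and reachability returns.
    fw.allow_service(PROTO_TCP, 443)
    r["tcp_after_rule"] = fw.inbound(Packet(peer, 50000, host, 443, PROTO_TCP))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The point the model makes concrete is that the breakage is a property of the policy, not of where the filter sits: an end-node filter with the same default-deny inbound rule drops the same unsolicited flows an upstream box would, but because it runs on the host, the host (or its operator) can open the exact pinhole it needs, which the remote NAT or upstream device in the thread's scenario cannot do on the host's behalf.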