On Jan 15, 2011, at 1:16 PM, Brian Keefer wrote:

> On Jan 12, 2011, at 9:21 AM, George Bonser wrote:
> 
>>> 
>>> I'd eat a hat if a vendor didn't implement a PAT equivalent. It's
>>> demanded too much. There is money for it, so it will be there.
>>> 
>>> 
>>> Jack
>> 
>> Yeah, I think you are right.  But in really thinking about it, I wonder
>> why.  The whole point of PAT was address conservation.  You don't need
>> that with v6.  All you need to do with v6 is basically have what amounts
>> to a firewall in transparent mode in the line that doesn't let a packet
>> in (except where explicitly configured to) unless it is associated with a
>> packet that went out.
>> 
>> PAT makes little sense to me for v6, but I suspect you are correct.  In
>> addition, we are putting the "fire suit" on each host in addition to the
>> firewall. Kernel firewall rules on each host for the *nix boxen.  
> 
> Actually there are a couple very compelling reasons why PAT will probably be 
> implemented for IPv6:
> 1.)  Allows you to redirect a privileged port (on UNIX) to a non-privileged 
> port.  For daemons that don't implement some form of privilege revoking after 
> binding to a low port (and/or aren't allowed to run as root), this is very 
> useful.  It's much easier to have a firewall redirect than to implement 
> robust privilege revoking.  Example: PAT 25/tcp -> 2525/tcp.
> 
Actually, that's just port rewriting which is mostly harmless. PAT refers, 
instead, to a stateful translation which is most definitely not harmless.

> 2.)  Allows you to redirect multiple ports to a single one, to support legacy 
> implementations.  Suppose your application used to require separate ports for 
> different types of requests, but now is able to multiplex them.  The new 
> daemon only listens on one port, but other applications may not have updated 
> their configuration.  Example:  PAT 4443/tcp -> 443/tcp & PAT 8443/tcp -> 
> 443/tcp.
> 
That's a pretty ugly situation, but it would require a stateful mechanism to 
address it. I think it is much cleaner to have the daemon listen on the 
multiple ports.

> Basically the idea is that implementing PAT for IPv6 allows smoother 
> transition for apps that made use of it in IPv4, thus accelerating the 
> adoption of IPv6.
> 
I think the lack of IPv4 resources will soon serve as sufficient acceleration 
of IPv6 adoption.

Owen
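As an added illustration (not part of the thread or anyone's posted config), here are the two redirects Brian describes written as an nftables ruleset for IPv6; the interface name "eth0" and the port numbers beyond those quoted in the thread are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Both redirects are plain destination-port
# rewriting on ingress; no address translation is involved, so the host still
# has its own globally routable IPv6 address and a stateful filter can stay
# separate in a filter-type chain.
table ip6 portredir {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # 1) Brian's first case: expose 25/tcp but let the daemon bind the
        #    unprivileged port 2525 so it never needs root to listen.
        iifname "eth0" tcp dport 25 redirect to :2525

        # 2) Brian's second case: fold the legacy ports 4443 and 8443 onto the
        #    single port 443 the multiplexing daemon listens on.
        iifname "eth0" tcp dport { 4443, 8443 } redirect to :443
    }
}
```

Note that on Linux `redirect` is a form of DNAT and relies on the connection tracker to un-rewrite the replies, so even "just port rewriting" creates per-flow state on the box that must be sized and monitored like any other NAT table.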

