Pretty much
On Jan 23, 2009, at 5:52 PM, Christian Huitema wrote:
So, what are the expected benefits?
I have so far heard the following:
1) Simple security;
2) Network structure concealment;
3) Provider independence;
4) Multi-homing
As Tony and James pointed out, simple security is not a function of
address translation, but rather a function of the firewall. It is
the classic "don't allow a packet to come in if it is not recognized
as the answer to a previous packet that came out". There are various
implementations, with various properties, depending on what people
mean by "recognized as an answer", i.e. by source address, by source
address + port, by address pairs, by address pairs + source port, by
address pairs plus port pairs. Behave spent a lot of time parsing
that out for NAT44.
The network concealment is an interesting feature in some cases,
although its usefulness is probably widely overrated in the presence
of browser or flash cookies. There are two basic variants, depending
on the amount of concealment desired: 1-1 mapping between internal
and external, or 1-N mapping. I am sure someone someday will try 1-N
mapping, and the result will be amusing. That is, if you have a
perverse sense of humor.
The provider independence feature is what Fred alluded to in his
previous message. The idea is to get some kind of static internal
structure, and then present different external addresses depending
on the provider of the day. It certainly has some advantages,
although provider independent addresses provide pretty much the same
result to customers. (Not to providers, of course.)
The multi-homing feature combines some aspects of provider
independence with the old 8+8 idea. It has pros and cons, e.g.
simpler than SHIM6 but also less robust to changes in multi-homing
configuration.
All of these have interesting engineering challenges of their own,
interesting effects on applications like SIP, and interesting
interaction with security protocols, for example IPSEC.
Is that what we are speaking about?
-- Christian Huitema
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
