So, what are the expected benefits? I have so far heard the following:
1) Simple security; 2) Network structure concealment; 3) Provider independence; 4) Multi-homing As Tony and James pointed out, simple security is not a function of address translation, but rather a function of the firewall. It is the classic "don't allow a packet to come in if it is not recognized as the answer to a previous packet that came out". There are various implementations, with various properties, depending on what people mean by "recognized as an answer", i.e. by source address, by source address + port, by address pairs, by address pairs + source port, by address pairs plus port pairs. Behave spent a lot of time parsing that out for NAT44. The network concealment is an interesting feature in some cases, although its usefulness is probably widely overrated in the presence of browser or flash cookies. There are two basic variants, depending on the amount of concealment desired: 1-1 mapping between internal and external, or 1-N mapping. I am sure someone someday will try 1-N mapping, and the result will be amusing. That is, if you have a perverse sense of humor. The provider independence feature is what Fred alluded to in his previous message. The idea is to get some kind of static internal structure, and then present different external addresses depending on the provider of the day. It certainly has some advantages, although provider independent addresses provide pretty much the same result to customers. (Not to providers, of course.) The multi-homing feature combines some aspects of provider independence with the old 8+8 idea. It has pros and cons, e.g. simpler than SHIM6 but also less robust to changes in multi-homing configuration. All of these have interesting engineering challenges of their own, interesting effects on applications like SIP, and interesting interaction with security protocols, for example IPSEC. Is that what we are speaking about? -- Christian Huitema _______________________________________________ nat66 mailing list [email protected] https://www.ietf.org/mailman/listinfo/nat66
