From: Keith Moore [[email protected]]

> Ted Hardie wrote:
>> At 4:58 PM -0700 3/20/09, james woodyatt wrote:
>>> They think the IPv4/NAT model is better
>>> than the IPv6 model *because* it breaks address referrals. They like
>>> that referrals generally don't work unless you're in the same address
>>> realm or there's an application rendezvous service somewhere mediating
>>> address realm traversal-- *that's* a service that can usually be
>>> blocked by default and opened only where policy allows.
>>
>> To put this another way, there is a group of administrators that does not
>> want to be on the Internet. They do want a set of services delivered over IP.
>>
>> Have I got that right?
> yes, except that they still want to call it the Internet.
>
> Keith

I think that the reality is a little different and a little worse. They don't want to connect to the Internet, but they do want a set of services delivered over IP. The easiest way to get that set of services has historically been to get connected to the Internet, then cripple the connection so that it is limited to those services.

But this does not work, as the users those administrators try to control actually want access to the Internet, not a restricted set of services (e.g. they want access to their "home" email, their personal IM accounts, social networks, and so on). So they use whatever services are provided to tunnel whatever access they want. The * over HTTP set is very prolific, and I have personally seen even relatively unsophisticated users manage an HTTP-based proxy tunnel to get to what they want. So there is an arms race: the administrators ban further services, then implement deep packet inspection, then try to control access in further ways (by banning local installation of apps, and so on).

Where this gets really scary is when the upstreams selling to various markets decide that they don't need to deliver full Internet connectivity (even if that is what they are advertising), because "everybody" just breaks it. Or what "everybody" wants is something where deep packet inspection, or peer-to-peer performance hindrance, or something else is just the default case.

James' original point is that these administrators want address referrals to break, because it gives them a huge leg up in the arms race to control their users. But what worries a lot of us is that this has been a terrible default state in IPv4; if it is retained into IPv6 by mechanisms like this (*especially* if it becomes the default state in IPv6), there is essentially no chance that v6 can be a unifying namespace for the Internet as a whole. Since v4 is not and the DNS is not (cf. "split DNS"), we will be going forward with no unifying default namespace *at all*. That means one of two things: some set of namespaces (like DHT-based overlay network namespaces) replaces the IP layer as the critical namespace for new applications, and IP becomes "lower layer gunk" to route around; or the Internet becomes a platform for networks offering services (think IMS or NGN) rather than retaining its capacity to allow application traffic to flow between arbitrary interested parties.

To speak bluntly, most of the people steering industry in this direction have no intent to head their ships for these rocks (and may not see them as rocks at all); they are trying to accomplish small things that turn out to have very big aggregate consequences. But if this body, which does understand the consequences, decides it wants to build the tools to further this, it has no excuse that it does so unknowingly. The folks pointing out the consequences have been doing so for years.

Speaking, obviously, as an individual,

Ted Hardie

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
