On Mar 22, 2009, at 6:14 PM, Keith Moore wrote:
> Fred Baker wrote:
>> On Mar 20, 2009, at 1:23 PM, Keith Moore wrote:
>>> NATs impair both addressability and reachability, and we do a
>>> disservice to the community if we pretend otherwise. NAT (really NAPT)
>>> does harm to reachability because it blocks traffic in one direction
>>> even if this is not explicit policy, and NAPT limits the flexibility of
>>> a site to choose a policy that takes application usage into account.
>>> NAT can also impair reachability when binding state is lost or
>>> discarded.
>> That's true of IPv4/IPv4 NATs. It's not true of NAT66 - explicitly.
> Not clear. Any time it becomes necessary to use a particular v6 address
> from a particular scope in order to reach a peer, reachability is
> harmed. Any time a NAT creates an alias for an existing address that,
> if used, might cause pessimal routing of traffic, reachability is
> harmed.
I'm not sure I get your point.
NAT66 enables a network to place an address translating DMZ between
itself and its service provider. On the public side, the address is a
PA address, very much like the address that shim6 would use. In both
cases, any datagram headed to that address goes through that ISP and
that DMZ or one of those DMZs if the network has multiple with the
same SP. The difference between shim6 and NAT66 in the case is that
the host itself isn't aware that it is using the address (it is using
a ULA or some other address), while with shim6 the host is aware of
the fact. I don't see how that impacted either reachability or
routing. In both cases, every host that the network authorized to be
externally reachable is in fact reachable, and at an address that
permits a peer across the network to specifically select it.
Fill me in? Be specific, please. There is a lot of emotion and
hyperbole masquerading as reasonable fact flying in this debate, and
the best way to demonstrate that there is meat in a comment is to lay
it out.
If your point is that NAT66 doesn't give a PI prefix to the edge
network, you are correct that it doesn't. That said, arguing against
one solution because it isn't a different solution is an invalid
argument; if a given network would really prefer to implement a
different solution, it probably will. We're discussing *this*
solution, which is a 1:1 NAT, not 1:many NATs such as are used in
IPv4, and not PI addressing, and we are discussing it in the context
of usage in a network that chooses to do so.
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
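Editor's added example, not part of the message above or of any nat66 draft: the distinction the thread is drawing between a 1:1 NAT66 prefix translation (inside ULA, outside PA, every inside host with exactly one outside address) and the many-to-one IPv4 NAPT whose binding state Keith Moore is worried about. The prefixes fd12:3456:789a::/48 and 2001:db8:abcd::/48, the IPv4 addresses and the port numbers are all constructed for illustration and are assumptions of this example only.

```python
"""Added example: a toy 1:1 NAT66 prefix translator beside a many-to-one
IPv4 NAPT, to make concrete the distinction the thread is drawing.
This is not code from the nat66 list or from any draft; the prefixes,
addresses and port numbers below are constructed for illustration."""
import ipaddress

# Assumed site prefixes (not from the original message): a ULA inside,
# a provider-assigned (PA) prefix outside, both /48.
INTERNAL = ipaddress.IPv6Network("fd12:3456:789a::/48")
EXTERNAL = ipaddress.IPv6Network("2001:db8:abcd::/48")


class Nat66:
    """Stateless 1:1 translation between two equal-length prefixes.

    Only the prefix bits change; the remaining 128 - N bits (subnet and
    interface identifier) are carried through unchanged, so every inside
    address has exactly one outside address and vice versa, and no
    per-flow binding table is needed in either direction."""

    def __init__(self, inside, outside):
        if inside.prefixlen != outside.prefixlen:
            raise ValueError("1:1 translation needs equal-length prefixes")
        self.inside, self.outside = inside, outside
        self.host_mask = (1 << (128 - inside.prefixlen)) - 1

    def _swap(self, addr, src, dst):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src:
            raise ValueError(f"{addr} is not in {src}")
        host_bits = int(addr) & self.host_mask
        return ipaddress.IPv6Address(int(dst.network_address) | host_bits)

    def outbound(self, inside_addr):
        return self._swap(inside_addr, self.inside, self.outside)

    def inbound(self, outside_addr):
        return self._swap(outside_addr, self.outside, self.inside)


class Napt44:
    """Minimal many-to-one IPv4 NAPT, the kind Keith Moore is describing:
    an outbound flow creates a (public port -> inside host, port) binding,
    inbound traffic is deliverable only through an existing binding, and
    if the binding is discarded the inside host is no longer reachable."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = ipaddress.IPv4Address(public_ip)
        self.bindings = {}        # public_port -> (inside_ip, inside_port)
        self.next_port = first_port

    def outbound(self, inside_ip, inside_port):
        for pport, inside in self.bindings.items():
            if inside == (inside_ip, inside_port):
                return self.public_ip, pport
        pport, self.next_port = self.next_port, self.next_port + 1
        self.bindings[pport] = (inside_ip, inside_port)
        return self.public_ip, pport

    def inbound(self, public_port):
        # None means "no binding": unsolicited inbound traffic is dropped.
        return self.bindings.get(public_port)

    def flush(self):
        """Simulate binding state being lost (reboot, timeout, table full)."""
        self.bindings.clear()


def demo():
    """Run both translators and return the results as plain strings/None."""
    nat66 = Nat66(INTERNAL, EXTERNAL)
    inside_host = "fd12:3456:789a:1::10"
    public = nat66.outbound(inside_host)
    # A peer that learned only the PA address can reach the host without
    # any prior outbound traffic and without the translator keeping state.
    unsolicited = nat66.inbound("2001:db8:abcd:2::1")

    napt = Napt44("192.0.2.1")
    _, pport = napt.outbound("10.0.0.10", 5000)
    before_loss = napt.inbound(pport)
    napt.flush()
    after_loss = napt.inbound(pport)
    return {
        "nat66_public": str(public),
        "nat66_round_trip": str(nat66.inbound(public)),
        "nat66_unsolicited_inbound": str(unsolicited),
        "napt_before_state_loss": before_loss,
        "napt_after_state_loss": after_loss,
        "napt_never_mapped": napt.inbound(pport + 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with `python nat66_demo.py`. The NAT66 half shows the property Fred Baker is claiming: the mapping is a pure function of the address, so inbound traffic to any translated address is deliverable whether or not the host has sent anything first, and there is no binding table to lose. The NAPT half shows the failure Keith Moore describes: inbound delivery depends on a binding that may never have existed or may have been discarded. What the toy leaves out is that rewriting address bits changes the TCP/UDP pseudo-header checksum, so a real NAT66 must also keep transport checksums valid (later NPTv6 work does this by adjusting one 16-bit word of the address), and it does not model the multiple-DMZ case Fred Baker mentions.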