On Oct 26, 2010, at 10:04 AM, Christian Huitema wrote:

> The NAT66 draft enables NAT to rewrite the IPv6 header in a "checksum
> compatible" way. NAT66 doesn't have to go fetch the UDP or TCP header and whack
> the checksum. That is certainly a simplification, but it comes at a cost.
> Since there is a simple mapping between internal and external subnets, the
> external addresses carry information about the internal topology. How is that
> as a tradeoff?
Yes, there is a 1:1 translation. It may even be the same value, if the checksum update is being done in the EID. I guess my question is whether that's an issue. If folks would prefer a stateful NAT, we can obfuscate the source address further. But at least to my mind, topology obfuscation is a lost cause in the presence of applications that carry IP addresses - I can reverse engineer the parts of your network that I care about from the SMTP envelopes in your email, from information . For example, you were using a link local (169.254) address on your laptop when you sent the email, and the email went through three servers within Microsoft that are identified by DNS name and IP address, and then the message got to AMS (IETF) and finally Cisco.

Yes, on the link from your home or your company to your upstream we can diddle with your source address. Is that important? What information do you actually think you're hiding, and from whom?

Heck. Who needs IP addresses? I'll fire up Firesheep and become you at the application layer next time you access a site that uses http instead of https and pushes cookies.

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
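As an added illustration, not part of this thread or of any NAT66 implementation, of the checksum-neutral 1:1 mapping the two posters are discussing: the translator swaps the prefix and compensates in the subnet word so that the address's one's-complement sum, and therefore any TCP/UDP pseudo-header checksum covering it, is unchanged. It assumes /48 prefixes, models the mapping on the draft's successor RFC 6296 (NPTv6), and uses constructed prefix values; the `0xFFFF` handling is an assumption.

```python
import ipaddress

def ones_complement_sum(words):
    """16-bit one's-complement sum with end-around carry."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total

def addr_words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def words_addr(words):
    """Rebuild a textual IPv6 address from eight 16-bit words."""
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words)))

def address_sum(addr):
    """Address contribution to a TCP/UDP pseudo-header checksum, taken mod 0xFFFF
    so the two one's-complement zeros (0x0000 and 0xFFFF) compare equal."""
    return ones_complement_sum(addr_words(addr)) % 0xFFFF

def npt_translate(addr, inside_prefix, outside_prefix):
    """Stateless /48-to-/48 prefix rewrite that keeps the address's one's-complement
    sum unchanged by adjusting word 3 (the subnet ID). Assumed model: RFC 6296."""
    w = addr_words(addr)
    inside = addr_words(inside_prefix)[:3]
    outside = addr_words(outside_prefix)[:3]
    # adjustment = sum(inside) - sum(outside); x ^ 0xFFFF negates x in one's complement
    adj = ones_complement_sum(inside + [x ^ 0xFFFF for x in outside])
    w[0:3] = outside
    w[3] = ones_complement_sum([w[3], adj])
    if w[3] == 0xFFFF:   # 0xFFFF and 0x0000 are both zero in one's complement,
        w[3] = 0x0000    # so this substitution (assumed handling) stays neutral
    return words_addr(w)

if __name__ == "__main__":
    inside, outside = "fd01:203:405::", "2001:db8:1::"   # constructed prefixes
    for host in ("fd01:203:405:10::1", "fd01:203:405:11::1"):
        ext = npt_translate(host, inside, outside)
        back = npt_translate(ext, outside, inside)
        print(host, "->", ext, "-> back to", back,
              "checksum-neutral:", address_sum(host) == address_sum(ext))
```

Running it shows inside subnets 0x0010 and 0x0011 landing on outside words 0xd55f and 0xd560: the mapping is a fixed offset, which is exactly why the external address still reveals the internal subnet numbering, and why the reverse translation needs no state.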
