--On October 27, 2010 8:42:16 PM -0700 Roger Marquis <[email protected]>
wrote:
> Keith Moore wrote:
>> I've been personally writing apps that had to deal with NAT brain-damage
>> for 15 years. The opinions of your Berkeley professors and "IT security"
>> colleagues don't mean jack.
>
> And I appreciate those apps.

It's clear that you don't appreciate those apps, because you have no idea
what they are.
> But what you're proposing, deprecating NAT, is fundamentally different.

I'm not proposing to deprecate NAT. NAT is and always was a violation of
the core Internet standards. NAT is and always was also fundamentally in
violation of the Internet architecture. NAT is and always was harmful to a
wide range of applications and also quite often harmful to operation of
networks.

NAT can't be deprecated because it was never approved. It's never been
acceptable as a general solution to anything.

And yet, we do find some legitimate corner cases for which we don't (yet)
have a better solution than NAT. One such corner case is interoperation
between v4/v6 during a transition to v6. Another such corner case is
giving v6 networks a global address prefix that is stable across changes to
network providers or attachment points, until such time as the network
routing system can be adapted to cope with anticipated scale.

So what I'm proposing is several things:

1. that (along with identifying cases where NATs are clearly not a good
solution, such as substitutes for firewalls), we also identify those
specific corner cases for which we don't yet have a better solution than NAT

2. that we keep looking for ways to address those corner cases without
using NAT

3. that we define interface standards for NAT that allow applications
(including those that need to do referrals) to deal with the worst pitfalls
of NAT

4. that we be scrupulously honest about both NAT's limitations and the
corner cases for which there are no better known solutions that appear to
be deployable
> What apps are we talking about anyhow? P2P or anything depending on SIP
> or SCTP? There's no business case for allowing those apps or protocols to
> establish stateless inbound connections anywhere in my network.

I'm talking about apps that my employers and customers needed. You've
probably never heard of most of them, but they were important within their
spheres, and it was important that those apps be able to function in the
presence of NATs.

There's nothing special about P2P apps. The idea that all apps should
communicate through some central server is myopic in the extreme. That
kind of thinking should have gone out the door with IBM dinosaur mainframes
and SNA.

You're free to run (or prohibit) what you like on your own network, but
your idea of what makes a good business case for your network has no
bearing on whether IETF should endorse the use of NATs. Especially since
use of NATs to enforce security is poor practice.
Keith
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66