Hi,
Thus wrote Rémi Després ([email protected]):
> > The DMZs are not flat, and use both private and public addresses.
>
> Do you mean with the three public address spaces A1, A2, A4, in the first DMZ?
A1, A2, A3, yes
> If the DMZ uses private addresses, are they the same as in the internal space?
same /48, different /64s .. imagine the DMZ hosts as strung up in the
middle between inner and outer firewall, and not routing.
> > Rerouting will break all previous connections for the route that gets
> > changed.
>
> I see.
> This is rather permissive, but is a possible choice.
It's a cheap compromise :)
> > Cost considerations will likely make us use translation whether it's
> > standardized or not.
>
> This, in my understanding, holds for stateless NAT66 as well as for
> algorithmic NAT66.
> Right?
I assume you mean stateful/algorithmic-stateless?
In my model, where 1:1 is good enough, statelessness means "cheaper" as in
eating less resources, easier to failover.
> > Currently available translation is stateful, which is
> > more interference with the packets than needed here.
>
> The algorithmic translation does 1's complement arithmetic on variable part
> of addresses, which has complex consequences.
Yes, but that's what most (all?) protocol checksums use, so it oughtn't
be all that scary by now.
> Resulting restrictions on values to be used in subnet numbering are, in my
> understanding, still uncertain.
The restriction that is immediately obvious and well known is that 0xffff
and 0x0000 are both zero as in, adding one of these to any number using
one's complement arithmetic doesn't change the number, so you can use
only one of these but not both, because you'll never know -which- zero
it was, unless you forbid one of them from occurring. The draft does that
by forbidding ffff as subnet.
> Yet, I agree that, if some vendors can make clear they have customers that,
> after looking at all alternatives (including those without any NAT66), do
> prefer to use algorithmic NAT66, then having an IETF documented specification
> for this NAT66 variant should be useful.
Why should that be restricted to vendors? As far as I remember it's
private persons that take part in IETF, with their experience, granted,
but not as spokesperson of a legal body.
regards,
spz
--
[email protected] (S.P.Zeidler)
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
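Added illustration of the one's complement point made in the message above (this is example code written for this page, not code from the message author, from the draft under discussion, or from any vendor). It does a toy checksum-neutral /48-to-/48 prefix translation: the transport checksum covers the addresses through the pseudo-header, so if the 16-bit one's complement sum of the eight address words is unchanged, the TCP/UDP checksum stays valid without being rewritten. The adjustment is added to the subnet word (word four of the address), and the two representations of zero, 0x0000 and 0xffff, show up exactly as described: adding either to a number leaves it unchanged, so the reverse translation cannot tell them apart unless one is forbidden. The prefixes fd00:1:2::/48 and 2001:db8:1::/48, the choice of the subnet word as the variable part, and the rule that a reverse result of 0xffff is read as 0x0000 (because 0xffff was never allowed on the inside) are assumptions made for this example; the draft's exact rules are not on this page.

```python
import ipaddress

# Example prefixes (assumption for this illustration, not from the draft).
INSIDE = "fd00:1:2::/48"     # internal /48 (same /48 used in the DMZ)
OUTSIDE = "2001:db8:1::/48"  # public /48 seen on the outside


def ones_complement_sum(words):
    """16-bit one's complement sum with end-around carry, as in Internet checksums."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_words(addr):
    """Split an IPv6 address (str or IPv6Address) into eight 16-bit words, high first."""
    value = int(ipaddress.IPv6Address(str(addr)))
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def words_to_address(words):
    value = 0
    for w in words:
        value = (value << 16) | (w & 0xFFFF)
    return ipaddress.IPv6Address(value)


def prefix_words(prefix):
    """The three 16-bit words that make up a /48 prefix (example assumes /48 only)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 48:
        raise ValueError("this example only handles /48 prefixes")
    return address_words(net.network_address)[:3]


def adjustment(inside_prefix, outside_prefix):
    """Value to add (one's complement) to the subnet word so that the one's
    complement sum of the whole address is the same before and after translation:
    sum(outside) + (subnet + adj) == sum(inside) + subnet  =>  adj = sum(inside) - sum(outside).
    One's complement subtraction is addition of the bitwise complement."""
    inside = ones_complement_sum(prefix_words(inside_prefix))
    outside = ones_complement_sum(prefix_words(outside_prefix))
    return ones_complement_sum([inside, (~outside) & 0xFFFF])


def address_sum(addr):
    """One's complement sum of all eight words; equal before and after translation."""
    return ones_complement_sum(address_words(addr))


def inside_to_outside(addr):
    words = address_words(addr)
    if words[:3] != prefix_words(INSIDE):
        raise ValueError("address is not inside %s" % INSIDE)
    if words[3] == 0xFFFF:
        # Assumption mirroring the message: subnet ffff is forbidden on the inside,
        # otherwise 0x0000 and 0xffff would translate to the same outside subnet.
        raise ValueError("subnet 0xffff is forbidden: it is a second representation of zero")
    adj = adjustment(INSIDE, OUTSIDE)
    outside_subnet = ones_complement_sum([words[3], adj])
    return words_to_address(prefix_words(OUTSIDE) + [outside_subnet] + words[4:])


def outside_to_inside(addr):
    words = address_words(addr)
    if words[:3] != prefix_words(OUTSIDE):
        raise ValueError("address is not inside %s" % OUTSIDE)
    adj = adjustment(INSIDE, OUTSIDE)
    inside_subnet = ones_complement_sum([words[3], (~adj) & 0xFFFF])
    if inside_subnet == 0xFFFF:
        # The reverse sum gives "zero" as 0xffff; since 0xffff can never have been an
        # inside subnet, this zero must have been 0x0000 (assumed rule, see lead-in).
        inside_subnet = 0x0000
    return words_to_address(prefix_words(INSIDE) + [inside_subnet] + words[4:])


def two_zeros_collide(adj):
    """True when 0x0000 and 0xffff both map to the same word under the adjustment,
    i.e. the ambiguity the message describes."""
    return ones_complement_sum([0x0000, adj]) == ones_complement_sum([0xFFFF, adj])


if __name__ == "__main__":
    adj = adjustment(INSIDE, OUTSIDE)
    print("adjustment: 0x%04x, zeros collide: %s" % (adj, two_zeros_collide(adj)))
    for a in ("fd00:1:2:10::1", "fd00:1:2::1"):
        out = inside_to_outside(a)
        back = outside_to_inside(out)
        print("%s -> %s -> %s  (sums 0x%04x / 0x%04x)"
              % (a, out, back, address_sum(a), address_sum(out)))
```

Running it shows the subnet word changing (0x0010 becomes 0xcf59 for these prefixes) while the one's complement sum of the address stays the same, and an inside subnet of 0x0000 coming back from the reverse translation as 0xffff, which is why one of the two zeros has to be reserved.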