Re: NATs as firewalls

To: John C Klensin <john-ietf at jck.com>
Subject: Re: NATs as firewalls
From: Douglas Otis <dotis at mail-abuse.org>
Date: Thu, 1 Mar 2007 17:35:50 -0800
Cc: Paul Hoffman <paul.hoffman at vpnc.org>, ietf at ietf.org
In-reply-to: <40ABFFF0B895D1604E37B8D1@p3.JCK.COM>
List-help: <mailto:ietf-request@ietf.org?subject=help>
List-id: IETF-Discussion <ietf.ietf.org>
List-post: <mailto:ietf@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
References: <198A730C2044DE4A96749D13E167AD3701147914@MOU1WNEXMB04.vcorp.ad.vrsn.com> <tslk5y25jcw.fsf@cz.mit.edu> <45E691DD.6060107@cisco.com> <p0624088dc20ca7f426d1@[10.20.30.108]> <40ABFFF0B895D1604E37B8D1@p3.JCK.COM>


On Mar 1, 2007, at 9:57 AM, John C Klensin wrote:

I continue to believe that, until and unless we come up with models that can satisfy the underlying problems that NATs address in the above two cases and implementations of those models in mass-market hardware, NATs are here to stay, even if we manage to move to IPv6 for other reasons. And, conversely, the perceived difficulties with NATs will be sufficiently overcome by the above issues to prevent those difficulties from being a major motivator for IPv6, at least for most of the fraction of the ISP customer base who cannot qualify for PI space.

One of the "features" contained within Microsoft Vista is a stack terminating an IPv6 address encapsulated using RFC4380 Teredo (IPv6 over IPv4 UDP). This also works in conjunction with their new name resolution protocol offering address structures for navigating through Teredo compliant NATs and firewalls.

While this may require rather heavily lifting track the UDP traffic, this constrains the growth of router tables and helps retain the viability of IPv4 addressing. At the same time, offers a transition into the IPv6 address space which moves a bit closer to the end-to- end ideals by leveraging compliant NATs and Firewalls. Whether Teredo proves secure or PRNP functions well, the PNRP name resolution service represents a proprietary solution that appears to be without IETF IPR statements. Is this good or bad? It is concerning.

-Doug

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

References:
- RE: Last Call: draft-ietf-v6ops-natpt-to-historic (Reasons to Move NAT-PT to Historic Status) to Informational RFC
  - From: Hallam-Baker, Phillip
- Re: Last Call: draft-ietf-v6ops-natpt-to-historic (Reasons to Move NAT-PT to Historic Status) to Informational RFC
  - From: Sam Hartman
- Re: Last Call: draft-ietf-v6ops-natpt-to-historic (Reasons to Move NAT-PT to Historic Status) to Informational RFC
  - From: Eliot Lear
- NATs as firewalls
  - From: Paul Hoffman
- Re: NATs as firewalls
  - From: John C Klensin

Prev by Date: Re: AW: Last Call: draft-ietf-geopriv-radius-lo (Carrying LocationObjects in RADIUS
Next by Date: Re: NATs as firewalls
Previous by thread: Re: NATs as firewalls
Next by thread: Re: NATs as firewalls
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: NATs as firewalls

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.