Re: IPv6 NAT?

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 18 February 2008 00:01 UTC

Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietfarch-ietf-archive@core3.amsl.com
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A52043A6BDA; Sun, 17 Feb 2008 16:01:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.842
X-Spam-Level:
X-Spam-Status: No, score=-0.842 tagged_above=-999 required=5 tests=[AWL=-0.405, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UU+WZTyDm0mn; Sun, 17 Feb 2008 16:01:43 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E945D3A6AEB; Sun, 17 Feb 2008 16:01:41 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9B9733A6AEB for <ietf@core3.amsl.com>; Sun, 17 Feb 2008 16:01:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jqcQ2HZAldgM for <ietf@core3.amsl.com>; Sun, 17 Feb 2008 16:01:39 -0800 (PST)
Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.185]) by core3.amsl.com (Postfix) with ESMTP id 472C13A6B86 for <ietf@ietf.org>; Sun, 17 Feb 2008 16:01:36 -0800 (PST)
Received: by rv-out-0910.google.com with SMTP id l15so1012703rvb.49 for <ietf@ietf.org>; Sun, 17 Feb 2008 16:01:34 -0800 (PST)
Received: by 10.141.78.14 with SMTP id f14mr3426718rvl.119.1203292894241; Sun, 17 Feb 2008 16:01:34 -0800 (PST)
Received: from ?10.1.1.4? ( [118.92.4.102]) by mx.google.com with ESMTPS id b34sm4434665rvf.22.2008.02.17.16.01.32 (version=SSLv3 cipher=RC4-MD5); Sun, 17 Feb 2008 16:01:33 -0800 (PST)
Message-ID: <47B8CAD8.5060602@gmail.com>
Date: Mon, 18 Feb 2008 13:01:28 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: IPv6 NAT?
References: <47B2B315.7050107@gmx.net> <158a01c86e3b$dbd9d0b0$6401a8c0@china.huawei.com> <D03E4899F2FB3D4C8464E8C76B3B68B001F2BBDF@E03MVC4-UKBR.domain1.systemhost.net> <873arvp8kv.fsf@mid.deneb.enyo.de> <1128DF92-CFB4-47A3-BBA3-DA86754630A0@muada.com> <249EE7D5-250E-446A-8B12-35DB0E8CD303@voxeo.com> <1203066396.4860.15.camel@fedora.centrala.partner-banka.hr>
In-Reply-To: <1203066396.4860.15.camel@fedora.centrala.partner-banka.hr>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

On 2008-02-15 22:06, Stjepan Gros wrote:
...
> All that said, what happens when organizations would like to use multihoming?
> In that case NATs create problems as flows have to use the same
> exit/entry point, and when one of the connections breaks all the flows
> going through the given connection will also be broken?
> 
> How is this problem solved in current IPv4 networks?

It isn't. That's one of the reasons why NAT causes undiagnosable
session disconnects.

On 2008-02-16 03:44, Paul Francis wrote:

> I wonder if standard approaches to NAT for IPv6 just isn't going to be much
> of an issue even if the IETF ignores it.  Since NAT for IPv6 is much simpler
> than for IPv4, a bunch of the issues associated with IPv4 NAT usage don't
> exist.  Like, there should be no need for port translation.  No need to time
> out mappings.  For the most part, NAT for IPv6 should be just a simple
> substitution of prefix A for prefix B.  What, exactly, are the range of
> choices that NAT vendors need to agree on?

Exactly. In other words the hardest issues that NATv4 hits simply don't arise in
IPv6, which I believe is isomorphic with the statement that NAT is logically
unnecessary in IPv6 (and that's why we wrote RFC 4864, to show how the
*perceived* benefits of NAT beyond address sharing can be provided
without NAT). Dan Wing is of course correct that this won't automatically
stop corporate IT folk asking for NAT.

On 2008-02-16 04:09, michael.dillon@bt.com wrote:

> Vendors need to agree on the timeout for mappings 

As Paul observed, no timeout is needed (as long as the
untranslated address remains valid).

> and on the
> method for substituting prefixes. 

Since this is a local operation, why is there anything
to standardise?

Even if ignoring port translation
> seems obvious, a vendor who is adapting/upgrading old code might
> include this in the absence of a standard. Also, an IPv6 NAT could
> include features that are not in v4 NAT such as using RFC 3041
> algorithms to generate the Interface ID portion of the mapped 
> address rather than passing the ID through unchanged.

It could, but all that is pointless - the host itself can use RFC 3041
if it wants. Why invent work for an unnecesary box?

> 
> An often used example of how IPv6 is better than IPv4, talks about
> how every device can have its own IPv6 address, so that just like
> a telephone set, every device can be "called" by any other device.
> But if you look into how the telephone system works, many telephone
> sets are not available to receive calls. Instead, they are in
> communication with a PABX which may or may not forward phone calls
> to the phone set. Since an IPv6 NAT device fills an analogous gateway
> role in the Internet, one wonders why there is no IPv6 NAT standard
> to cover things like local hosts registering with the NAT to receive
> packets on a certain port, or local hosts registering a forwarding
> address for packets on a certain port.

Because that has nothing to do with NAT. Those functions, if you
want them, are firewall functions.

On 2008-02-16 11:49, Jonathan Rosenberg wrote:
...
> So, I think it would be good to define IPv6 NAT behavior, and do so NOW 
> before its too late, and define it in a way that it would appeal to the 
> admins that have deployed IPv4 NAT today.

That's a terrible idea, because it would pander to the myths that
NAT is a security or policy tool. I think Paul Francis' comment
shows that there is almost nothing to define, and that if we
write anything, it should be absolutely minimal, and contain appropriate
MUSTs and MUST NOTs for all the things that should be done
differently in IPv6.

> Worst case, it doesn't get 
> used and we have this nice utopian NAT-free IPv6 network. 

No, that's the best case. The worst case is that it encourages vendors
to implement it and corporate IT folk to deploy it.

> Can you say 
> the same for the worst-case situation for NOT standardizing v6 NAT?

That's a very hard question to answer, because it depends very much
on how CPE and firewall vendors react in their product plans. Since they
all know that NAT isn't needed for IPv6, and product managers are not
known for funding unnecessary work, in the best case, it doesn't get
implemented. In the worst case, it gets implemented randomly.

    Brian


_______________________________________________
Ietf mailing list
Ietf@ietf.org
http://www.ietf.org/mailman/listinfo/ietf