On Wed, 15 Dec 2010 10:37:04 +0100
"t.petch" <ietfc@btconnect.com> wrote:

> ----- Original Message ----- 
> From: "Toru Kuboshiki" <toru.kuboshiki@wata-lab.meijo-u.ac.jp>
> To: <v6ops@ietf.org>
> Sent: Wednesday, December 15, 2010 8:46 AM
> 
> > Hello, everybody.
> > My name is Toru Kuboshiki, the student of Meijo University in JAPAN.
> > This is the first time I post on this mailing list.
> > 
> > I am studying how we can familiarize IPv6.
> > I think that one of reasons, why IPv6 does not become popular, is that
> > IP addresses in the local network are seen from the outside. In IPv4,
> > NAT conceals a whole network and this gives the network manager
> > security. 
> 
> <more emotion than engineeering>
> 
> Put forward this point of view on some lists, the main IETF one for 
> example, and, judging by past experience, you will get a firestorm of 
> protest that NAT adds no security.  I think that the truth is closer to
> that than you say, that NAT adds a little security, but not much.  I have
> worked with a number of managers who are convinced that it adds 
> a lot, and I think that that is a dangerous position to take.
> 

NAT topology hiding is functionally equivalent to camouflage. It
provides a minimal defence in depth mechanism, however anything that
uses it also a big gun, can run fast, can kick hard, or bite savagely
to resort to when the camouflage fails. People who seem to vehemently
defend topology hiding seem to be coming from a position that there is
no need for any other prevention or response mechanisms, which is quite
false.


> At the same time, you will see a lot of support for the view that NAT
> destroys end-to-end communication, which I personally think untrue
> in almost all cases.

I don't think you fully understand what "end-to-end" is referring to.

The nature of the Internet is supposed to be, and was originally 
peer-to-peer. A peer-to-peer network architecture means that if a
node has an network address, it has an equal ability to directly send or
receive packets to any other node that also has an address and is
attached to the same network. What the end-nodes, and more
specifically, what the applications put in those packets was irrelevant
to the newtork. The roles of "client" or "server" are only supposed
to be relevant to application architecture and roles. A node attached
to a peer-to-peer architecture network should be able to concurrently
run client or server components of applications without any network
imposed limitations - it was exclusively an end-nodes choice as to what
application role it wanted to play, not the network's. Also,
because the network doesn't care about what applications
it was being used for, the network doesn't need to be upgraded
before new applications can be deployed.

NAT has broken the peer-to-peer nature of the Internet. The
consequences have been that some end-nodes can't directly send traffic
to other end-nodes, so they have relay the communications via another
intermediary node that is visible to both the end-nodes. This
intermediary node then becomes another possible failure point, an
possible traffic interception point and a potential performance
bottleneck point. Applications that are forced to use an intermediary
become less reliable, less naturally secure and less scalable. Yet
there is no other choice if the end-nodes cannot directly send packets
towards each other. That is the limitation that NAT has imposed on
end-nodes. NAT exists because there aren't enough IPv4 addresses to
give all end-nodes unique addresses, and therefore not all remote-end
nodes that local end-nodes might want to send packets to are uniquely
identifiable and therefore reachable. Giving every end-node a network
unique Internet address (i.e. an IPv6 one), will give them back their
ability to exclusively choose what role they want to play in the
application architecture.

>  The protocols used by the vast mass of Internet
> users overcame NAT years ago, and there are just a few protocols,
> unknown to almost everybody in the world at large, which have not,
> but for most people, that is irrelevant.

NAT boxes "overcame" those limitations be incurring the hidden costs of
forcing public intermediary servers to exist, and application
developers to have develop client-server applications where a
peer-to-peer application architecture would have been far more
reliable, secure and scalable. The costs of dealing with a network
layer problem, namely lack of IPv4 addresses, has been shifted onto the
application developers and ultimately the end-users of those
applications. People have accepted them because there is no other
choice an an IPv4/NAT scenario - but with the deployment of IPv6
without NAT those costs can disappear. So we'll have more reliable, more
naturally secure and more scalable applications at less cost.

> 
> So, roll on NAT! we won't need it to in IPv6 as an address proxy, 
> and it won't add security, but I still expect it to happen.
> 

Returning to the original question, for the comparative advantage of
network camouflage, verses the other costs NAT incurs, I'm willing to
go without it.

Regards,
Mark.