moving to IPv6
narten at raleigh.ibm.com
Mon Nov 3 18:23:18 UTC 1997
"Sean M. Doran" <smd at clock.org> writes:
> The thing that amazes me about people who are fans of IPv6
> is that they have realized that NAT is THE fundamental
> scaling technology for the Internet.
I would prabably be tarred as being a fan of IPv6, and this
realization is news to me.
What I do think is clear is that NAT has some very immediate
short-term benefits. What I am very much less clear about is what
happens long term. NAT "fixes" some immediate problems by pushing
those problems elsewhere (e.g., your observation later that higher
layers better not violate certain assumptions). Whether the problems
that crop up elsewhere are easier to solve than the current ones
(e.g. CIDR-style forced renumbering) is IMO an open question.
> The technical goal is that end to end services will work,
> period, in all cases. This is possible provided that the
> higher order protocols do not make invalid assumptions
> about the transport layer. Most importantly, just as CIDR
> requires that protocol implementations respect that IP
> addresses may change over time, NAT as THE new fundamental
> scaling technology requires that protocol implementations
> respect that IP addresses may change over space as well.
OK. So IPSec and most other security protocols are botched?
Fundamentally, security likes the idea that it trusts no one other
than the originator of data and the ultimate destination of data. That
means no one in between should be able to examine the data, much less
modify any of it. That includes NATs rewritting addresses. IPSec (and
DNSSEC) do not allow addresses to be rewritten in packets. Full Stop.
More information about the NANOG