"Steven M. Bellovin" wrote:
> In message <[EMAIL PROTECTED]>, Ed Gerck writes:
> >
> >
> >"Steven M. Bellovin" wrote:
> >
> >> In message <[EMAIL PROTECTED]>, Ed Gerck writes:
> >>
> >> >
> >> >Actually, in the UK you can do just what you wish ;-)
> >> >You give a name to your house (say, "The Tulip") and
> >> >the post office knows where The Tulip is. If you move,
> >> >you can do the same at your new location, provided
> >> >there is no conflict. This seems to be more similar to the
> >> >notion of using an IP number as a name -- but isn't this
> >> >why we need DNS? ;-)
> >> >
> >>
> >> And if you move from London to Belfast, this will still work?
> >
> >In the UK, as I said. I would think that other countries may have
> >a similar system. Note that this is a natural example of NAT,
> >in which the post office is doing the address translation to a local
> >address that only that post office knows, but which is globally
> >reachable through that post office. And the post office does so
> >without changing the global addresses or the local addresses.
>
> Last I checked, Belfast was in the UK, though I realize that some folks
> wish it were not so.
It will work in the UK was my reply.
> But you missed my point -- as you note above, the
> house name is known to "that post office". In other words, there is
> hierarchy in the routing algorithm; it's not globally known, or even
> known throughout the UK.
I disagreed with your point, not missed it. "The Tulip" together with *that*
post office's postcode (for example CM22 6SX, which they assign on a
geographical basis) is globally routable. Even from Belfast ;-)
> The same is true of the Internet, and it's why IP addresses aren't portable.
IP addresses are not portable simply due to a design choice. If IP numbers
were designed the way the UK designed their postal service long ago,
then IP numbers would be portable indeed.
> >IMO, it is thus artificial to try to block Internet NATs. Far better would be
> >to define their interoperation with other network components that we also
> >need to use, in each case.
>
> Block them? Not at all; I have no desire to do that. But we need to
> recognize that *with the current Internet architecture*, there are some
> inherent limitations. To use your analogy, suppose that senders
> sometimes wrote their house name on the letter enclosed in the envelope
> -- but they didn't include the post office name, so the recipient
> couldn't reply.
I see that we are in agreement with my post office example. "The Tulip"
together with the postal code (ie, the post office's "name") is globally
routable.
> Or imagine that the Post Office only kept track of
> house names when there was a recent outgoing letter.
These are security choices -- the time to live in a NAT could be unlimited,
with fixed port numbers. The address:port numbers could also be pre-registered,
before any message is sent. This is the current UK post-office model. Likewise, the
UK post-office model could only keep track of house names when there was a
recent outgoing letter, with "recent" defined by policy.
> That's the reality of NAT today.
IMO, this is simply a security choice -- NATs could work with the current UK
post-office model as well. But if the house owner only wants to allow the post
office to keep track of his house's name when there was a recent outgoing letter,
then who is going to say otherwise? After all, he may refuse to receive any
letter and just send them. One way or another, the house (network) owner is
sovereign over his house (network). My network is my castle.
> Please pay careful attention to two things I did *not* say. I did
> *not* say that NATs were an irrational engineering choice in today's
> environment. In fact, they clearly are rational in some circumstances,
> despite their disadvantages.
I would say characteristics, not disadvantages. An apple is a bad orange.
> Second, I didn't say that one couldn't
> have designed an Internet architecture with nested addresses. Quite
> obviously, that could have been done.
In my view, this is already done. It works this way, although not engineered
this way. That the Internet has its own dynamics is the lesson I see in this.
It routes around blocks ;-)
> But it wasn't, and we have an
> Internet that likes single, fixed-length addresses. NATs are at best
> an ugly add-on in such a world.
An alternative view is that we have an Internet that likes so much to work
with heterogeneous networks that it now supports NATs even though
NATs were not originally designed into it.
> (My personal techo-religion preaches
> that *all* successful systems run out of address space
;-) agreed, but only systems with finitary address space.
> , and that you're
> better off planning for it up front. I (among others) argued strongly
> for IPv6 addresses of 8, 16, 24, or 32 bytes, precisely to plan ahead.
> In fact, the penultimate design called for fixed-length, 8-byte
> addresses. The switch to 16 bytes was done to satisfy those of us who
> feared that that was not nearly enough.)
Going further with your line of thought, an extensible architecture with open
addresses (the kind that heterogeneous networks make possible) would provide
the real solution to the address space problem -- because it is no longer finite.
NATs are an integral part of such design.
Cheers,
Ed Gerck
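The policy knobs argued over above (a NAT that only remembers a mapping while there has been a recent outgoing packet, a NAT whose mapping lifetime is unlimited, and a NAT where the address:port is pre-registered before any packet is sent) can be made concrete with a toy translation table. The code below is an added example written for this page; it is not part of the original thread nor anyone's real NAT implementation. All addresses, ports, timestamps and packets in it are constructed, and the `Nat` class and its methods are hypothetical names chosen for illustration. It models only the state-table behaviour, not checksums, protocols or actual packet forwarding.

```python
"""Toy NAT translation table: dynamic mappings with an idle TTL, an
'unlimited' TTL, and static pre-registered mappings.  Illustrative only;
every address, port and time value here is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Mapping:
    internal: Endpoint
    external: Endpoint
    last_used: float
    ttl: Optional[float]  # idle seconds before the entry dies; None = unlimited
    static: bool = False  # pre-registered entries never expire


class Nat:
    """Hypothetical NAT box with one public IP and a policy-defined idle TTL."""

    def __init__(self, public_ip: str, default_ttl: Optional[float], first_port: int = 40000):
        self.public_ip = public_ip
        self.default_ttl = default_ttl
        self.next_port = first_port
        self.by_external: Dict[Endpoint, Mapping] = {}
        self.by_internal: Dict[Endpoint, Mapping] = {}

    def register(self, internal: Endpoint, public_port: int) -> Mapping:
        """Pre-register a fixed address:port before any traffic (the
        'house name known to the post office' model in the thread)."""
        m = Mapping(internal, (self.public_ip, public_port), last_used=0.0, ttl=None, static=True)
        self.by_external[m.external] = m
        self.by_internal[internal] = m
        return m

    def _alive(self, m: Mapping, now: float) -> bool:
        return m.static or m.ttl is None or (now - m.last_used) <= m.ttl

    def _expire(self, m: Mapping) -> None:
        self.by_external.pop(m.external, None)
        if self.by_internal.get(m.internal) is m:  # do not drop a newer replacement
            del self.by_internal[m.internal]

    def outbound(self, internal: Endpoint, now: float) -> Endpoint:
        """Packet leaving the private network: create or refresh a mapping and
        return the public source endpoint the outside world will see."""
        m = self.by_internal.get(internal)
        if m is not None and not self._alive(m, now):
            self._expire(m)
            m = None
        if m is None:
            m = Mapping(internal, (self.public_ip, self.next_port), last_used=now, ttl=self.default_ttl)
            self.next_port += 1
            self.by_internal[internal] = m
            self.by_external[m.external] = m
        m.last_used = now
        return m.external

    def inbound(self, external: Endpoint, now: float) -> Optional[Endpoint]:
        """Packet arriving from outside: deliver to the mapped internal host if
        a live mapping exists, otherwise drop it (return None)."""
        m = self.by_external.get(external)
        if m is None:
            return None
        if not self._alive(m, now):
            self._expire(m)
            return None
        m.last_used = now
        return m.internal


def demo() -> dict:
    """Constructed scenario comparing the three policies discussed in the thread."""
    host = ("192.168.1.10", 5000)

    # Policy 1: 30-second idle timeout (the 'recent outgoing letter' model).
    idle = Nat("203.0.113.7", default_ttl=30.0)
    ext = idle.outbound(host, now=0.0)
    reply_in_time = idle.inbound(ext, now=10.0)      # mapping alive -> delivered
    reply_too_late = idle.inbound(ext, now=100.0)    # 90 s idle > 30 s -> dropped
    unsolicited = idle.inbound(("203.0.113.7", 40001), now=0.0)  # never mapped -> dropped

    # Policy 2: unlimited lifetime, fixed port once allocated.
    forever = Nat("203.0.113.8", default_ttl=None)
    ext2 = forever.outbound(host, now=0.0)
    reply_much_later = forever.inbound(ext2, now=10**9)  # still delivered

    # Policy 3: address:port pre-registered before any packet is sent.
    fixed = Nat("203.0.113.9", default_ttl=30.0)
    fixed.register(("192.168.1.20", 80), public_port=8080)
    first_contact = fixed.inbound(("203.0.113.9", 8080), now=0.0)  # reachable with no prior outbound

    return {
        "ext": ext, "reply_in_time": reply_in_time, "reply_too_late": reply_too_late,
        "unsolicited": unsolicited, "reply_much_later": reply_much_later,
        "first_contact": first_contact,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the table makes is the one Gerck argues: whether an unsolicited inbound packet is dropped, accepted for a while after outbound traffic, or accepted indefinitely is a policy setting of the box, not something fixed by the idea of translation itself. Real NATs add per-protocol timers, port-restricted filtering and hairpinning on top of this; the toy keeps only the lifetime policy.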