On Jan 28, 2009, at 6:41 PM, Tony Hain wrote:
> I will argue that a technology that enables the routing system to
> have a number of prefixes comparable to the number of transit
> networks in the world and enables any system to address a peer
> anywhere else achieves the user's probable intent regardless of
> whether the technology in question rewrites the locator.
> It can't be open-loop, so if rewriting is supposed to occur it would
> make more sense for the network to inform the end system to send the
> packet that way to begin with using SCTP's multiple address
> capability. At least with that approach, SCTP-aware firewalls would
> have a chance of keeping up.
You may recall that I proposed something like that at one point; that
in a shim6-like network with overlaid prefixes, if A, which had
addresses a' and a", addressed B and the datagram went through the
wrong DMZ, the DMZ would reply "repeat this request using this
address". I suspect that there are attacks in that; a mis-configured
DMZ might literally send the wrong address.
But more to the point, the other reason that shim6 is DOA is the level
of complexity it imposes on the edge administrator. Administrations I
talk with tell me that they are unwilling to manage that level of
complexity as they don't see it buying them anything, and oh by the
way take a walk through RFC 3582's goals and ask how many shim6 meets.
I would argue that the opinions of the actual end user and/or his
agent on his machine are only one part of the "user's intent" question.
Another part is the administration that supplies his Internet service.
Now if he is supplying his own service, that's one thing. But for most
of us, the service is in fact something we hire an IT department to
supply for us or contract with an access ISP, and the agreement with
that administration gives them a certain level of voice in that "end
user intent". So discussions that bring every nitty-gritty point back
to "I want the network to ask my mother-in-law her opinion" pretty
quickly become nonsense; she doesn't know and she doesn't care. She
has an ISP or an IT department and expects them to take care of that.
There is one further, and in my mind very fundamental, point I'm
making here. We really do need the ability to have a discussion on GSE
or other uses of the technology, knowing and understanding that you
and others don't find such uses compelling and consider all
administrations to be attacking their users rather than supplying
SLA-guaranteed services to them. If you can tell me how to address the
concerns you raise in a way that administrations that might use it
would consider acceptably straightforward, I'm all ears. But the
discussion that continually recurs in this area doesn't sound
constructive. It has the effect of a DOS - it prevents us from having
any other discussion than "Tony and others don't like NATs and will
filibuster every use of the word to stop them".
I need for these discussions to lead in a constructive direction.
"Don't do that" isn't constructive. Neither is "I can imagine a
complete melt-down in which some idiot designs a network poorly and
nothing works". Yes, but is that really the norm? "I have these issues
and would consider them addressed if the following requirements were
met" is constructive, and would be both helpful and interesting.
Am I making sense?
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66