Fred
> The simplest way to accomplish this in NAT66 will be for the DMZ to hand
> it upstream to its ISP. In doing so, it converts the source address to
> the DMZ's prefix. The ISP PE router turns it around and sends it back,
> resulting in the translation of the destination address. The target
> system's reply goes through a similar route.
> 
> The more appropriate case, called for in RFC 4787, might be to recognize
> that this is about to happen and instead of changing the source address,
> change the destination address. This results in the target seeing a
> datagram from/to the ULA. One direction goes through the DMZ, but the
> replies are direct.

Maybe I missed it but I don't see how RFC 4787 imposes a burden on hosts
or apps to do address selection.

> IMHO, an even more appropriate solution would be to drop the datagram
> and reply "Destination Unreachable", to cause the originating host to do
> a better job of address selection. 

See, now you're asking the host or the app to do the network's job.

The apps are supposed to send packets to their peers without worrying
about how to get them there.  The network is supposed to make a best
effort to deliver them, modulo policy.

As soon as the network says "sorry, I won't deliver this because you
didn't use the right (source or destination) address for this realm" ...
it has abandoned the "best effort" model and the separation of function
between the host and the network.  And the implications of that are
huge.  e.g.

- It forces hosts and apps to try to be aware of addressing realms, and
to make decisions about how to not only route packets but how to do
referrals to peers which may or may not be in the same realms as they are.

- Because the host or app doesn't know why the traffic is blocked, it
encourages hosts and apps to interpret such restrictions as network
failures or damage (even if they're caused by policy) and route around
them.

etc.

> If the system has both an internal
> and an external address, I don't see the argument for not expecting the
> peer to use the appropriate one.

1. Because apps in general don't know which addresses are appropriate,
and "appropriate" is highly dependent both on the needs of the
applications and the way in which those addresses are used.  The fact
that an address has a ULA prefix doesn't mean that it's somehow more
appropriate than a global address.

2. Because address selection for referrals is even harder than address
selection for connection establishment.


Keith
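To make the three DMZ behaviours in the exchange above concrete, here is an added Python model (not code from Fred, Keith, or the nat66 list) of one datagram sent by an inside host from its ULA to a peer's site-global address. The prefixes (fd00:0:0:1::/64 inside, the documentation prefix 2001:db8:1::/64 outside) and the 1:1 prefix-translation mapping are constructed assumptions for the example; the three modes correspond to "translate the source and hand it upstream", the RFC 4787-style "translate the destination instead" hairpin, and "drop with Destination Unreachable".

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Constructed sample site (not from the thread): inside hosts use a ULA /64 and the
# DMZ NAT66 maps them 1:1 onto a global /64, keeping the 64-bit interface identifier.
ULA_PREFIX = IPv6Network("fd00:0:0:1::/64")
GLOBAL_PREFIX = IPv6Network("2001:db8:1::/64")
IID_MASK = (1 << 64) - 1


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address


def translate(addr: IPv6Address, to_prefix: IPv6Network) -> IPv6Address:
    """Swap the /64 prefix and keep the interface identifier (prefix translation)."""
    return IPv6Address(int(to_prefix.network_address) | (int(addr) & IID_MASK))


def dmz_nat66(pkt: Packet, mode: str) -> dict:
    """Model the DMZ handling a datagram from an inside (ULA) host addressed to one
    of the site's own global addresses.  Returns the hop trace, the packet as the
    target sees it (None if dropped), any ICMP sent back, and whether the target's
    reply can go directly to the originator without passing the NAT again.
    """
    if pkt.src not in ULA_PREFIX or pkt.dst not in GLOBAL_PREFIX:
        raise ValueError("example only models inside -> own-global-prefix traffic")

    if mode == "reject":
        # Drop it and push the problem back to the originating host: it has to
        # discover on its own that the peer's ULA was the address to use.
        return {"trace": ["dmz: drop"], "delivered": None,
                "icmp": "Destination Unreachable", "reply_direct": False}

    if mode == "hairpin":
        # Recognise our own external prefix and rewrite the *destination*.
        # The target sees ULA -> ULA, so its reply needs no translation.
        inside = Packet(pkt.src, translate(pkt.dst, ULA_PREFIX))
        trace = [f"dmz: dst {pkt.dst} -> {inside.dst}, deliver inside"]
        return {"trace": trace, "delivered": inside, "icmp": None,
                "reply_direct": inside.src in ULA_PREFIX}

    if mode == "translate_source":
        # Outbound: rewrite the *source* to the global prefix and hand it upstream.
        upstream = Packet(translate(pkt.src, GLOBAL_PREFIX), pkt.dst)
        trace = [f"dmz: src {pkt.src} -> {upstream.src}, hand to ISP"]
        # The ISP PE sees a destination in the site's prefix and turns it around.
        trace.append("isp-pe: dst is the site's prefix, route back to dmz")
        # Inbound: rewrite the destination from global to ULA.
        inside = Packet(upstream.src, translate(upstream.dst, ULA_PREFIX))
        trace.append(f"dmz: dst {upstream.dst} -> {inside.dst}, deliver inside")
        # The target sees a global source, so its reply takes the same detour.
        return {"trace": trace, "delivered": inside, "icmp": None,
                "reply_direct": inside.src in ULA_PREFIX}

    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed datagram: inside host ::a talks to peer ::b's global address.
    pkt = Packet(IPv6Address("fd00:0:0:1::a"), IPv6Address("2001:db8:1::b"))
    for mode in ("translate_source", "hairpin", "reject"):
        r = dmz_nat66(pkt, mode)
        print(f"{mode}: {r['trace']}")
        print(f"  target sees {r['delivered']}, icmp={r['icmp']}, "
              f"reply direct={r['reply_direct']}")
```

Running it shows the difference Fred describes: with source translation the target sees 2001:db8:1::a and every reply also hairpins through the ISP and the DMZ, while destination translation delivers fd00:0:0:1::a -> fd00:0:0:1::b and the reply stays inside. The reject mode is the one Keith objects to, since the host receives only an unreachable and has to infer the addressing-realm policy itself.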
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66