On Mar 23, 2009, at 2:39 PM, Fred Baker wrote:
> The simplest way to accomplish this in NAT66 will be for the DMZ to
> hand it upstream to its ISP. In doing so, it converts the source
> address to the DMZ's prefix. The ISP PE router turns it around and
> sends it back, resulting in the translation of the destination
> address. The target system's reply goes through a similar route.
>
> The more appropriate case, called for in RFC 4787, might be to
> recognize that this is about to happen and instead of changing the
> source address, change the destination address. This results in the
> target seeing a datagram from/to the ULA. One direction goes through
> the DMZ, but the replies are direct.
I think that your second option is the right choice. I agree that the
NAT66 draft does not currently say this, and it should probably be
updated to do so.
> IMHO, an even more appropriate solution would be to drop the
> datagram and reply "Destination Unreachable", to cause the
> originating host to do a better job of address selection. If the
> system has both an internal and an external address, I don't see the
> argument for not expecting the peer to use the appropriate one.
I think that hairpinning is supposed to handle the case where a node
only has a global address (perhaps from the DNS?) for a host that is
also behind the same NAT. While I agree that a host should choose the
local address if it is known, I think that will happen automatically
via longest prefix match.
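Added example, not from the thread or any NAT66 implementation: a toy Python model of the three behaviours discussed above (hairpin by rewriting only the destination, reject with Destination Unreachable, and the sender's longest-prefix-match choice). The ULA and global prefixes and the hosts are constructed, and prefix translation is simplified to a plain prefix swap rather than the draft's mapping.

```python
import ipaddress

# Constructed prefixes: the site's ULA on the inside, its global prefix outside.
INTERNAL = ipaddress.ip_network("fd00:1234:5678::/48")
EXTERNAL = ipaddress.ip_network("2001:db8:abcd::/48")


def translate(addr, from_net, to_net):
    """Swap the /48 prefix of addr from from_net to to_net, keeping the host bits.
    Simplified: a plain substitution, not the draft's checksum-neutral mapping."""
    host_bits = int(addr) & ((1 << (128 - from_net.prefixlen)) - 1)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)


def nat66_outbound(src, dst, hairpin=True):
    """Model the NAT's handling of a datagram leaving the interior toward the DMZ.
    Returns (action, src, dst) as strings; action is 'forward', 'hairpin' or 'unreachable'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in EXTERNAL:
        # Destination is our own external prefix, so the peer sits behind this same NAT.
        if hairpin:
            # Fred's second option: rewrite only the destination, leave the source
            # alone; the target sees ULA-to-ULA and its reply goes back directly.
            return ("hairpin", str(src), str(translate(dst, EXTERNAL, INTERNAL)))
        # Fred's alternative: refuse, so the sender reselects a better address.
        return ("unreachable", str(src), str(dst))
    # Ordinary outbound traffic: translate the source into the external prefix.
    return ("forward", str(translate(src, INTERNAL, EXTERNAL)), str(dst))


def select_destination(src, candidates):
    """Margaret's point, simplified: with a ULA source, longest prefix match
    picks the peer's ULA over its global address without any NAT involvement."""
    src = ipaddress.ip_address(src)

    def common_prefix_len(candidate):
        return 128 - (int(src) ^ int(ipaddress.ip_address(candidate))).bit_length()

    return max(candidates, key=common_prefix_len)
```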
Margaret
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66