If I have problems with the NAT66 algorithm, it is the set of cases in
which it can be defeated. Both of these have to do with routing.
In the first, if Alice is served by Bob and Bobby, it is probable that
Alice's administration lists both the Alice-via-Bob and the
Alice-via-Bobby address in DNS. If Carol seeks to connect to Alice, Alice will
pick among those addresses at random unless she has a good explicit
reason to have an affinity to one of them. However, routing within
Alice's network may choose a different exit gateway than the ingress
gateway Carol in effect chose when she chose an address to use for
Alice. Thus, when Carol sends a SYN to Alice-via-Bob, the SYN-ACK
might come from Alice-via-Bobby. One hopes that Carol would eventually
retry Alice-via-Bobby and get through.

Coming back to Keith's question of referrals, there is a security
issue in hairpins. Let's imagine that in DNS Alice's administration
also lists Alice-via-ULA, the request is from Alicia, and both
Alicia's and Alice's nearest exit gateway is Bobby. If Alicia chooses
to contact Alice-via-Bobby, the argument is that the NAT66 should
either do or do something externally equivalent to translating it to
Bobby's network, turning the packet around, and translating it back
into Alice's network. But if Alicia chooses Alice-via-Bob, the packet
will exit to Bob, change ISPs, and attempt to enter at the NAT66
between Alice and Bob. While this would functionally work, it would
violate my company's, and I presume many companies', information
security rules - internal traffic is not allowed to go externally.
Hence, they are likely to filter traffic to both Alice-via-Bob and
Alice-via-Bobby at both NAT66 systems, with a view to forcing Alicia
to use Alice-via-ULA. Alice can refer to her heart's content, but only
using addresses that conform to the corporate security rules.

That said, I think both of these have trivial solutions.

To the first point, I need to prove this, but I think it would be
anomalous for such communication exchanges to not settle down to a
pair of addresses that work. If both Alice and Carol are using their
egress gateways of choice, the setup of sessions would have the effect
of selecting a pair of addresses that work. I can construct a case in
which that is not true, but I have to work pretty hard.

To the second case, I have two observations. First, while this is
unpopular with those who design DNS, those who run DNS usually have
different DNS databases internally and externally. If the internal
database uses ULA addresses and the external database uses Bob/Bobby
addresses, and the application uses names rather than addresses, the
issue largely falls out. Second, even if there is a common DNS, I
would be amazed to find Alicia trying to access Alice-via-Bob or
Alice-via-Bobby in preference to Alice-via-ULA, since Alicia and Alice have
addresses from the same prefix, and RFC 3484 would tell Alicia to
select that prefix.
_______________________________________________
nat66 mailing list
https://www.ietf.org/mailman/listinfo/nat66
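As an added illustration (not part of the message above), the RFC 3484 destination-address ordering that the last paragraph relies on, reduced to the rules that decide this case. The addresses for Alicia and the three Alice entries are constructed from documentation prefixes, and Alicia is assumed to hold only a ULA source address inside the NAT66 boundary.

```python
import ipaddress
# Default policy table, RFC 3484 section 2.1: (prefix, precedence, label).
# There is no fc00::/7 entry, so a ULA falls under ::/0 like any global address.
POLICY_TABLE = [
    (ipaddress.IPv6Network("::1/128"), 50, 0),
    (ipaddress.IPv6Network("::/0"), 40, 1),
    (ipaddress.IPv6Network("2002::/16"), 30, 2),
    (ipaddress.IPv6Network("::/96"), 20, 3),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 10, 4),
]

def policy(addr):
    """Longest-match lookup in the policy table; returns (precedence, label)."""
    _, prec, label = max((row for row in POLICY_TABLE if addr in row[0]),
                         key=lambda row: row[0].prefixlen)
    return prec, label

def scope(addr):
    """Scope as in RFC 3484; ULAs (fc00::/7) are global scope per RFC 4193."""
    return 2 if addr.is_link_local else 5 if addr.is_site_local else 14

def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()  # CommonPrefixLen(A, B), RFC 3484

def select_source(dst, sources):
    """RFC 3484 s.5, rules 2 and 8: matching scope, then longest common prefix."""
    return max(sources, key=lambda s: (scope(s) == scope(dst), common_prefix_len(s, dst)))

def order_destinations(destinations, sources):
    """RFC 3484 s.6, rules 2, 5, 6 and 9; the stable sort preserves rule 10."""
    def rank(dst):
        src = select_source(dst, sources)
        prec_d, label_d = policy(dst)
        return (scope(src) == scope(dst),        # rule 2: prefer matching scope
                policy(src)[1] == label_d,       # rule 5: prefer matching label
                prec_d,                          # rule 6: prefer higher precedence
                common_prefix_len(src, dst))     # rule 9: longest matching prefix
    return sorted(destinations, key=rank, reverse=True)

# Constructed example addresses (documentation prefixes, not from the thread).
ALICIA_SOURCES = [ipaddress.IPv6Address("fd00:db8:1::1")]  # ULA only, inside NAT66
ALICE_DNS = {  # the three entries Alice's administration might publish
    "Alice-via-Bob": ipaddress.IPv6Address("2001:db8:b0b::2"),
    "Alice-via-Bobby": ipaddress.IPv6Address("2001:db8:b0bb::2"),
    "Alice-via-ULA": ipaddress.IPv6Address("fd00:db8:1::2"),
}
def preferred_order(dns_entries, sources):
    """Names in the order RFC 3484 would have Alicia try them."""
    by_addr = {addr: name for name, addr in dns_entries.items()}
    return [by_addr[a] for a in order_destinations(list(dns_entries.values()), sources)]
```

RFC 6724, which obsoletes RFC 3484, adds a fc00::/7 entry (precedence 3, label 13); with a ULA-only source the ULA destination still sorts first there, by rule 5 (matching label) rather than rule 9.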