Ok, Keith, I'll bite: how do we route traffic from my machine to your machine 
while not informing you of the actual IP address assigned to my machine, 
without using some iteration of Address Translation and without causing the 
exact same sort of side effects that NAT currently causes?

I can assure you that my deploying NAT on my own network boundary does you no 
more harm than my eating pork or having sex out of wedlock would. There may be 
some negative side effects for me, but that's my baggage to deal with. There may 
even be some negative side effects for those who choose to interact with 
me...but that choice of interaction is entirely voluntary. Furthermore I accept 
the fact that if I really want to interact with those individuals the onus is on 
me to put together an acceptable workaround.

So what "harm" is my deployment of NAT causing you?

- You can't initiate access to any devices on my network unless I explicitly 
advertise them as an external service. Guess what, I don't want you to...and 
you don't have a right to....even without NAT, that would be prevented by my 
firewall filter rules.

- Certain communication protocols/applications won't work between us unless 
I've made specific provisions for those protocols/applications to function 
across my NAT boundary (ALGs).... guess what, I don't want them to....and you 
don't have a right to expect them to do so. In the absence of NAT I would still 
make my best effort to prevent arbitrary applications/protocols from 
functioning across my network boundary without some sort of specific provision 
to enable them.

- You aren't able to easily profile my internal network. Again, I don't want you 
to...nor do you have a right to. You have no more right to know the IP address 
of any particular device on my network than you do to know who I bought it from 
or how much I paid for it.

- You DO have a right to know that packets coming in to your network are coming 
from my network. My use of NAT in no way prevents that from occurring. You do 
have a right not to receive packets from my network if you request me not to 
send them. My use of NAT in no way prevents that either.

So I'm still waiting to hear the ACTUAL "harm" my deployment of NAT is causing 
you?


Christopher Engel


> -----Original Message-----
> From: Keith Moore [mailto:[email protected]]
> Sent: Friday, April 30, 2010 3:45 PM
> To: Chris Engel
> Cc: 'Fred Baker'; [email protected]
> Subject: Re: [nat66] Terminology: Definition for "IPv6 Realm"?
>
>
>       Well, perhaps if you view the IETF as a "religion" and
> NAT as something which violates its dogma that analogy makes sense.
>
>
> Religions are at their best when they give people practical,
> achievable ways to live their lives well, and in such a way
> as to benefit not only themselves, but also others.
>
> Similarly, IETF is at its best when it tells people
> practical, achievable ways to build and run networks in such
> a way that not only the enterprise network works well, but
> the whole Internet supports a wide diversity of applications
> for everyone's benefit.
>
>
>
>       Here is the thing, not everyone agrees on a common
> definition of "harm". Is sex out of wedlock "harm"? How about
> eating pork? Drinking wine? It all depends upon the
> "religion" of the person you ask.
>
>       Regardless of that, the scientifically responsible thing
> for organizations that are concerned with public health
> issues to do is talk about condom use (including the fact
> that they are not foolproof). It isn't going to cause people
> who regard sex out of wedlock as "sinful" to go wild...
> and isn't going to stop people who don't from engaging in
> that activity. It's just going to mitigate some of the more
> negative side effects that behavior might cause.
>
>
> So fine. If you can figure out how to tell people to have
> NATs in their networks without their doing significant harm,
> by all means do so. But nobody has figured this out yet, and
> NATs have been around for 15+ years by now.
>
> I've tried to do that myself with NAT-XC, and while I think
> that NATs that are explicitly controlled by their endpoints
> are a lot better than those that try to outsmart their
> endpoints, I certainly wouldn't say that they don't still do
> harm.  I can only justify them as a transition mechanism to
> get to pure IPv6, and as a band-aid to allow the occasional
> legacy IPv4 only host or app to work for a bit longer.
>
> The people who still claim that NATs do little harm are
> either in denial, malicious, or both.
>
>
>
>
>
>       The factual thing that can be said about NAT is that it
> obscures the literal IP address assigned to an end device
> from a source on the other side of the NAT boundary. For some
> that is a desired effect for others it's an undesirable problem.
>
> You're grossly understating the harm caused by NATs, and you
> know it.
>
>
>       Where you fall on that spectrum is more akin to religion.
>
> Where I fall on the spectrum is practicality.  I've done the
> analysis for large numbers of use cases and I know which way
> works better overall.  There's really no comparison.
>
> Of course religion has a dark side too.  The worst aspect of
> religion is when it reinforces prejudices that do harm.
> Which is a very good description of what promoting NATs does.
>
>
>       IETF is never going to get people to reconcile their
> conflicting interests there.
>
>
> Perhaps not, but that's not an excuse for IETF to be
> deliberately dishonest or to promote harmful practices.
>
>
>
>       You are not going to achieve that level of "obscurity"
> without some form of address translation...
>
> Incorrect.  There are lots of ways to route traffic within an
> enterprise without exposing the internal network hierarchy in
> the address.
>
>
> Keith
>
>
>
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66