On Fri, Apr 30, 2010 at 1:40 PM, Chris Engel <[email protected]> wrote:
> Ok, Keith, I'll bite: how do we route traffic from my machine to your machine
> while not informing you of the actual IP address assigned to my machine,
> without using some iteration of Address Translation and without causing the
> exact same sort of side effects that NAT currently causes?
>
One way is using an encapsulation mechanism such that the end host knows the IP address that will be exposed. Imagine putting Mobile-IP style home agents at your network border: a host maintains (or creates as needed) a tunnel to that border host when it needs to reach an endpoint outside the local galumbit; the home agent would also presumably be permitted to reach hosts inside the galumbit when administrative rules for that have been satisfied.

There are other trade-offs, of course, but it looks to me that existing technology enables you to design a network border with the security properties you desire without NAT. You get a very short-legged triangle route (similar to mobile IP's triangle, but with much less practical effect), but this has a pretty different impact from NAT.

[I'm using the term "galumbit" above because realm, zone, and domain are off-limits and Fred doesn't want to talk about reachability. I hope you know the galumbit when you see it, as the thing inside those borders]

Just my opinion, of course,

regards,

Ted

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
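The following toy model is an added illustration of the contrast Ted draws above; it is not code from the nat66 thread or from any IETF work. It models a border device in two modes: a stateful NAT that rewrites the source address, and a Mobile-IP-style home agent that hands an inside host an exposed address and carries the host's packets over a tunnel without touching them. The addresses are constructed (documentation prefix), the per-host address pool, the `register()` binding step and the peer-address flow key are simplifying assumptions, and the payload field `contact` stands in for the classic case of an application embedding its own address (the reason NAT needs ALGs). In both modes the outside peer's packet header carries only a border address; the difference is that with the home agent the host knows that address and can use it consistently, and the inner packet is forwarded unchanged.

```python
"""Toy model: NAT rewrite vs. home-agent encapsulation at a network border.

Constructed example for illustration. Addresses use the RFC 3849 documentation
prefix; the one-address-per-host pool and the peer-keyed NAT table are
simplifications, not a description of any real implementation.
"""
from dataclasses import dataclass
from typing import Optional

INSIDE_HOST = "2001:db8:1::10"                              # host behind the border
BORDER = "2001:db8:ffff::1"                                 # the border device itself
EXPOSED_POOL = ["2001:db8:ffff::a1", "2001:db8:ffff::a2"]   # assumed: addresses the agent hands out
PEER = "2001:db8:2::20"                                     # the outside endpoint


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: dict                     # application data; may embed an address
    inner: Optional["Packet"] = None  # set when this packet is a tunnel wrapper


class NatBorder:
    """Stateful NAT: rewrites the source address and remembers the flow."""

    def __init__(self, addr: str):
        self.addr = addr
        self.flows = {}  # peer address -> inside address (toy key; real NAT keys on more)

    def outbound(self, pkt: Packet) -> Packet:
        self.flows[pkt.dst] = pkt.src
        # Header is rewritten, payload is not: an address the host quoted about
        # itself is now inconsistent with what the peer sees on the wire.
        return Packet(src=self.addr, dst=pkt.dst, payload=pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.flows.get(pkt.src)
        if inside is None:
            return None  # no flow state for this peer: drop
        return Packet(src=pkt.src, dst=inside, payload=pkt.payload)


class HomeAgent:
    """Mobile-IP-style border agent: binds an exposed address, tunnels packets."""

    def __init__(self, addr: str, pool: list):
        self.addr = addr
        self.pool = list(pool)
        self.bindings = {}  # exposed address -> inside address

    def register(self, inside_addr: str) -> str:
        exposed = self.pool.pop(0)
        self.bindings[exposed] = inside_addr
        return exposed  # the host learns the address the outside will see

    def outbound(self, tunnel_pkt: Packet) -> Optional[Packet]:
        inner = tunnel_pkt.inner
        if inner is None or self.bindings.get(inner.src) != tunnel_pkt.src:
            return None  # inner source must be the exposed address bound to this host
        return inner  # decapsulate; inner header and payload are forwarded untouched

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.bindings.get(pkt.dst)
        if inside is None:
            return None  # no binding: nothing inside is reachable this way
        # Triangle route: peer -> home agent -> host; the inner packet is unchanged.
        return Packet(src=self.addr, dst=inside, payload={}, inner=pkt)


def observe(peer_view: Packet) -> dict:
    """What the outside peer can tell from the packet that reached it."""
    return {
        "source_seen": peer_view.src,
        "learned_inside_addr": INSIDE_HOST in (peer_view.src, *peer_view.payload.values()),
        "payload_matches_header": peer_view.payload.get("contact") == peer_view.src,
    }


def run_nat() -> dict:
    nat = NatBorder(BORDER)
    # The host knows only its own address, so that is what it embeds.
    out = nat.outbound(Packet(INSIDE_HOST, PEER, {"contact": INSIDE_HOST}))
    result = observe(out)
    reply = nat.inbound(Packet(PEER, out.src, {"msg": "hello"}))
    result["reply_delivered_to"] = reply.dst if reply else None
    return result


def run_home_agent() -> dict:
    ha = HomeAgent(BORDER, EXPOSED_POOL)
    exposed = ha.register(INSIDE_HOST)
    inner = Packet(exposed, PEER, {"contact": exposed})  # host embeds the address it knows is exposed
    out = ha.outbound(Packet(INSIDE_HOST, ha.addr, {}, inner=inner))
    result = observe(out)
    reply = ha.inbound(Packet(PEER, exposed, {"msg": "hello"}))
    result["reply_delivered_to"] = reply.dst if reply else None
    result["reply_inner_untouched"] = reply.inner == Packet(PEER, exposed, {"msg": "hello"})
    return result


if __name__ == "__main__":
    print("NAT:       ", run_nat())
    print("Home agent:", run_home_agent())
```

Run it directly to print both results. In the NAT run the peer's header shows the border address but the payload still quotes the inside address, so the two disagree; in the home-agent run the host was told its exposed address up front, header and payload agree, and the reply comes back inside a tunnel wrapper with the peer's packet intact, which is the short triangle route Ted describes.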
