Fred, what you said about the application layer is entirely true. However, the whole point of the OSI model (as I understand it) is to allow people to deal with the layers in a somewhat modularized fashion. One can, presumably, address how much or how little information is revealed by a particular application in a discussion targeted at the application's function itself. If the network layer is revealing information itself...then nothing about how a particular application functions is relevant there.
To use an analogy, I can design an application that requires the use of strong passwords to control access to it. I can't design an application that would prevent an authorized user from telling every single person they encounter what their strong password is. That would have to be addressed at the level of organizational security & acceptable use policy...not in application design. However, if the application design itself doesn't support the use of strong passwords.... then nothing I can do at the level of acceptable use policy can make them happen.

On the network level, I basically want something that entirely abstracts my internal architecture from my external advertisement of services...and essentially functions as a proxy/intermediary between my internal devices and their external presence at the boundary between internal/external. NAT very handily does that currently in IPv4. From the discussions that I've had with a lot of people involved with IPv6...and many of the people who have strongly argued against any sort of NAT in IPv6... they basically seem to be disagreeing not just with the particular method I want to use....but with my end goal itself.

Christopher Engel

> -----Original Message-----
> From: Fred Baker [mailto:[email protected]]
> Sent: Monday, May 03, 2010 12:46 PM
> To: Keith Moore
> Cc: Chris Engel; NAT66 HappyFunBall
> Subject: Re: [nat66] Terminology: Definition for "IPv6 Realm"?
>
> On May 3, 2010, at 8:10 AM, Keith Moore wrote:
>
> >> James,
> >>
> >> I believe what I asserted was the following....
> >>
> >> "The factual thing that can be said about NAT is that it obscures the literal IP address assigned to an end device from a source on the other side of the NAT boundary. For some that is a desired effect for others it's an undesirable problem.......
> >>
> >> ......
> >>
> >> You are not going to achieve that level of "obscurity" without some form of address translation....and any solution that you do provide to achieve that obscurity will have much of the same side effects that today's NAT does."
> >>
> > Actually, this seems like what IPv6 Privacy Addresses were made for.
>
> actually, no.
>
> privacy addresses obscure the EID, the lower 64 bits, but don't obscure the locator information. Chris specifically would like to obscure the locator.
>
> One could argue that NAT66 obscures the locator, in the sense that the bits used inside the house are not the same as are used outside the house. However, there is a 1:1 and onto relationship between the inside and outside expressions. That's not very obscure.
>
> At the end of the day, however, any application that expresses an address in its content is overcoming any obscurity one thinks one is getting at the network layer. Consider the addresses in SMTP email; from this email that I am responding to, I can determine that [email protected] sends email to 173.136.67.67 lust.indecency.org, which is a Mirapoint system, which as m1.imap-partners.net [64.13.152.131] sends it on to someone else - in this case, AMS operating on behalf of the IETF. Oh, you obscured all that at the network layers? Pardon me...
>

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
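As an added illustration (not part of the thread and not code from any of its participants), the Python below makes Fred's two points concrete: a checksum-neutral 1:1 prefix translation in the style of NPTv6 (RFC 6296, the form NAT66 was later standardized in), restricted here to /48 prefixes and using RFC 6296's documentation prefixes, and an RFC 4941-style privacy address that randomizes only the interface identifier. The handling of the one's-complement 0xFFFF/0x0000 collision is this example's own convention, not a claim about any product.

```python
import ipaddress
import secrets


def ones_add(*words):
    """One's complement sum of 16-bit words (end-around carry)."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def words(addr):
    """The eight 16-bit words of an IPv6 address."""
    return [int(w, 16) for w in ipaddress.IPv6Address(addr).exploded.split(":")]


def ones_sum_of(addr):
    """One's complement sum of a whole address, 0xFFFF folded to 0 (same value)."""
    total = ones_add(*words(addr))
    return 0 if total == 0xFFFF else total


def npt_translate(addr, src_prefix, dst_prefix):
    """Swap the /48 prefix of addr and adjust bits 48..63 so the one's complement
    sum of the address, and therefore every TCP/UDP pseudo-header checksum, is
    unchanged. Calling it again with the prefixes swapped undoes the mapping:
    the inside/outside relation is a fixed bijection, not concealment."""
    a = words(addr)
    src = words(src_prefix.split("/")[0])[:3]
    dst = words(dst_prefix.split("/")[0])[:3]
    if a[:3] != src or a[3] == 0xFFFF:
        raise ValueError("not in source prefix, or subnet 0xFFFF (one's complement zero)")
    # adjustment = sum(src) - sum(dst); in one's complement, subtract x by adding ~x
    adj = ones_add(ones_add(*src), 0xFFFF ^ ones_add(*dst))
    subnet = ones_add(a[3], adj)
    # 0xFFFF equals 0x0000 in one's complement arithmetic; writing 0x0000 keeps
    # the mapping invertible (this example's own convention for that edge case)
    if subnet == 0xFFFF:
        subnet = 0x0000
    return str(ipaddress.IPv6Address(":".join(f"{w:04x}" for w in dst + [subnet] + a[4:])))


def privacy_address(prefix):
    """RFC 4941-style temporary address: a random 64-bit interface identifier under
    an unchanged /64, so the routing prefix (the locator) is still fully exposed."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("privacy addresses are formed under a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64)))
```

With RFC 6296's example prefixes, fd01:203:405:1::1234 translates to 2001:db8:1:d550::1234 and back; privacy_address("2001:db8:1:d550::/64") yields a fresh host part every call under the same, visible /64.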
