On 25 Oct 2010, at 19:05, Margaret Wasserman wrote:

> 
> Hi Remi and Keith (among others),
> 
> On Oct 25, 2010, at 12:09 PM, Rémi Després wrote:
>> It seems you accept that it may do some "harm" in the residential case 
>> (which is the case I discuss: unmanaged CPEs).
> 
> Then we are in complete agreement.  NAT66 isn't needed for most home users

To be a real agreement, it has to be disjoint from the next sentence, though.
 
> -- a stateful firewall would serve the same purpose.

In my understanding, stateful firewalls aren't needed either in UNMANAGED CPEs. 


> That doesn't say _anything_ about the NAT66 document we are discussing on 
> this list, though, as it is intended to provide address independence for 
> _enterprise_ networks.

If this is so, it should be clear in the document.
I suggest having it at least in the abstract.
 
>  When Chris talks about the people who are waiting for IPv6 NAT before they 
> will deploy IPv6, he is talking about _enterprises_.  Not ISPs, not home 
> users.  (I'm making an assumption here -- Chris, please correct me if I am 
> wrong).

OK.
This is clear now, but had to be clarified.


>> IMHO, it is rather time that NAT addicts start to listen to the following 
>> argument:
>> As soon as you have a FW in a customer site, you don't need to break the e2e 
>> address preservation of IPv6 to protect this site.
> 
> 
> Most enterprise network managers are intelligent, well-educated, 
> well-informed, rational members of our community.  

No doubt from me on this!

> They are our peers, and we need to start treating them as such.

Never tried to do otherwise.
My sentence above was an answer to "It's time that the "anti-NAT" crowd starts 
to accept that e2e is not a desirable property in some networks" (which BTW I 
do accept, although I believe I was considered part of the "anti-NAT" crowd). 


>   There are valid (or at least defensible) _reasons_ why they make the 
> trade-offs they make.

Never thought differently.

>  Until you can see why so many of our peers use NAT in enterprise networks in 
> IPv4, you can't even begin to make a well-founded statement that they aren't 
> necessary in IPv6.

Does this mean that, because you suppose I ignore why enterprises have NAT44's,
my technical arguments wouldn't need to be looked at?

(I would appreciate also being considered a peer, and treated as such.)


> Please consider three facts:
> 
> - Firewalls existed in IPv4, too.

> - Many large enterprises have more than enough "swamp space" (AKA IPv4 
> provider-independent addresses)
> - Many of _those_ enterprises use NAT (for remote sites, B-to-B network or 
> their whole corporate networks)

Did I ever suggest anything against these well-known facts *in IPv4*?

> Until you can offer an insightful explanation of _why_ they use NAT in IPv4,

I have read, and I believe understood, what is said in RFC 4864:
   2.  Perceived Benefits of NAT and Its Impact on IPv4 
     2.1.  Simple Gateway between Internet and Private Network 
     2.2.  Simple Security Due to Stateful Filter Implementation 
     2.3.  User/Application Tracking
     2.4.  Privacy and Topology Hiding  
     2.5.  Independent Control of Addressing in a Private Network
     2.6.  Global Address Pool Conservation 
     2.7.  Multihoming and Renumbering with NAT 
To me, it covers the subject well.

If you have more insight to provide on what I should have understood, it will 
of course be welcome. 


> please stop telling them that they don't need NAT in IPv6...

They will do what they want anyway, but what they will want may be usefully 
influenced by complementary explanations and new proposals.

That's why I try to explain that:
1. NAT66 (stateless or stateful) breaks the e2e address preservation that 
facilitates various applications.
2. If these applications need to be barred, firewalls can do the job without 
needing NAT66 translations.
3. NAT66 doesn't completely solve the multi-CPE PA-based multihoming problem 
(even with complex precautions as to which CPE is reached from where, it 
remains incompatible with SHIM6).
4. There is with SAM an approach worth looking at, because it does better in this 
respect and can be incrementally deployed.

Yet, I acknowledge that NAT66 can work if:
- a site is single-homed or multihomed with an IPv6 PI prefix
- it is known that incoming connectivity may be barred for all hosts, and for a 
long time.
What I don't quite see though, in this case, is why the site wouldn't stay 
IPv4-only for the time being.


Regards,
RD
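Point 2 of the list above, made concrete as an added illustration that is not from the thread or its authors: an nftables ruleset (interface names are assumptions) that provides the "simple security due to stateful filter" of RFC 4864 section 2.2 while leaving every IPv6 address untouched end to end.

```nft
# Added illustration, not from the thread: a stateful IPv6 site firewall
# with no address translation. "lan0" and "wan0" are assumed interface names.
table ip6 site_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the site opened come back unchanged:
        # the inside host keeps its global address, so e2e is preserved.
        ct state established,related accept

        # Anything a site host initiates toward the Internet may go out.
        iifname "lan0" oifname "wan0" ct state new accept

        # ICMPv6 that IPv6 needs in order to function (PMTU discovery,
        # unreachables) must not be dropped by the default policy.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Unsolicited inbound connection attempts are refused here; a host
        # that should be reachable gets an explicit accept rule instead.
        iifname "wan0" ct state new counter drop
    }
}
```

The last rule is what the message calls "incoming connectivity barred"; the counter on it is where a defender watches how much unsolicited inbound traffic the site actually sees.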


_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66