> From: Fred Baker [mailto:[email protected]], Sent: Tuesday, October 26, 2010 > 10:37 AM > > On Oct 26, 2010, at 10:04 AM, Christian Huitema wrote:
>> The NAT66 draft enables NAT to rewrite the IPv6 header in a "checksum >> compatible" way. >> NAT66 don't have to go fetch the UDP or TCP header and whack the checksum. >> That is certainly >> a simplification, but it comes at a cost. Since there is a simple mapping >> between internal and >> external subnets, the external addresses carry information about the >> internal topology. >> How is that as a tradeoff? > > Yes, there is a 1:1 translation. It may even be the same value, if the > checksum update is being done in the EID. > > I guess my question is whether that's an issue. If folks would prefer a > stateful NAT, > we can obfuscate the source address further. We certainly can. We could for example use encryption to map the 64 bit internal EID to an encrypted 64 bit external EID, then compute the checksum differential on all bits of the address and remap the subnet ID. That would be almost stateless, the only state being the encryption key maintained by the NAT. Not that I am advocating that, I am just raising the issue to make sure it is considered. > But at least to my mind, topology obfuscation is a lost cause in the presence > of applications > that carry IP addresses - I can reverse engineer the parts of your network > that I care about > from the SMTP envelopes in your email, from information . For example, you > were using a > link local (169.254) address on your laptop when you sent the email, and the > email went > through three servers within Microsoft that are identified by DNS name and IP > address, and > then the message got to AMS (IETF) and finally Cisco. Yes, on the link from > your home or > your company to your upstream we can diddle with your source address. Is that > important? > What information do you actually think you're hiding, and from whom? There was a long thread about this issue when we discussed the simple security model, so I am pretty sure that some people do care. They may or may not be misguided. I am ready to believe that you know better than them. But then, there is a long history of know-nothing not following the IETF designs... > Heck. Who needs IP addresses. I'll fire up firesheep and become you at the > application > layer next time you access a site that uses http instead of https and pushes > cookies. I don't have a sheep in this race. I am just pointing out a tradeoff in the draft between simplicity and obfuscation. At a minimum, it would be useful to make that tradeoff explicit. -- Christian Huitema _______________________________________________ nat66 mailing list [email protected] https://www.ietf.org/mailman/listinfo/nat66
