IMO, a minimum requirement for any v6 NAT approved by IETF is that hosts/apps MUST have a way to determine the external/global addresses associated with a connection without needing an external server in global address space for ICE or similar tricks. This mechanism MUST be the same mechanism for all standard NATs. People need to stop insisting that hosts and apps don't need to know their addresses.
On Oct 27, 2010, at 5:38 AM, Rémi Després wrote:

> On 27 Oct 2010 at 08:27, S.P.Zeidler wrote:
>
>> Thus wrote Rémi Després ([email protected]):
>>
>>> Yet, I acknowledge that NAT66 can work if:
>>> - a site is single-homed or multihomed with an IPv6 PI prefix
>>
>> The entire point of NAT66 use cases is to gain some benefits of
>> a PI prefix without incurring the associated cost.
>
> As I tried to explain in a previous mail on this list:
> - If a private-site network has two CPEs giving access to two ISPs with PA
>   prefixes, the CPE via which a packet goes to the Internet depends on the
>   intra-site routing.
> - If intra-site routing DOESN'T make sure that all packets from a given host
>   always go to the same CPE, then TCP connections will be broken because:
>   . packets that go via a CPE different from that traversed by the SYN
>     packet will be received with a different source address
>   . they will then be discarded at their destination because they have a
>     different source address than that of the 5-tuple that identifies the
>     connection.
>   . the available tool to work with several source addresses, SHIM6, can't
>     help because, due to NAT66, hosts don't know their global addresses.
> - If intra-site routing DOES make sure that all packets from a given host
>   always go to the same CPE, incoming connections that come via the other CPE
>   will be broken because outgoing packets will never have the right global
>   source address.
>
> This being said, I do agree that there is a small window of opportunity for
> NAT66 in multihoming sites with multiple PAs, namely IF:
> - No incoming connection to any host is intended to be desirable in IPv6
> - There is a need that some hosts do reach IPv6-only servers
> - Intra-site routing is such that outgoing packets of a host always go to
>   the same CPE, at least in the absence of ISP-access failure.
> - There is no intention that any host can use SHIM6 as a tool to maintain
>   connections when an ISP access fails.
>
> I find these conditions extremely restrictive but, clearly, one is free to
> accept them.
>
> Technical comments on the above are welcome.
> If this is wrong, explaining why will be progress.
> If this is right, these limitations should IMHO be documented, e.g. in the
> applicability section of the NAT66 document.
>
> Regards,
> RD
>
>> ...
>> NAT66 when you have PI is supremely pointless.
>
> To be remembered.
>
>> regards,
>> spz
>> --
>> [email protected] (S.P.Zeidler)
>
> _______________________________________________
> nat66 mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/nat66
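The two breakage cases in the quoted mail (a non-sticky site sending a later segment via the other CPE, and a sticky site receiving an inbound connection via the CPE it never sends through), modelled as an added example that is not code from this thread. It assumes stateless prefix translation at each CPE and a TCP stack reduced to its 5-tuple check; all addresses are constructed (fd00:1::/48 as the site's internal prefix, 2001:db8:1::/48 and 2001:db8:2::/48 standing in for the two ISPs' PA prefixes, 2001:db8:ffff::53 as a remote peer).

```python
"""Simulate why NAT66 breaks TCP on a site multihomed with two PA prefixes.

Added illustration, not code from the nat66 thread. Prefixes and addresses
are constructed documentation/ULA values.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for the connection-initiating SYN

    def flow(self):
        return (self.src, self.dst, self.sport, self.dport)


class CPE:
    """NAT66 box: stateless prefix rewrite between the site's internal
    prefix and one ISP's PA prefix (assumed model; no per-flow state)."""

    def __init__(self, name, internal, external):
        self.name = name
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)

    @staticmethod
    def _swap_prefix(addr, src_net, dst_net):
        host_bits = int(ipaddress.IPv6Address(addr)) & int(src_net.hostmask)
        return str(ipaddress.IPv6Address(int(dst_net.network_address) | host_bits))

    def outbound(self, pkt):
        """Host -> Internet: source gets this ISP's prefix."""
        return replace(pkt, src=self._swap_prefix(pkt.src, self.internal, self.external))

    def inbound(self, pkt):
        """Internet -> host: destination mapped back to the internal prefix."""
        return replace(pkt, dst=self._swap_prefix(pkt.dst, self.external, self.internal))


class Endpoint:
    """A TCP stack reduced to the check that matters here: every non-SYN
    segment must match a 5-tuple learned when the connection was set up."""

    def __init__(self, addr):
        self.addr = addr
        self.connections = set()

    def connect(self, pkt):
        """Originate a connection: remember the 5-tuple replies must carry."""
        self.connections.add((pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return pkt

    def receive(self, pkt):
        if pkt.dst != self.addr:
            return "dropped: not addressed to %s" % self.addr
        if pkt.syn:
            self.connections.add(pkt.flow())
            return "accepted: new connection"
        if pkt.flow() in self.connections:
            return "accepted"
        return "dropped: no connection for source %s" % pkt.src

    @staticmethod
    def reply(pkt):
        """Reverse-direction segment for a flow this endpoint received."""
        return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


HOST = "fd00:1::1"            # internal (ULA) address; the host knows only this
PEER = "2001:db8:ffff::53"    # remote IPv6-only peer
CPE_A = CPE("CPE-A", "fd00:1::/48", "2001:db8:1::/48")
CPE_B = CPE("CPE-B", "fd00:1::/48", "2001:db8:2::/48")


def outbound_without_sticky_routing():
    """Mail's first case: SYN leaves via CPE-A, a later segment via CPE-B."""
    server = Endpoint(PEER)
    syn = Packet(HOST, PEER, 40000, 443, syn=True)
    data = Packet(HOST, PEER, 40000, 443)
    return [server.receive(CPE_A.outbound(syn)),
            server.receive(CPE_B.outbound(data))]   # rerouted by ECMP/failover


def outbound_with_sticky_routing():
    """The 'small window': every segment of the host pinned to CPE-A."""
    server = Endpoint(PEER)
    syn = Packet(HOST, PEER, 40000, 443, syn=True)
    data = Packet(HOST, PEER, 40000, 443)
    return [server.receive(CPE_A.outbound(syn)),
            server.receive(CPE_A.outbound(data))]


def inbound_with_sticky_routing():
    """Mail's second case: peer connects to the host's CPE-B address, but
    the host's outgoing segments are pinned to CPE-A."""
    host, client = Endpoint(HOST), Endpoint(PEER)
    syn = client.connect(Packet(PEER, "2001:db8:2::1", 50000, 22, syn=True))
    seen_by_host = CPE_B.inbound(syn)
    host_result = host.receive(seen_by_host)
    synack = CPE_A.outbound(Endpoint.reply(seen_by_host))  # sticky: via CPE-A
    return [host_result, client.receive(synack)]


if __name__ == "__main__":
    print(outbound_without_sticky_routing())
    print(outbound_with_sticky_routing())
    print(inbound_with_sticky_routing())
```

The simulation only makes the 5-tuple mismatch observable; the host's reply in the inbound case cannot be fixed at the host because, as the mail notes, with NAT66 it never learns which global address the peer used.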
