On Oct 28, 2010, at 14:50, Keith Moore wrote:

>> Keith,
>> 
>> A complete comparison would include that, if you have a NAT66, having it 
>> stateful provides *more* privacy to users, and provides topology hiding.
> 
> true, but there are better ways than NAT of discouraging address tracking.

Maybe so, but this is not the subject here.
(The only stateless NAT66 I consider is that proposed in draft-mrw-nat66-00.) 

> a stateless NAT can still hide topology.  nothing says that a stateless 
> mapping has to be one where the prefix bits in the internal address have to 
> be a fixed offset from those in the external address.  you could generate an 
> invertable/stateless mapping by encrypting/decrypting those bits with a 
> constant key and symmetric cipher.  the mapping would still be stateless, but 
> the externally visible addresses would have an apparently random relationship 
> with the internal addresses.  
> 
>> Besides, until a convincing scenario showing that, where IPv6 FWs are 
>> available, the pros of any NAT66 outweigh the cons, I keep doubts that 
>> deploying NAT66 is a good choice. 
> 
> I share those doubts.

Good to hear.

>  But it's hard for every email message about the topic to encompass the 
> entire range of concerns that necessarily weigh into this discussion.

Sure, no problem.

> 
>> Yet, if some *users* have firm plans to deploy NAT66 anyway, some with 
>> stateful NATs, some with stateless NATs, that's up to them.
>> Under this assumption, their wish to standardize these NATs is obviously 
>> legitimate.

> strongly disagree.  the desire to standardize mechanisms that are known to do 
> harm to applications is not legitimate.  nor is this consistent with 
> long-established IETF standardization criteria.

I was implicitly assuming that their proposed design wouldn't break anything 
for any user of their very specific sites (no incoming connections 
foreseen...), and wouldn't break anything for users of other sites.

Note that, if I detect that a proposed specification breaks something that 
works today, like the NAT66-6to4 combination does break current uses of 6to4, I 
do argue against it (see the "Reasons not to endorse NAT66/6to4" discussion in 
v6ops.)


In summary we seem to agree more than we disagree, right?

Regards,
RD


> 
> Keith
> 


_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
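The stateless-but-random mapping Keith describes above (encrypting the prefix bits with a constant key and a symmetric cipher) worked through as an added example. This is illustration code written for this page, not code from the list, from draft-mrw-nat66, or from any NAT66 implementation. The 16 subnet bits between a site's /48 and its /64s are passed through a small keyed Feistel cipher whose round function is HMAC-SHA256 (a stand-in for "a symmetric cipher"), so the translator keeps no per-flow state and the mapping is exactly invertible, yet external subnet numbers bear no visible relationship to internal ones. The key, prefixes and addresses are made up for the example.

```python
"""Stateless NAT66 prefix mapping with encrypted subnet bits (illustration).

The subnet bits between the site's /48 and the /64 are run through a keyed
Feistel cipher, so the external subnet numbers look unrelated to the internal
ones while the translator keeps no per-flow state. The key, prefixes and
addresses below are constructed for this example, not taken from any draft.
"""
import hashlib
import hmac
import ipaddress

ROUNDS = 4  # four Feistel rounds (Luby-Rackoff) give a strong pseudorandom permutation


def _round_fn(key: bytes, rnd: int, half: int, half_bits: int) -> int:
    """Keyed round function: HMAC-SHA256(key, rnd || half) truncated to half_bits."""
    msg = bytes([rnd]) + half.to_bytes((half_bits + 7) // 8, "big")
    digest = hmac.digest(key, msg, hashlib.sha256)
    return int.from_bytes(digest, "big") & ((1 << half_bits) - 1)


def feistel_encrypt(key: bytes, value: int, nbits: int) -> int:
    """Permute an nbits-wide integer (nbits must be even) under a constant key."""
    if nbits <= 0 or nbits % 2 or not 0 <= value < (1 << nbits):
        raise ValueError("nbits must be a positive even width and value must fit in it")
    hb = nbits // 2
    left, right = value >> hb, value & ((1 << hb) - 1)
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, rnd, right, hb)
    return (left << hb) | right


def feistel_decrypt(key: bytes, value: int, nbits: int) -> int:
    """Inverse of feistel_encrypt: the same rounds applied in reverse order."""
    if nbits <= 0 or nbits % 2 or not 0 <= value < (1 << nbits):
        raise ValueError("nbits must be a positive even width and value must fit in it")
    hb = nbits // 2
    left, right = value >> hb, value & ((1 << hb) - 1)
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(key, rnd, left, hb), left
    return (left << hb) | right


def translate(addr: str, from_prefix: str, to_prefix: str, key: bytes,
              outbound: bool = True) -> str:
    """Rewrite the routing prefix and encrypt (outbound) or decrypt (inbound)
    the subnet bits. The 64-bit interface identifier passes through unchanged."""
    ip = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    if src.prefixlen != dst.prefixlen or src.prefixlen >= 64:
        raise ValueError("prefixes must have equal length shorter than /64")
    subnet_bits = 64 - src.prefixlen
    n = int(ip)
    iid = n & ((1 << 64) - 1)
    subnet = (n >> 64) & ((1 << subnet_bits) - 1)
    cipher = feistel_encrypt if outbound else feistel_decrypt
    new_subnet = cipher(key, subnet, subnet_bits)
    out = int(dst.network_address) | (new_subnet << 64) | iid
    return str(ipaddress.IPv6Address(out))


def is_permutation(key: bytes, nbits: int) -> bool:
    """True if the mapping is a bijection over all 2**nbits subnet values,
    i.e. stateless, invertible and collision-free for this key."""
    seen = {feistel_encrypt(key, v, nbits) for v in range(1 << nbits)}
    return len(seen) == (1 << nbits)


# Constructed example configuration (hypothetical key and prefixes)
KEY = b"site-constant-nat66-key"     # the constant key Keith mentions
INTERNAL = "fd00:1234:5678::/48"     # ULA prefix used inside the site
EXTERNAL = "2001:db8:1::/48"         # documentation prefix seen outside


if __name__ == "__main__":
    for inside in ("fd00:1234:5678:1::1", "fd00:1234:5678:2::1",
                   "fd00:1234:5678:3::1"):
        outside = translate(inside, INTERNAL, EXTERNAL, KEY, outbound=True)
        back = translate(outside, EXTERNAL, INTERNAL, KEY, outbound=False)
        print(f"{inside} -> {outside} -> {back}")
```

Running it shows consecutive internal subnets (1, 2, 3) landing on scattered external subnets and coming back exactly, with `is_permutation(KEY, 16)` confirming there are no collisions across the whole /48. Two caveats a practitioner would want: unlike the mapping in draft-mrw-nat66, this one is not checksum-neutral, so a real translator would also have to fix up transport checksums; and because the key is constant, a given internal subnet always maps to the same external subnet, which hides the internal numbering plan but does not by itself prevent address tracking over time.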
