On Oct 30, 2010, at 4:22 PM, Keith Moore wrote: > If the authors can see their way to putting in some sort generalizable > support for letting hosts/apps find out their external/global addresses (by > generalizable, I mean a protocol that can be extended for stateful NA[p]T and > NA[p]T between v4 and v6 also), I'm inclined to support it.
I'm not at all opposed to doing that, and have already contacted the behave chairs for advice. I actually do think that's a protocol, separate from the function of the translator, but I have no problem with its existence. I do have a question why; from statements made in this forum, the reason seems to be "in order to populate dynamic dns correctly" and "in order to know the external address(es) of a peer that I will refer sessions to". Is that a correct summary? I do have a problem with one aspect of that, though, which is that you want the mechanism to be the same for stateful translators that will potentially come up up with a different TCP four-tuple per session AND apply to the stateless (configured but no dynamic state, with no port translation) version. With NAT66 as specified, you can do this once and know the values until you have a change of hardware or your company has a change of contract. If you're doing NA(P)T and the NAT is configured with a set of addresses on its public side, you have to do it per session. I'm not convinced you want the same solution for both. I understand why you would like me to provide one, but I'm honestly not sure you really want one. Think that assymetry through and tell me that you really want to design your software so that something you can do daily or weekly has to be done for each of the 10-20 sessions that potentially open when you click on a web link, and I'll think about that. I continue to wonder - if remote systems find it adequate to do a reverse DNS lookup to validate an IP address by associating it with a DNS name, why local systems can't do a DNS query "once and know the values until the peer has a change of hardware or your company has a change of contract" to find what addresses that name might have associated with it. No, not a great idea per session. But I'm not looking at something that changes per session. If that's not adequate - and no, I don't accept "it's not adequate" as an answer, I'd really like an explanation, because I don't see why not in the stateless case - then I find myself thinking in terms of ICMP or something akin to it. If I could send a datagram that would follow the same path to the same DMZ, perhaps as an anycast or multicast, and get zero or more responses saying "I would have changed your source address to []", would that be adequate? _______________________________________________ nat66 mailing list [email protected] https://www.ietf.org/mailman/listinfo/nat66
