moving to IPv6

"Sean M. Doran" <> writes:

The thing that amazes me about people who are fans of IPv6
is that they have realized that NAT is THE fundamental
scaling technology for the Internet.

I would probably be tarred as being a fan of IPv6, and this
realization is news to me.

What I do think is clear is that NAT has some very immediate
short-term benefits. What I am very much less clear about is what
happens long term. NAT "fixes" some immediate problems by pushing
those problems elsewhere (e.g., your observation later that higher
layers better not violate certain assumptions). Whether the problems
that crop up elsewhere are easier to solve than the current ones
(e.g. CIDR-style forced renumbering) is IMO an open question.

The technical goal is that end to end services will work,
period, in all cases. This is possible provided that the
higher order protocols do not make invalid assumptions
about the transport layer. Most importantly, just as CIDR
requires that protocol implementations respect that IP
addresses may change over time, NAT as THE new fundamental
scaling technology requires that protocol implementations
respect that IP addresses may change over space as well.

OK. So IPSec and most other security protocols are botched?
Fundamentally, security likes the idea that it trusts no one other
than the originator of data and the ultimate destination of data. That
means no one in between should be able to examine the data, much less
modify any of it. That includes NATs rewriting addresses. IPSec (and
DNSSEC) do not allow addresses to be rewritten in packets. Full Stop.


Not to be contentious, but there are valid reasons why
"addresses" should be very visible to the network and
potentially subject to modification. Just offhand,
the ability to prevent malicious attacks and hunt down
fraud are valid reasons on their own for visibility
for network operations.

I agree 100% when it comes to payload, but network
addresses serve the network as much as the packet.
To the extent that we start deploying networks with
more functionality (such as mail relaying and web
caching), then the same logic applies to DNS names.


It might be useful to take into account where the explosion
in IP addressable devices is supposed to come from.

Embedded devices don't usually need globally unique addresses,
i.e. my house might have a globally unique address, but my toaster
won't. And my VCR can just go through NAT to update its TV
schedule at night.

Web servers no longer need globally unique addresses for
every virtual website. These addresses will become available
again in the next couple years.

Web browsers certainly don't need globally unique addresses.

My guess is that IPv4 will tide us over until photonic routing
changes the rules of the game in 5-10 years anyway.


At the risk of stating the obvious, an observation about
NAT and security...

The problem is that IP addresses have overloaded semantics.
Security needs an identifier. NAT and routing need locators.
At present IP addresses serve both functions. We need to
move to a world where locating a node is decoupled from
identifying a node. In such a world, NAT could happen without
causing IPsec to get broken by the NAT function.

The overloaded semantics are broken. Noel has probably been
the most outspoken in making this observation, but others
have also noted the issue.
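The two technical claims in this thread, that a NAT rewriting addresses breaks IPsec's integrity check, and that binding the check to an identifier rather than a locator would let NAT and IPsec coexist, are shown below as an added Python example that is not part of the thread and is nobody's posted code. It builds a real IPv4 header, computes an AH-style ICV over the immutable header fields plus payload, then applies what a router does (TTL decrement) and what a NAT does (source rewrite). The ICV algorithm (HMAC-SHA256 truncated to 12 bytes), the shared key, the omission of the AH header itself, the host identifier and the packet contents are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumptions for the example: a pre-shared key and a truncated HMAC-SHA256
# ICV. Real AH negotiates the algorithm and keys through IKE; the AH header
# itself is left out here and the ICV is simply carried alongside the packet.
KEY = b"shared-key-between-the-two-endpoints"  # constructed
ICV_LEN = 12


def ip_checksum(hdr):
    """RFC 1071 one's-complement checksum of a 20-byte IPv4 header,
    computed with the checksum field treated as zero."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:20]
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, ttl=64, proto=51):
    """20-byte IPv4 header (no options) with a valid header checksum.
    Protocol 51 is AH; only the number is used here."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_icv(hdr, payload):
    """AH-style ICV: MAC over the IP header with the mutable fields zeroed
    (ToS, flags/fragment offset, TTL, checksum) plus the payload.
    Source and destination addresses are immutable in AH, so they are covered."""
    fixed = bytearray(hdr[:20])
    fixed[1] = 0                    # ToS / DSCP
    fixed[6:8] = b"\x00\x00"        # flags + fragment offset
    fixed[8] = 0                    # TTL
    fixed[10:12] = b"\x00\x00"      # header checksum
    return hmac.new(KEY, bytes(fixed) + payload, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(packet, icv):
    return hmac.compare_digest(ah_icv(packet[:20], packet[20:]), icv)


def decrement_ttl(packet):
    """What an ordinary router does: TTL minus one, checksum refreshed."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def nat_rewrite_source(packet, new_src):
    """What a NAT does: rewrite the source address, refresh the IP checksum.
    It holds no key, so it cannot recompute the ICV."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def id_bound_icv(host_id, payload):
    """Toy identifier-bound check (not a real protocol): the MAC covers a
    stable host identifier and the payload, and never the locator."""
    return hmac.new(KEY, host_id + payload, hashlib.sha256).digest()[:ICV_LEN]


def demo():
    payload = b"constructed payload: GET /tv-schedule\r\n"  # constructed
    inner_src, dst, nat_src = "10.0.0.7", "192.0.2.10", "198.51.100.1"
    pkt = build_ipv4_header(inner_src, dst, len(payload)) + payload
    icv = ah_icv(pkt[:20], payload)
    natted = nat_rewrite_source(pkt, nat_src)
    host_id = hashlib.sha256(b"host identity, constructed").digest()[:16]
    tag = id_bound_icv(host_id, payload)
    stored_ck = struct.unpack("!H", natted[10:12])[0]
    return {
        "ah_ok_before_nat": ah_verify(pkt, icv),
        "ah_ok_after_router_ttl": ah_verify(decrement_ttl(pkt), icv),
        "ah_ok_after_nat": ah_verify(natted, icv),
        "ip_checksum_ok_after_nat": ip_checksum(natted[:20]) == stored_ck,
        "id_bound_ok_after_nat": hmac.compare_digest(
            id_bound_icv(host_id, natted[20:]), tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The NAT leaves the packet internally consistent (the IP checksum still validates), but the receiver's AH check fails because the source address it covers has changed, while a plain TTL decrement passes. The identifier-bound variant passes either way because the locator is outside the MAC. Two caveats a practitioner would add: this is AH, whose ICV deliberately covers the addresses; ESP's ICV covers only the ESP header, payload and trailer, not the outer IP header, which is why UDP-encapsulated ESP could later be carried through NATs (transport-mode TCP and UDP checksums still depend on the addresses, so even ESP is not fully NAT-transparent). And the identifier/locator split argued for in the last message was later standardized in the Host Identity Protocol (RFC 7401); the toy scheme above is only an illustration of the idea, not that protocol.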