Overloaded semantics (was Re: moving to IPv6)

rja@corp.home.net (Ran Atkinson) writes:

At the risk of stating the obvious, an observation about
NAT and security...

The problem is that IP addresses have overloaded semantics.
Security needs an identifier. NAT and routing need locators.
At present IP addresses serve both functions. We need to
move to a world where locating a node is decoupled from
identifying a node. In such a world, NAT could happen without
causing IPsec to get broken by the NAT function.

The overloaded semantics are broken. Noel has probably been
the most outspoken in making this observation, but others
have also noted the issue.

The notion of separating identifiers from locators most certainly
would make *SOME* things easier to do. But doing so also creates *NEW*
and *DIFFERENT* problems in other places in the TCP/IP
architecture. It is not at all obvious to me that those other problems
are any easier to deal with in practice. They certainly aren't trivial
to deal with, in any case.

Consider Mike O'Dell's 8+8 proposal made to the IPv6 group a year ago
or so. That proposal was a partial step in doing such a separation.
There were some practical reasons why 8+8 was not adopted. See
draft-ietf-ipngwg-esd-analysis-01.txt for more details, especially
Section 4.