Subject: Re: IPv6 Comment
To: None <>
From: Sean Doran <>
List: current-users
Date: 09/01/2000 19:10:43
| That is simply not true.  NAT, in order to map one to many or many to
| few, must translate based on address, some-other-key, which is generally
| "port number" for TCP and UDP.

Oh great, so now NAT is not just ALG, it is also PAT?

There is no particular reason to go one-to-many/many-to-few; what
NAT (and *STRICTLY* NAT) does is allow you to do three things:
	1/ rapid renumbering of everything "inside" the NAT
	   by changing "outside" addresses and causing all new
	   exchanges to use the new "outside" addresses.  Nothing
	   inside ever needs to know or adapt.
	2/ selectively hide or expose "inside" devices to the
	   outside world.  No mapping, no connectivity.
	   There are lots of little things in many networks
	   that don't need outside exposure.
	3/ as an extension of 1 & 2, you can compress your
	   address utilization down to _exactly_ the number
	   of things "inside" which need to talk to "outside".

No PAT, no ALG; we JUST rewrite IP headers.

What *you* are saying NAT does is added-feature stuff that is
often associated with devices which perform Network Address Translations,
since NAT is not very difficult or sexy, breaks some NAT-unfriendly 
protocols, and doesn't in itself allow for compressing address
utilization to LESS than the number of things "inside" which need
to communicate with the outside.

PAT is gross & ugly, but is driven by the inability to have the
"smtp" port number for one DNS name be different than the "smtp" 
port number for another host name from the perspective of a host 
doing a getservbyname(3) call.   Otherwise, you might see something
like     	     IN MX 1      IN  A IN PORT  25

It would be OK to have such an RR simply override a local default
(e.g., one's /etc/services file's contents), but no work has been
done on virtualizing this part of a connection name in EITHER
IPv4 or IPv6 (which is inherently hostile to separating name from location).

| ...and the rewriting of the IP header is also incompatible with
| integrity-ensuring protocols such as AH (which accounts for changes
| to e.g. the TTL field).

Right, but AH is stupid.
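The distinction the message draws (strict one-to-one NAT rewrites only the IP header and never looks at ports; PAT must key on address plus port and rewrite the transport header as well; an AH-style integrity check over the addresses no longer verifies after either), as an added illustration that is not Sean Doran's code and not part of the original thread. The addresses, the shared key and the packet contents are constructed for the example; the UDP checksum is left at zero (permitted for IPv4) so that only the IP header checksum has to be recomputed, and `ah_icv` is a stand-in for AH that zeroes the mutable header fields and MACs the rest rather than an implementation of RFC 2402.

```python
import hashlib
import hmac
import socket
import struct

# Added example, not from the mailing-list thread.  All addresses, ports,
# keys and payloads below are constructed.

def ip_checksum(data: bytes) -> int:
    """One's-complement sum used for the IPv4 header; 0 when a header verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) + UDP; UDP checksum left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + udp

def parse(pkt: bytes) -> dict:
    sport, dport = struct.unpack("!HH", pkt[20:24])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "payload": pkt[28:],
            "ip_ok": ip_checksum(pkt[:20]) == 0}

def _rewrite_ip(pkt: bytes, src: str, dst: str) -> bytes:
    """The only thing strict NAT touches: the two addresses and the IP checksum.
    (A real box must also fix the TCP/UDP checksum, whose pseudo-header covers the
    addresses; the zero UDP checksum here sidesteps that.)"""
    hdr = pkt[:10] + b"\x00\x00" + socket.inet_aton(src) + socket.inet_aton(dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + pkt[20:]

class StrictNat:
    """One-to-one inside <-> outside mapping.  Ports are never consulted."""
    def __init__(self, table: dict):
        self.out = dict(table)                      # inside -> outside
        self.inside = {v: k for k, v in table.items()}
    def egress(self, pkt: bytes):
        p = parse(pkt)
        if p["src"] not in self.out:
            return None                             # no mapping, no connectivity
        return _rewrite_ip(pkt, self.out[p["src"]], p["dst"])
    def ingress(self, pkt: bytes):
        p = parse(pkt)
        if p["dst"] not in self.inside:
            return None
        return _rewrite_ip(pkt, p["src"], self.inside[p["dst"]])

class Pat:
    """Many-to-one: all inside hosts share one outside address, so the translator
    must key on (inside address, inside port) and rewrite the UDP port too."""
    def __init__(self, outside: str, first_port: int = 40000):
        self.outside, self.next_port = outside, first_port
        self.fwd, self.rev = {}, {}                 # (addr, port) -> oport, oport -> (addr, port)
    def egress(self, pkt: bytes) -> bytes:
        p = parse(pkt)
        key = (p["src"], p["sport"])
        if key not in self.fwd:
            self.fwd[key], self.rev[self.next_port] = self.next_port, key
            self.next_port += 1
        pkt = _rewrite_ip(pkt, self.outside, p["dst"])
        return pkt[:20] + struct.pack("!H", self.fwd[key]) + pkt[22:]   # source port
    def ingress(self, pkt: bytes):
        key = self.rev.get(parse(pkt)["dport"])
        if key is None:
            return None
        pkt = _rewrite_ip(pkt, parse(pkt)["src"], key[0])
        return pkt[:22] + struct.pack("!H", key[1]) + pkt[24:]           # destination port

def ah_icv(pkt: bytes, key: bytes) -> bytes:
    """AH stand-in: zero the mutable fields (TOS, flags/frag, TTL, checksum) and
    MAC the rest, so the addresses are covered and any rewrite breaks the check."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0; hdr[6:8] = b"\x00\x00"; hdr[8] = 0; hdr[10:12] = b"\x00\x00"
    return hmac.new(key, bytes(hdr) + pkt[20:], hashlib.sha256).digest()

def demo() -> dict:
    key = b"constructed-shared-key"
    pkt = build_packet("10.0.0.7", "192.0.2.1", 5353, 25, b"EHLO")
    icv = ah_icv(pkt, key)
    nat, pat = StrictNat({"10.0.0.7": "198.51.100.7"}), Pat("198.51.100.1")
    out_nat, out_pat = nat.egress(pkt), pat.egress(pkt)
    return {
        "nat": parse(out_nat), "pat": parse(out_pat),
        "nat_ah_ok": hmac.compare_digest(ah_icv(out_nat, key), icv),
        "unmapped_dropped": nat.egress(build_packet("10.0.0.9", "192.0.2.1", 1, 25, b"")) is None,
        "nat_back": parse(nat.ingress(build_packet("192.0.2.1", "198.51.100.7", 25, 5353, b"250"))),
        "pat_back": parse(pat.ingress(build_packet("192.0.2.1", "198.51.100.1", 25, 40000, b"250"))),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows the strict NAT output carrying the original source port untouched with a valid IP checksum, the PAT output carrying a freshly allocated outside port, an unmapped inside host getting nothing at all (the message's point 2), and the AH-style check failing on the NAT-rewritten packet even though the payload is unchanged, which is the conflict the quoted reply refers to.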