Subject: Re: IPv6 Comment
To: Sean Doran <firstname.lastname@example.org>
From: Greywolf <email@example.com>
Date: 09/01/2000 22:02:12
On Fri, 1 Sep 2000, Sean Doran wrote:
# is writes:
# | Yes, but changing the address means more complex protocols are broken.
# | FTP through NAT boxes only works via a special hack in the NAT.
# Hopefully I can clarify rather than just repeat.
# Your "NAT" is a device, a computer that is often general-purpose.
# In the computer there is a process which translates network addresses
# algorithmically from "inside" ones to "outside" ones, rewriting only
# the IP addresses and nothing else. "Network Address Translation" = "NAT".
The problem is that if you have NAT = "Network Address Translation",
you're doing a one-to-one mapping between external and internal addresses.
Most people don't have a /29, let alone a /24, to use for that kind of
scaling. Thus NAT has turned into the PAT/ALG solution we see it used
for, instead of the internal <--> external mapping for which, I assume,
it was originally intended.
# In the computer there may ALSO be other processes which do other things.
# For example, the "special hack" needed for FTP is a process called an ALG,
# which performs translations of things other than the IP header, or even
# does an intercept/terminate/proxy, engaging in two separate conversations.
This is just wrong, IMHO. Not your statement, but the concept and practice
# | talk through NAT boxes doesn't work to my knowledge, unless somebody
# | has implemented the special hack for talk.
# That's right, Application-Layer Gateways are by their nature
# application specific.
So a NAT box is really a gateway. Hmm.
# | IRC dcc through NAT boxes ... etc etc.
# Again, another application (IRC), another ALG.
# | Not to talk about protocols which aren't invented yet.
# Anyone who develops NAT-unfriendly protocols in this day
# of a NAT-filled Internet is terribly ignorant or terribly stubborn.
Anyone who thinks that relying on NAT will solve their addressing issues
with no after-effects has just had cider squirted in their ear[*].
# | NAT simply isn't part of the solutions, but of the problem.
# NAT breaks NAT-unfriendly protocols, like talk/IRC dcc/ftp, which
# encode IP addresses in the data stream, rather than DNS names.
# ALGs are indeed hacks one can use to make such NAT-unfriendly
# process work in the presence of NAT.
# My contention is that NAT-unfriendly protocols are broken,
# and should be fixed to use DNS names rather than IP addresses
# in the data stream.
That is inherently insecure since someone can possibly inject a name-
server-switcheroo into the route somewhere. It also has the possibility
of causing security problems for programs that insist on doing reverse
name lookups for authentication (IRC happens to be one of them; many
sites who use the 128-bit https stuff are other examples). Maybe I'm
thinking of traffic in the wrong direction, I could be, I don't know.
On the Internet, reference by name as opposed to reference by value
is, in general, not widely regarded as being too bright.
I, for one, wish that IPv6 would make an earthshaking appearance so
we can settle this thing once and for all. If I'm not mistaken,
128 bits wide of address space could give every person and their pet
on the planet their own /84, at least, and still have plenty left over
for when 95% of the planet's surface is covered with people.
Now all we'd have to do is keep an org like ARIN or RIPE from glomming on
to all the addresses and charging an arm and a leg for an individual /64.
My other computer runs BSD
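The distinction the thread argues over (a NAT that rewrites only the IP header versus the PAT-plus-ALG arrangement that real deployments ended up with) is easier to see in a small model. The following is an added example, not code from either poster: a toy one-to-one NAT, a toy PAT that shares one outside address by allocating outside ports, and a toy FTP ALG that rewrites the private address a client embeds in its PORT command. The classes, functions and all addresses (10.0.0.5, 203.0.113.1, 198.51.100.7) are constructed for this illustration and do not describe any particular NAT product.

```python
"""Toy NAT / PAT / FTP-ALG model (constructed example; not a real implementation)."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


def is_rfc1918(ip):
    """True for the RFC 1918 private ranges 10/8, 172.16/12 and 192.168/16."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


class OneToOneNAT:
    """Static NAT: every inside address has its own outside address.
    Only the IP header's source address is rewritten; ports and payload are untouched."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)

    def outbound(self, pkt):
        if pkt.src not in self.mapping:
            raise LookupError(f"no outside address for {pkt.src}")
        return Packet(self.mapping[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.payload)


class PAT:
    """Port address translation: many inside hosts share one outside address and
    the box tells flows apart by the outside source port it hands out."""

    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table = {}    # (inside_ip, inside_port) -> outside_port
        self.reverse = {}  # outside_port -> (inside_ip, inside_port)

    def allocate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.table[key]

    def outbound(self, pkt):
        port = self.allocate(pkt.src, pkt.sport)
        return Packet(self.outside_ip, port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        key = self.reverse.get(pkt.dport)
        if key is None:
            return None  # no state for this port: the box has nowhere to send it
        return Packet(pkt.src, pkt.sport, key[0], key[1], pkt.payload)


def encode_port_cmd(ip, port):
    """FTP PORT command: the client's own address and port, carried in the data stream."""
    return f"PORT {','.join(ip.split('.'))},{port // 256},{port % 256}\r\n"


def decode_port_cmd(payload):
    f = payload.strip().split(" ", 1)[1].split(",")
    return ".".join(f[:4]), int(f[4]) * 256 + int(f[5])


def ftp_alg_outbound(pat, pkt):
    """ALG: translate the header as PAT does AND rewrite the PORT payload, pre-installing
    a mapping so the server's data connection can be delivered back inside."""
    out = pat.outbound(pkt)
    if out.payload.startswith("PORT "):
        inside_ip, inside_port = decode_port_cmd(out.payload)
        out.payload = encode_port_cmd(pat.outside_ip, pat.allocate(inside_ip, inside_port))
    return out


def demo():
    client, server = "10.0.0.5", "198.51.100.7"  # constructed sample addresses
    # Static one-to-one NAT: source address swapped, nothing else touched.
    static = OneToOneNAT({client: "203.0.113.5"}).outbound(Packet(client, 3456, server, 21))
    port_cmd = Packet(client, 3456, server, 21, encode_port_cmd(client, 3457))

    # Plain PAT: header rewritten, payload not, so the server reads a private address.
    plain_target = decode_port_cmd(PAT("203.0.113.1").outbound(port_cmd).payload)

    # PAT plus FTP ALG: payload rewritten, mapping pre-installed for the data connection.
    pat_alg = PAT("203.0.113.1")
    alg_target = decode_port_cmd(ftp_alg_outbound(pat_alg, port_cmd).payload)
    data_conn = pat_alg.inbound(Packet(server, 20, alg_target[0], alg_target[1]))

    return {
        "static_src": (static.src, static.sport),
        "plain_target": plain_target,
        "plain_reachable": not is_rfc1918(plain_target[0]),
        "alg_target": alg_target,
        "alg_data_conn": (data_conn.dst, data_conn.dport) if data_conn else None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the three cases side by side: the static NAT changes only the source address, the plain PAT leaves "PORT 10,0,0,5,13,129" in the stream so the server would try to reach an RFC 1918 address, and the ALG both rewrites that line to the outside address and creates the table entry that lets the server's inbound data connection through. The ALG is, as the thread says, specific to FTP's syntax; a protocol that carried the address some other way would need its own rewriter.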