Subject: status of RSIP? was Re: Bridge support added to NetBSD-current
To: None <current-users@netbsd.org>
From: Danny Thomas <D.Thomas@its.uq.edu.au>
List: current-users
Date: 08/24/2001 13:33:09
>> On Sun, Aug 19, 2001 at 02:31:08PM -0400, James Sharp wrote:
>> > I don't have the IP space to burn. A /28 at home, 16 addresses, 14
>> > usable, 13 machines running. Adding a FDDI/ethernet router would burn 6
>> > of those addresses for network, broadcast, and router interface addresses.
>>
>> Is there some reason that NAT won't fix this problem?
>
>Yes. Kerberos doesn't play well with NAT. There's ways around it, but
>they're ugly and kludgy. There's also the fact that these machines are
>production web/mail/DNS/file/cvs servers that bring in quite a chunk of
>change every month and I don't feel like trying to set up some really
>hairy NAT forwarding rules to put them behind NAT.

RFC 3027 covers protocols, like Kerberos, which are not NAT-friendly.

One approach, which hasn't even made it to an RFC yet, is RSIP (Realm
Specific IP), in which the host uses a temporary public address while
creating/using a connection, so no NATting is required.
See
    draft-ietf-nat-rsip-framework-05.txt
    draft-ietf-nat-rsip-ipsec-04.txt
    draft-ietf-nat-rsip-protocol-07.txt
    draft-ietf-nat-rsip-slp-00.txt
from your local internet-drafts mirror.

I've seen some interest from IPv6 people towards RSIP, because you can't
gain the address-space advantage of IPv6 while requiring dual-stacks, i.e.
public IPv6 & IPv4 addresses. Of course some of the NAT-unfriendly
protocols aren't(?) yet specified for IPv6.

Unfortunately, RSIP is the thing I didn't finish learning-up on while
writing my overview of IPv6 for a local networking conference.
    http://uqnet.its.uq.edu.au/IPv6/IPv6_Overview.html
So I'd be grateful to hear from people who know how it's going.

cheers,
Danny Thomas