[Cryptography] peering through NAT
huitema at huitema.net
Fri May 10 23:06:56 EDT 2019
On 5/10/2019 4:23 PM, John Denker wrote:
> On 5/9/19 10:00 PM, Christian Huitema wrote:
>> The technique was standardized
>> by the IETF in STUN (RFC 5389, 2003).
> Somewhat off-topic, but less so than the rest of this thread....
It *is* off topic; I wonder why the moderators are not cutting that off.
> As Hugh Daniel was fond of pointing out, NAT is an abomination.
> It is a sad commentary on the whole industry that we are even
> discussing it.
> There is a STUN RFC from 2003, but there is an IPv6 RFC from
> 1995. IPv6 was already widely supported in the early 00s
> e.g. by windows 2000.
> It should have been obvious for many years now that every box
> that does NAT should do native IPv6 if available, and should
> terminate 6to4 (or 6rd) tunnels otherwise. This is how
> every network I've set up in the last 15 years has done it.
> a) IPv6 makes a great many NAT-related questions moot.
> Every client on the subnet behind the NAT box can have
> its own globally-routable address.
> b) It also simplifies IPsec deployment.
> c) Note that (a) and (b) are not unrelated.
If I were king, that would have happened years ago. But you know, rough consensus and running code and all that. Perry tried to precipitate the movement with whisky shots and toasts to the universal deployment of IPv6, but that was not too successful either.
It took some time for IPv6 to ship on most platforms -- Windows only got a production-ready version in 2003. In between, NAT became entrenched. Something to do with business models. NAT was giving you an immediate tangible benefit: connect several computers while paying just one ISP bill. The economic incentives were well aligned: the customer shells out maybe $100 for a device and recovers the price in a few months by saving on the ISP bill. The economic incentives of IPv6 were much more "long term", to use a euphemism.
> When will NAT-box manufacturers get with the program?
> You'd think this would be a selling point.
> What in the name of Godot are they waiting for?
At this point, they are waiting for explicit requirements from ISPs. It is getting there, because it turns out that Net 10 + Carrier Grade NAT does not work well if you have more than 16M customers. With IPv4, ISPs cannot give a unique address to each of their customers' premises equipment, and that makes network management very costly. The same thing is happening in big data centers.
But then, having a unique stable address/identifier for each device has some pretty nasty privacy implications. It is not hard to find privacy advocates who believe that Carrier Grade NAT is great, because it lets people hide.
-- Christian Huitema