On 10/21/10 6:38 PM, Owen DeLong wrote:
On Oct 21, 2010, at 3:42 PM, Jack Bates wrote:
On 10/21/2010 5:27 PM, Joel Jaeggli wrote:
Announce your gua and then blackhole it and monitor your prefix. you can tell if you're leaking. it's generally pretty hard to tell if you're leaking rfc 1918 since your advertisement may well work depending on the filters of your peers but not very far.
This is always the argument I hear from corporate customers concerning wanting NAT. If a mistake is made, the RFC 1918 space isn't routable. They often desire the same out of v6 for that reason alone.
the rfc 1918 space is being routed inside almost all your adjacent networks, so if their ingress filtering is working as expected, great, but you're only a filter away from leaking.
Given the number of times and the distance over which I have seen RFC-1918 routes propagate, this belief is false to begin with, so, removing this false sense of security is not necessarily a bad thing.
this happened this morning in a pop we have in the far east... packets ended up in atlanta. what's more, the return path was natted.
I personally could understand the fear of wondering if your stateful firewall is properly working and doing its job and how a simple mistake could have disastrous effects that NAT systems usually don't have. ULA w/ NAT very well may become the norm.
I tend to doubt that it will... Hopefully there will be enough proper deployments that developers will not eschew improvements that depend on an end-to-end model and there will be real features unavailable to any network that deploys such relatively quickly.
The tragedy won't be networks deploying NAT. I'm all for allowing you to buy a gun, ammunition, and aim at your foot or head as you wish.
The tragedy will be if enough networks do this to hobble development of truly useful tools that depend on a NAT-free environment to work.
Owen
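The thread's point is that RFC 1918 and ULA space is "only a filter away from leaking", so a receiving network wants to check its own tables for it. The following is an added example (not code from any participant in this thread) that scans a constructed, simplified "prefix next-hop as-path" route dump for prefixes inside RFC 1918 or the IPv6 ULA block (fc00::/7) and reports which origin AS leaked them; the dump format and the sample routes are assumptions for illustration.

```python
import ipaddress

# Address space that should never be accepted from a peer:
# RFC 1918 private IPv4 blocks and IPv6 Unique Local Addresses (fc00::/7).
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample dump: "prefix next-hop as-path" per line (documentation
# prefixes and private ASNs only; not a real routing table).
SAMPLE_ROUTES = """\
203.0.113.0/24 192.0.2.1 64496 64497
10.20.0.0/16 192.0.2.1 64496 64498
172.20.5.0/24 192.0.2.9 64499
2001:db8:100::/40 2001:db8::1 64496
fd12:3456:789a::/48 2001:db8::9 64499 64500
192.168.1.0/24 192.0.2.1 64496
"""

def parse_routes(text):
    """Parse the assumed dump format into dicts with prefix, next_hop, as_path."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:          # skip blank or malformed lines
            continue
        routes.append({
            "prefix": ipaddress.ip_network(parts[0], strict=False),
            "next_hop": parts[1],
            "as_path": parts[2:],
        })
    return routes

def find_leaks(routes):
    """Return routes whose prefix lies inside, or covers, a non-routable block."""
    leaks = []
    for r in routes:
        for bad in NON_ROUTABLE:
            if r["prefix"].version != bad.version:   # subnet_of() needs same family
                continue
            if r["prefix"].subnet_of(bad) or r["prefix"].supernet_of(bad):
                leaks.append(r)
                break
    return leaks

def leaking_origins(routes):
    """Map origin AS (last element of the AS path) to the leaked prefixes it originated."""
    by_origin = {}
    for r in find_leaks(routes):
        by_origin.setdefault(r["as_path"][-1], []).append(str(r["prefix"]))
    return by_origin
```

Running `leaking_origins(parse_routes(SAMPLE_ROUTES))` on the sample flags the four private/ULA prefixes and attributes each to its origin AS, which is the information needed to chase the missing filter on the peering in question.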