Re: NAT etc. (was: Spam Control Considered Harmful)
"Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us> writes:
This is a question of _trust_, and if I don't wish to allow the operator of a NAT box to proxy my trust in a nameserver operator, there really isn't any good way around that.
You could change your connectivity such that there is no NAT between you and the set of nameservers from which you feel you must have untouched responses. In a "NAT Everywhere" world with a sufficiently large set of such nameservers this may be completely impractical.

Given that not trusting the DNS is the default mode of operation for the current Internet, the question is whether the advantages of NAT justify a constraint on DNSSEC or whether the advantages of DNSSEC justify a constraint on NAT.

The problem seems simpler with a "NAT in some places" model, especially where "some places" is mostly at the borders of big corporations; however, strings of NATs do and will happen, and there will be these trust issues to deal with in some places anyway.

I would prefer to avoid constraining the problem just because it makes the NIMBY folks more quiescent, to be honest, since it rankles as much as the concept of "only some people have to renumber to conserve address space and preserve the scalable properties of hierarchical routing. We won't, we're privileged (or too big or too understaffed)".

Like renumbering, NAT is out there, and making it seamless and easy strikes me as a good and useful goal, even if it complicates other good and useful goals. One of the ways to make it and renumbering seamless is to understand that IP addresses are subject to change over time and topological distance.

Sean.
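The trust problem Sean and Jay are circling is mechanical once you look at what a DNSSEC signature covers. The Go program below is an added example, not part of the original thread and not code from any DNSSEC implementation: it signs an A RRset with Ed25519 (DNSSEC algorithm 15, RFC 8080) over a reduced RRSIG header plus the RRset in canonical form, then checks the same RRSIG against the untouched answer (listed in a different order) and against the answer after a NAT box's DNS ALG has rewritten one address. The zone name example.net, the 10.0.0.x and 192.0.2.x addresses, the fixed-seed key and the trimmed RRSIG header (no labels field, validity window or key tag) are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"net"
	"sort"
	"strings"
)

// wireName encodes a DNS name in canonical wire form (lower-case, uncompressed), per RFC 4034 section 6.2.
func wireName(name string) []byte {
	var b bytes.Buffer
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		b.WriteByte(byte(len(label)))
		b.WriteString(label)
	}
	b.WriteByte(0)
	return b.Bytes()
}

// signedData builds what the RRSIG signature covers (RFC 4034 section 3.1.8.1): the RRSIG RDATA
// minus the signature field, then the A RRset in canonical form (owner|type|class|TTL|RDLENGTH|RDATA
// per RR, RRs sorted by RDATA so answer order does not matter). The header is reduced to type covered,
// algorithm, original TTL and signer name; labels, validity window and key tag are omitted for brevity.
func signedData(signer string, ttl uint32, owner string, addrs []string) ([]byte, error) {
	rdatas := make([][]byte, 0, len(addrs))
	for _, a := range addrs {
		ip := net.ParseIP(a).To4()
		if ip == nil {
			return nil, fmt.Errorf("not an IPv4 address: %q", a)
		}
		rdatas = append(rdatas, []byte(ip))
	}
	sort.Slice(rdatas, func(i, j int) bool { return bytes.Compare(rdatas[i], rdatas[j]) < 0 })
	var msg bytes.Buffer
	binary.Write(&msg, binary.BigEndian, uint16(1)) // type covered: A
	msg.WriteByte(15)                                // algorithm 15 = Ed25519 (RFC 8080)
	binary.Write(&msg, binary.BigEndian, ttl)        // original TTL
	msg.Write(wireName(signer))
	name := wireName(owner)
	for _, rd := range rdatas {
		msg.Write(name)
		binary.Write(&msg, binary.BigEndian, [2]uint16{1, 1}) // TYPE A, CLASS IN
		binary.Write(&msg, binary.BigEndian, ttl)
		binary.Write(&msg, binary.BigEndian, uint16(len(rd)))
		msg.Write(rd)
	}
	return msg.Bytes(), nil
}

// signRRset is the zone signer's half; verifyRRset is the validator's.
func signRRset(priv ed25519.PrivateKey, signer string, ttl uint32, owner string, addrs []string) ([]byte, error) {
	msg, err := signedData(signer, ttl, owner, addrs)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

func verifyRRset(pub ed25519.PublicKey, sig []byte, signer string, ttl uint32, owner string, addrs []string) bool {
	msg, err := signedData(signer, ttl, owner, addrs)
	return err == nil && ed25519.Verify(pub, msg, sig)
}

// natRewrite models a NAT box's DNS ALG: inside addresses in the answer are swapped for
// outside ones, while the RRSIG passes through unchanged (the NAT has no zone private key).
func natRewrite(addrs []string, inside, outside string) []string {
	out := append([]string(nil), addrs...)
	for i := range out {
		if out[i] == inside {
			out[i] = outside
		}
	}
	return out
}

// demo signs a constructed RRset with a fixed-seed, test-only key and verifies it untouched
// (reordered) and after a NAT rewrite. Expected result: untouchedOK true, rewrittenOK false.
func demo() (untouchedOK, rewrittenOK bool, err error) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	const signer, owner, ttl = "example.net.", "www.example.net.", uint32(300)
	sig, err := signRRset(priv, signer, ttl, owner, []string{"10.0.0.6", "10.0.0.5"})
	if err != nil {
		return false, false, err
	}
	untouchedOK = verifyRRset(pub, sig, signer, ttl, owner, []string{"10.0.0.5", "10.0.0.6"})
	rewrittenOK = verifyRRset(pub, sig, signer, ttl, owner, natRewrite([]string{"10.0.0.6", "10.0.0.5"}, "10.0.0.5", "192.0.2.5"))
	return untouchedOK, rewrittenOK, nil
}

func main() {
	fmt.Println(demo())
}
```

Two things the run shows that the prose does not: canonical ordering means a resolver that reshuffles the RRset does not disturb the signature, but a single rewritten RDATA byte does, and the only way a NAT could make its rewrite verify is to hold the zone's signing key. That is the trust relationship the thread is arguing about; there is no middle ground where the validator accepts a "mostly" intact answer.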
On Mon, Nov 03, 1997 at 01:49:13PM -0500, Sean M. Doran wrote:
One of the ways to make it and renumbering seamless is to understand that IP addresses are subject to change over time and topological distance.
Well, yes... <sigh>, but as I've noted before, that's an assumption that the current design of the Internet does _not_ require.

Cheers,
-- jra

--
Jay R. Ashworth                          jra@baylink.com
Member of the Technical Staff            Unsolicited Commercial Emailers Sued
The Suncoast Freenet                     "Pedantry. It's not just a job, it's an adventure." -- someone on AFU
Tampa Bay, Florida                       +1 813 790 7592
Jay,
On Mon, Nov 03, 1997 at 01:49:13PM -0500, Sean M. Doran wrote:
One of the ways to make it and renumbering seamless is to understand that IP addresses are subject to change over time and topological distance.
Well, yes... <sigh>, but as I've noted before, that's an assumption that the current design of the Internet does _not_ require.
Quoting RFC2101 ("IPv4 Address Behavior Today") Section 4.2:

To summarize, since the development and deployment of DHCP and PPP, and since it is expected that renumbering is likely to become a common event, IP address significance has indeed been changed. Spatial uniqueness should be the same, so addresses are still effective locators. Temporal uniqueness is no longer assured. It may be quite short, possibly shorter than a TCP connection time.

Yakov.
On Mon, Nov 03, 1997 at 11:27:41AM -0700, Yakov Rekhter wrote:
On Mon, Nov 03, 1997 at 01:49:13PM -0500, Sean M. Doran wrote:
One of the ways to make it and renumbering seamless is to understand that IP addresses are subject to change over time and topological distance.
Well, yes... <sigh>, but as I've noted before, that's an assumption that the current design of the Internet does _not_ require.
Quoting RFC2101 ("IPv4 Address Behavior Today") Section 4.2:
To summarize, since the development and deployment of DHCP and PPP, and since it is expected that renumbering is likely to become a common event, IP address significance has indeed been changed. Spatial uniqueness should be the same, so addresses are still effective locators. Temporal uniqueness is no longer assured. It may be quite short, possibly shorter than a TCP connection time.
Um, the RFC notwithstanding, there are _acres_ of stacks out there that keep track of a connection by an {IPaddr, protocol, port} tuple, and don't expect to have to rewrite any of that during a connection. Can anyone document a stack that _does_ deal correctly with an IP address changing during a connection session? Between sessions sure... but during?

Cheers,
-- jra

--
Jay R. Ashworth                          jra@baylink.com
Member of the Technical Staff            Unsolicited Commercial Emailers Sued
The Suncoast Freenet                     "Pedantry. It's not just a job, it's an adventure." -- someone on AFU
Tampa Bay, Florida                       +1 813 790 7592
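To make the tuple point concrete, here is an added Go example (not from the original thread, and not any real stack or NAT implementation) of the state a port-translating NAT keeps, keyed on the same {IPaddr, protocol, port} pairs an end-host stack uses to find a connection. An inside host whose address changes mid-session keeps its ports and its peer, but to the NAT the new tuple is a new flow: it is assigned a fresh external port, the peer's stack holds no state for that tuple, and replies to the old mapping are still translated to the address that went away. The 10.0.x.x inside addresses and the RFC 5737 outside addresses, ports and type names are constructed for the example.

```go
package main

import "fmt"

// Proto distinguishes TCP from UDP flows.
type Proto uint8

const (
	TCP Proto = 6
	UDP Proto = 17
)

// Tuple is the {IPaddr, protocol, port} pair for both ends of a flow: the key
// under which an end-host stack (and a NAT) finds the flow's state.
type Tuple struct {
	Proto            Proto
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
}

// reverse returns the tuple of a packet travelling the opposite way.
func (t Tuple) reverse() Tuple {
	return Tuple{Proto: t.Proto, SrcIP: t.DstIP, SrcPort: t.DstPort, DstIP: t.SrcIP, DstPort: t.SrcPort}
}

// NAPT is a minimal port-translating NAT: each new inside tuple gets a fresh
// external port, and the reverse map lets replies be translated back.
type NAPT struct {
	ExtIP    string
	nextPort uint16
	out      map[Tuple]Tuple // inside tuple -> translated tuple
	in       map[Tuple]Tuple // reply tuple as seen from outside -> inside tuple
}

func NewNAPT(extIP string) *NAPT {
	return &NAPT{ExtIP: extIP, nextPort: 60000, out: map[Tuple]Tuple{}, in: map[Tuple]Tuple{}}
}

// Outbound translates a packet leaving the inside network. A tuple the NAT has
// not seen is a new flow to it, whatever the endpoints believe about the session.
func (n *NAPT) Outbound(t Tuple) Tuple {
	if x, ok := n.out[t]; ok {
		return x
	}
	x := Tuple{Proto: t.Proto, SrcIP: n.ExtIP, SrcPort: n.nextPort, DstIP: t.DstIP, DstPort: t.DstPort}
	n.nextPort++
	n.out[t] = x
	n.in[x.reverse()] = t
	return x
}

// Inbound translates a reply from outside back to the inside tuple the state
// was created for; the bool is false for unsolicited traffic, which a NAT drops.
func (n *NAPT) Inbound(t Tuple) (Tuple, bool) {
	orig, ok := n.in[t]
	if !ok {
		return Tuple{}, false
	}
	return orig.reverse(), true
}

// Outcome records what the outside peer and the old mapping see when the
// inside host's address changes during a connection.
type Outcome struct {
	PortBefore, PortAfter      uint16 // external source port the peer sees
	PeerSeesNewFlow            bool   // translated tuple changed, so the peer's state no longer matches
	OldReplyStillMapsToOldAddr bool   // replies to the old mapping go to the address that went away
}

// renumberMidConnection plays the scenario through the NAPT with constructed
// addresses (RFC 1918 inside, RFC 5737 documentation ranges outside).
func renumberMidConnection() Outcome {
	nat := NewNAPT("192.0.2.1")
	before := Tuple{Proto: TCP, SrcIP: "10.0.0.5", SrcPort: 40000, DstIP: "203.0.113.9", DstPort: 80}
	ext1 := nat.Outbound(before)
	back, _ := nat.Inbound(ext1.reverse()) // the peer's reply, translated back inside

	after := before          // same ports, same peer, same TCP session from the host's view...
	after.SrcIP = "10.0.1.5" // ...but a new source address after renumbering
	ext2 := nat.Outbound(after)

	return Outcome{
		PortBefore:                 ext1.SrcPort,
		PortAfter:                  ext2.SrcPort,
		PeerSeesNewFlow:            ext2 != ext1,
		OldReplyStillMapsToOldAddr: back.DstIP == "10.0.0.5",
	}
}

func main() {
	fmt.Printf("%+v\n", renumberMidConnection())
}
```

The NAT's table and the peer's TCP control block are the same data structure for this purpose: a map keyed by the tuple. Nothing in either has a slot for "this is the same session as that other tuple", which is why a stack that survives a mid-connection address change needs a session identifier above the tuple rather than a patch to the lookup.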
Yakov,

I think where at least I run into Sean's well-summarized position is not in the temporal non-uniqueness, but with the topological non-uniqueness. Note that temporal non-uniqueness is currently very large granularity and generally non-survivable.

Topologically non-unique addresses appear to me to compromise a fundamental principle of the Internet, and an intrinsic component of what makes it valuable. Can anyone speak to why topological non-uniqueness works and preserves the value of the system without adding so much additional per-packet complexity as to collapse under its own load at high volumes and rates?

Having to contend with separate "usage spaces" seems to me to be somewhat like being taken off the power grid - it can be done, and it will work, but it tends to require devices that are large, complex and service many people (i.e. private power stations and corporate firewalls).

Eric Carroll
eric.carroll@acm.org
Tekton Internet Associates
participants (4)
- Eric M. Carroll
- Jay R. Ashworth
- Sean M. Doran
- Yakov Rekhter