[153794] in North American Network Operators' Group


Re: IPv6 /64 links (was Re: ipv6 book recommendations?)

daemon@ATHENA.MIT.EDU (Masataka Ohta)
Wed Jun 13 01:49:26 2012

Date: Wed, 13 Jun 2012 14:47:35 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
To: davehart_gmail_exchange_tee@davehart.net
In-Reply-To: <CAMbSiYBP73eshQxXbki9XTYdBDC3KHkHKKnyoXH9voQZEBi+QA@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Dave Hart wrote:

> It is
> not transparent when you have to negotiate an inbound path for each
> service.

I mean, for applications, the global address and global port
numbers are visible.

> UPnP
> is inadequate for carrier NAT due to its model assuming the NAT trusts
> its clients.

A UPnP gateway configured with purely static port mapping needs
no security.

Assuming a shared global address of 131.112.32.132, TCP/UDP ports
100 to 199 may be forwarded to ports 100 to 199 of 192.168.1.1,
ports 200 to 299 to ports 200 to 299 of 192.168.1.2,
...

> When TCP headers are being rewritten, it's a strong hint that
> transparency has been lost, even if some communication remains
> possible.

UPnP provides information for clients to restore IP and TCP
headers from local ones back to global ones, which is visible
to applications.

See the following protocol stack.

    UPnP capable NAT GW                              Client
                                                   +---------+
                                                   | public  |
                                                   |  appli- |
                                                   | cation  |
                              information          +---------+
                +------+  for reverse translation  | public  |
                | UPnP |-------------------------->|transport|
   +---------+---------+                           +---------+
   | public  | private |                           | private |
   |transport|transport|                           |transport|
   +---------+---------+        +---------+        +---------+
   | public  | private |        | private |        | private |
   |   IP    |   IP    |        |   IP    |        |   IP    |
   +---------+-----------------------+-----------------------+
             |   private datalink    |   private datalink    |
             +-----------------------+-----------------------+

						Masataka Ohta
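A small model of the static port-range mapping scheme described in the message above, added here as an example; it is not code from the original post or from any UPnP implementation. It uses the message's own sample addresses (131.112.32.132 shared globally, 192.168.1.x privately) and its block-of-100 layout, and assumes eight private hosts (192.168.1.1 through 192.168.1.8) with ports below 100 left unmapped. The point it makes concrete is the one the reply rests on: because the mapping is fixed, the gateway never accepts a mapping request from a client, so there is nothing for a client to abuse, and a client can restore its global endpoint from its local one using the mapping parameters alone.

```python
"""Static port-range NAT on one shared global address (illustrative model).

Each private host owns one fixed block of global ports. The gateway only
rewrites the address, never the port, and refuses anything outside the
block assigned to the sending host.
"""
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Sample values taken from the message; host count and the unmapped
# low range are assumptions made for this example.
GLOBAL_ADDR = IPv4Address("131.112.32.132")
PRIVATE_BASE = IPv4Address("192.168.1.0")   # host k lives at PRIVATE_BASE + k
BLOCK_SIZE = 100                            # ports per host
FIRST_BLOCK = 100                           # ports 0-99 are not forwarded (assumption)
NUM_HOSTS = 8                               # 192.168.1.1 .. 192.168.1.8 (assumption)

Endpoint = Tuple[IPv4Address, int]


def host_for_port(port: int) -> Optional[IPv4Address]:
    """Return the private host that owns a global port, or None if unmapped."""
    last_port = FIRST_BLOCK + BLOCK_SIZE * NUM_HOSTS
    if not FIRST_BLOCK <= port < last_port:
        return None
    index = (port - FIRST_BLOCK) // BLOCK_SIZE + 1
    return PRIVATE_BASE + index


def translate_inbound(dst: Endpoint) -> Optional[Endpoint]:
    """Gateway side: rewrite the destination of a packet arriving at the
    global address. Port N maps to port N of the owning host; packets for
    unmapped ports are dropped (None) instead of being forwarded anywhere."""
    addr, port = dst
    if addr != GLOBAL_ADDR:
        return None
    host = host_for_port(port)
    return None if host is None else (host, port)


def translate_outbound(src: Endpoint) -> Optional[Endpoint]:
    """Gateway side: rewrite the source of a packet leaving a private host.
    A host may only send from ports inside its own block; a packet claiming
    another host's port is dropped, so no host can hijack a neighbour's block."""
    addr, port = src
    if host_for_port(port) != addr:
        return None
    return (GLOBAL_ADDR, port)


def reverse_translate(local: Endpoint) -> Optional[Endpoint]:
    """Client side: the 'information for reverse translation' in the diagram.
    With a static mapping the client needs only the mapping parameters, not a
    per-connection negotiation, to learn the global address and port that
    peers will see for a given local endpoint."""
    return translate_outbound(local)


if __name__ == "__main__":
    print("inbound  131.112.32.132:150 ->", translate_inbound((GLOBAL_ADDR, 150)))
    print("inbound  131.112.32.132:250 ->", translate_inbound((GLOBAL_ADDR, 250)))
    print("inbound  131.112.32.132:99  ->", translate_inbound((GLOBAL_ADDR, 99)))
    print("outbound 192.168.1.2:150    ->", translate_outbound((IPv4Address("192.168.1.2"), 150)))
    print("client   192.168.1.1:123    ->", reverse_translate((IPv4Address("192.168.1.1"), 123)))
```

The two drop cases are the security-relevant ones: an inbound packet for an unassigned port has no host to go to, and an outbound packet from a host using a port outside its block is refused, so the address-plus-port-range tuple a peer sees is always bound to exactly one private host without the gateway ever having trusted a client request.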

