[153804] in North American Network Operators' Group
Re: IPv6 /64 links (was Re: ipv6 book recommendations?)
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jun 13 09:41:49 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <4FD82977.20904@necom830.hpcl.titech.ac.jp>
Date: Wed, 13 Jun 2012 06:34:49 -0700
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: nanog@nanog.org, davehart_gmail_exchange_tee@davehart.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 12, 2012, at 10:47 PM, Masataka Ohta wrote:
> Dave Hart wrote:
>
>> It is
>> not transparent when you have to negotiate an inbound path for each
>> service.
>
> I mean, for applications, global address and global port
> numbers are visible.
>
Showing that you don't actually understand what everyone else means when
they say "end-to-end".
>> UPnP
>> is inadequate for carrier NAT due to its model assuming the NAT trusts
>> its clients.
>
> UPnP gateway configured with purely static port mapping needs
> no security.
>
> Assuming shared global address of 131.112.32.132, TCP/UDP port
> 100 to 199 may be forwarded to port 100 to 199 of 192.168.1.1,
> port 200 to 299 be forwarded to port 200 to 299 of 192.168.1.2,
> ...
>
No carrier is going to implement that for obvious reasons.
Besides, that's not transparent end-to-end, that's predictably opaque
end-to-end.
>> When TCP headers are being rewritten, it's a strong hint that
>> transparency has been lost, even if some communication remains
>> possible.
>
> UPnP provides information for clients to restore IP and TCP
> headers from local ones back to global ones, which is visible
> to applications.
>
But it doesn't work across multiple layers of NAT.
> See the following protocol stack.
>
>  UPnP capable NAT GW               Client
>                                    +---------+
>                                    | public  |
>                                    | appli-  |
>                                    | cation  |
>            information             +---------+
> +------+   for reverse translation | public  |
> | UPnP |-------------------------->|transport|
> +---------+---------+              +---------+
> | public  | private |              | private |
> |transport|transport|              |transport|
> +---------+---------+              +---------+  +---------+
> | public  | private |              | private |  | private |
> |   IP    |   IP    |              |   IP    |  |   IP    |
> +---------+-----------------------+-----------------------+
>           |   private datalink    |   private datalink    |
>           +-----------------------+-----------------------+
Now, redraw the diagram for the real world scenario:
host <-> UPnP NAT <-> Carrier NAT <-> Internet <-> Carrier NAT <-> UPnP NAT <-> host
Tell me again how the application signaling from UPnP survives through all that and comes up with correct answers?
Yeah, thought so.
Owen
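An added illustration of the point argued above, not code from either poster: a toy Python model of the purely static port-range mapping from the quoted message (ports 100-199 to 192.168.1.1, 200-299 to 192.168.1.2), run first behind a single UPnP NAT holding the quoted global address 131.112.32.132, then behind a carrier NAT. The IGD-style external-address query is modelled as `upnp_external`, which, like a real gateway, only knows its own WAN side. The addresses 100.64.5.7 (RFC 6598 shared space) and 203.0.113.10 (RFC 5737 documentation range) and the dynamic port 40000 are assumptions invented for the example.

```python
"""Toy model of a static port-range UPnP NAT alone and behind a carrier NAT.
Added example; addresses other than 131.112.32.132 and the 192.168.1.x
hosts from the quoted message are invented for illustration."""
import ipaddress

# Ranges that are not globally routable: RFC 1918 plus the RFC 6598
# shared space that carrier NATs hand out to subscriber gateways.
NON_GLOBAL = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_global(addr):
    """True if addr is outside the private and CGN shared ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_GLOBAL)


class Nat:
    """Minimal NAPT. static_ranges is a list of (lo, hi, inner_ip): WAN
    ports lo..hi forward unchanged to the same ports on inner_ip, which is
    the purely static mapping from the quoted message. Anything else gets
    a dynamic binding on a fresh WAN port, as a carrier NAT would do."""

    def __init__(self, wan_ip, static_ranges=(), first_dynamic_port=40000):
        self.wan_ip = wan_ip
        self.static_ranges = list(static_ranges)
        self.dynamic = {}               # wan_port -> (inner_ip, inner_port)
        self.next_port = first_dynamic_port

    def translate_out(self, src_ip, src_port):
        """Outbound packet: the (ip, port) the next hop sees as the source."""
        for lo, hi, inner in self.static_ranges:
            if inner == src_ip and lo <= src_port <= hi:
                return self.wan_ip, src_port          # static: port preserved
        for wan_port, binding in self.dynamic.items():
            if binding == (src_ip, src_port):
                return self.wan_ip, wan_port          # existing dynamic binding
        wan_port = self.next_port
        self.next_port += 1
        self.dynamic[wan_port] = (src_ip, src_port)
        return self.wan_ip, wan_port

    def translate_in(self, dst_ip, dst_port):
        """Inbound packet to our WAN side: inner (ip, port), or None if dropped."""
        if dst_ip != self.wan_ip:
            return None
        for lo, hi, inner in self.static_ranges:
            if lo <= dst_port <= hi:
                return inner, dst_port
        return self.dynamic.get(dst_port)

    def upnp_external(self, inner_ip, inner_port):
        """What an IGD-style external-address query reports to a client:
        this box's own WAN address and mapped port. It knows nothing about
        any further NAT between it and the Internet."""
        return self.translate_out(inner_ip, inner_port)


def deliver(path, dst_ip, dst_port):
    """Push an inbound packet through NATs listed outermost-first.
    Returns the (ip, port) finally reached, or None if some NAT drops it."""
    hop = (dst_ip, dst_port)
    for nat in path:
        hop = nat.translate_in(*hop)
        if hop is None:
            return None
    return hop


STATIC = [(100, 199, "192.168.1.1"), (200, 299, "192.168.1.2")]


def single_layer():
    """Host 192.168.1.1 behind one UPnP NAT that holds a global address."""
    home = Nat("131.112.32.132", STATIC)
    advertised = home.upnp_external("192.168.1.1", 150)
    return {"advertised": advertised,
            "global": is_global(advertised[0]),
            "reached": deliver([home], *advertised)}


def double_layer():
    """Same UPnP NAT, but its WAN side now sits in CGN space (assumed
    100.64.5.7) behind a carrier NAT (assumed 203.0.113.10) that does only
    dynamic bindings."""
    home = Nat("100.64.5.7", STATIC)
    carrier = Nat("203.0.113.10")
    # What the application "restores" its headers to, from UPnP:
    advertised = home.upnp_external("192.168.1.1", 150)
    # What a peer on the Internet actually sees once the host sends:
    actual = carrier.translate_out(*home.translate_out("192.168.1.1", 150))
    return {"advertised": advertised,
            "global": is_global(advertised[0]),
            "actual": actual,
            "reached_via_advertised": deliver([carrier, home], *advertised),
            "reached_via_actual": deliver([carrier, home], *actual)}


if __name__ == "__main__":
    print(single_layer())
    print(double_layer())
```

With one NAT, the address and port UPnP hands back (131.112.32.132:150) are global and inbound traffic to them reaches 192.168.1.1:150. Behind the carrier NAT the same query returns 100.64.5.7:150, which is neither global nor what the far end sees (203.0.113.10:40000, a dynamic binding the inner gateway never learns about and that exists only while the outbound flow keeps it alive), so headers "restored" from the inner UPnP gateway are simply wrong.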