North American Network Operators Group


Re: Overloaded semantics (was Re: moving to IPv6)

  • From: Thomas Narten
  • Date: Wed Nov 05 11:49:45 1997

[email protected] (Ran Atkinson) writes:

> At the risk of stating the obvious, an observation about
> NAT and security...

> The problem is that IP addresses have overloaded semantics.
> Security needs an identifier.  NAT and routing need locators.
> At present IP addresses serve both functions.  We need to
> move to a world where locating a node is decoupled from
> identifying a node.  In such a world, NAT could happen without
> causing IPsec to get broken by the NAT function.

> The overloaded semantics are broken.  Noel has probably been
> the most outspoken in making this observation, but others
> have also noted the issue.

The notion of separating identifiers from locators most certainly
would make *SOME* things easier to do. But doing so also creates *NEW*
and *DIFFERENT* problems in other places in the TCP/IP
architecture. It is not at all obvious to me that those other problems
are any easier to deal with in practice. They certainly aren't trivial
to deal with, in any case.

Consider Mike O'Dell's 8+8 proposal made to the IPv6 group a year ago
or so. That proposal was a partial step in doing such a separation.
There were some practical reasons why 8+8 was not adopted. See
draft-ietf-ipngwg-esd-analysis-01.txt for more details, especially
Section 4.

Thomas
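To make concrete what the thread is arguing about, the following toy model is an editor's added example; it is not code from this thread and not IPsec. It computes an HMAC over the endpoint names plus payload (a crude stand-in for an AH integrity check value, which in reality also covers other immutable header fields). In the first half the only endpoint names are the addresses, so a NAT rewriting the source address invalidates the check; in the second half the packet carries separate locators and identifiers, the check covers only the identifiers, and the same rewrite leaves it intact. The key, addresses, identifiers ("host-a", "host-b") and payload are all constructed for the example.

```python
"""Toy model: an address-covering integrity check versus one over a
separate identifier, each run through a source-address-rewriting NAT.
Added example; simplified, not IPsec AH and not from the original thread."""
import hashlib
import hmac
from dataclasses import dataclass

# Pre-shared key between the two peers (constructed for this example).
KEY = b"example-shared-key"


@dataclass
class AhPacket:
    """Packet whose only endpoint names are its addresses (today's IP)."""
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    # Stand-in for an AH-style ICV: real AH covers more header fields and
    # zeroes mutable ones, but like this model it covers both addresses.
    msg = b"|".join([src.encode(), dst.encode(), payload])
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def ah_send(src: str, dst: str, payload: bytes) -> AhPacket:
    return AhPacket(src, dst, payload, ah_icv(src, dst, payload))


def ah_verify(pkt: AhPacket) -> bool:
    return hmac.compare_digest(pkt.icv, ah_icv(pkt.src, pkt.dst, pkt.payload))


def nat_rewrite(pkt: AhPacket, public_src: str) -> AhPacket:
    # The NAT rewrites the source address and forwards everything else
    # unchanged; it holds no key, so it cannot recompute the ICV.
    return AhPacket(public_src, pkt.dst, pkt.payload, pkt.icv)


@dataclass
class SplitPacket:
    """Packet with locators (for routing and NAT) and identifiers (for security)."""
    src_loc: str
    dst_loc: str
    src_id: str
    dst_id: str
    payload: bytes
    icv: bytes = b""


def split_icv(src_id: str, dst_id: str, payload: bytes) -> bytes:
    # Only identifiers and payload are covered; locators are routing state.
    msg = b"|".join([src_id.encode(), dst_id.encode(), payload])
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def split_send(src_loc: str, dst_loc: str, src_id: str, dst_id: str,
               payload: bytes) -> SplitPacket:
    return SplitPacket(src_loc, dst_loc, src_id, dst_id, payload,
                       split_icv(src_id, dst_id, payload))


def split_verify(pkt: SplitPacket) -> bool:
    return hmac.compare_digest(
        pkt.icv, split_icv(pkt.src_id, pkt.dst_id, pkt.payload))


def split_nat_rewrite(pkt: SplitPacket, public_loc: str) -> SplitPacket:
    # Same NAT behaviour, but it only ever touches the source locator.
    return SplitPacket(public_loc, pkt.dst_loc, pkt.src_id, pkt.dst_id,
                       pkt.payload, pkt.icv)


def demo() -> dict:
    payload = b"GET / HTTP/1.0"  # constructed payload
    # Today's IP: the address is both identifier and locator.
    ah = ah_send("10.0.0.5", "192.0.2.10", payload)
    ah_after_nat = nat_rewrite(ah, "198.51.100.1")
    # Split model: the NAT rewrites the locator, the identifier is untouched.
    sp = split_send("10.0.0.5", "192.0.2.10", "host-a", "host-b", payload)
    sp_after_nat = split_nat_rewrite(sp, "198.51.100.1")
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(ah_after_nat),
        "split_before_nat": split_verify(sp),
        "split_after_nat": split_verify(sp_after_nat),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The model shows only the half of the argument that favours the split. It says nothing about how a receiver learns, and comes to trust, the binding between "host-a" and whatever locator the packet currently carries, which is exactly the kind of new problem the reply above says such a separation creates elsewhere in the architecture.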