[arin-ppml] IPv6 Non-connected networks

Lee Dilkie Lee at Dilkie.com
Thu Mar 25 12:32:19 EDT 2010


On 3/25/2010 1:21 AM, Roger Marquis wrote:
> Lee Dilkie wrote:
>> Is no one concerned that NAT breaks a lot of networking, especially
>> peer-to-peer, and forces some really inefficient technologies, like
>> SBC's, to exist?
> Statements like this make me wonder if they don't teach the value of
> field testing in networking curriculums.  Without field testing you
> wouldn't know if the packet filtering that will be needed to replace the
> privacy and security NAT provides are worse than NAT itself.  Field
> testing would also show that consumers don't want to register their
> internal IPs, don't want end-to-end transparency, and don't want to give
> a free pass to badly designed protocols (like SIP) that they require deep
> packet inspection to work well with NAT.

I feel like I've been patted on the head. Thanks old timer!

> ...
> I don't see that.  I see quite the opposite.  My own VOIP sites for
> example, which work seamlessly with NAT.  It just works because the
> firewalls do deep inspection where they have to (SIP) and we use well
> designed protocols (IAX2) where we can.
> Roger Marquis

Indeed. You must be servicing sites that are either large enough, rich
enough, or have no choice but to accept your firewalls to be installed,
with it's "deep inspection". I don't have that luxury, my sites are
either too small or won't pay for an expensive CRE firewall. Many use
very low end devices.

And on "deep packet inspection", how does your firewall handle SIP TLS
to negotiate a secure media stream (SRTP)? How are you able to inspect
that encrypted SIP and SDP? Mine works because it relies on technologies
like SBC's to backhaul medai streams to solve the (dumb)NAT issue. Which
was the whole point of my original post, NAT makes things less efficient
and less reliable because it introduces the need for rendezvous servers
(and, for the most part, protocol specific ones at that). I was just
voicing the concern that bringing NAT into ipv6 is not a good way to
proceed. My own product supports both ipv4 and ipv6 VoIP and I really
like being able to get two ipv6 endpoints to stream media directly to
each other while ipv4 ones must make use of my SBC. It makes engineering
(network load) a whole lot easier (not to mention a lot cheaper).


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20100325/f767c921/attachment-0001.html>

More information about the ARIN-PPML mailing list