[arin-ppml] ARIN-2011-5: Shared Transition Space for IPv4 Address Extension - Last Call
owen at delong.com
Mon May 2 20:20:12 EDT 2011
On May 2, 2011, at 4:14 PM, William Herrin wrote:
> On Mon, May 2, 2011 at 4:39 PM, George, Wes E [NTK]
> <Wesley.E.George at sprint.com> wrote:
>> On Mon, Apr 25, 2011 at 8:46 AM, George, Wes E [NTK] <Wesley.E.George at sprint.com> wrote:
>>> IPv4 addresses used behind a NAT (inside pool) cannot be used for
>>> justification of new resources nor counted towards utilization
>>> calculations for existing resources.
>>> NRPM 4.10.x (Shared Transition Space) defines a specific non-unique
>>> block to be shared among multiple networks for this purpose.
>> I don't understand your example, specifically how a transfer would figure into the discussion. Please try to rephrase.
> Sorry, I was being snarky.
> Under your wording, once I have placed equipment behind a NAT, I can
> never move it out in front of a NAT because its existence doesn't
> justify addresses. You could probably fix that particular problem by
> saying "addresses _intended to be_ used behind a NAT."
> But there are more problems. For example, addresses behind a bastion
> host firewall would still qualify even though that's basically the
> same use as the NAT. That's fundamentally unfair, which violates a
> basic precept of any public policy process..
Uh, no, it's not at all unusual for addresses behind a bastion for some
purposes to be reachable directly for other purposes or to have direct
outbound access. I can think of many circumstances where things I
placed behind a bastion host needed globally unique addresses.
I cannot think of a situation where a host inside an overloaded NAT
needed (or had) globally unique addresses. In such a case, what
would be the point of using an overloaded NAT?
> And what about folks who decide to consume public addresses inside
> their stateful non-translating firewalls even though they've locked it
> down where the only thing that passes is outbound tcp? Is it fair that
> folks trying to conserve with NAT should pay an additional
> policy-level penalty while wasters don't?
I don't personally see a problem with this. If you choose to use NAT,
you're paying a number of penalties in functionality already, why
should you get rewarded with addresses you don't plan to use?
More information about the ARIN-PPML