[6bone] Network Address translation question

Stig Venaas Stig.Venaas at uninett.no
Thu Jun 23 06:42:51 PDT 2005


On Thu, Jun 23, 2005 at 02:43:57PM +0200, Iljitsch van Beijnum wrote:
> On 22-jun-2005, at 14:51, Mohacsi Janos wrote:
> 
> >>>>The trouble is that there is no clear way to force the use of  
> >>>>internal
> >>>>addresses for internal stuff and external addresses for external  
> >>>>stuff.
> 
> >>>This is easier, if you setup RFC3484 style address selection. You  
> >>>give
> >>>higher priority to your local addresses.
> 
> I'm not sure how you envision this. My understanding was that the  
> address with the longest matching prefix would be used. So when I  

Yes, as I understand dest. addr. sel. rule 9 it should have
preferred 2001.

More below

> connect to my server which has both a 2001:: and a 3ffe:: address  
> (sequoia.muada.com for those of you who want to try) my system at  
> home with a 2001:: address would use the 2001:: address. However,  
> that's not what happens.
> 
> MacOS 10.4:
> 
> % telnet sequoia
> Trying 3ffe:2500:310:2::1...
> 
> FreeBSD 4.9:
> 
> # telnet sequoia
> Trying 3ffe:2500:310:2::1...
> 
> Red Hat 9 Linux:
> 
> # telnet sequoia
> Trying 3ffe:2500:310:2::1...
> 
> (Well, actually they pick an address non-deterministically.)
> 
> Windows XP was the only one that used the 2001:: address each time.  
> (But this could be because of DNS caching, no way to tell except for  
> rebooting more times than I care to do right now.)

I think XP might be the only one with the complete implementation of
3484. I've heard that others have source address selection according
to 3484, but not so sure they have implemented destination address
selection, which of course requires changes in the getaddrinfo()
implementation.

> But that's not the real problem. The real problem is that always  
> choosing the same address is a bad thing: that way, applications that  
> don't cycle the address list themselves can easily get stuck retrying  
> a non-working address and ignoring a working alternative.

Well, I would say it's another reason why applications should, or
even must, cycle addresses.

> (And this would also require two-faced DNS all over the place as  
> you'd try to connect to other people's unique site locals otherwise.)

But you can make it work by installing some policy. I believe 3484
may need to be updated with a different standard policy to cope with
ULAs properly. This is one example. The other I mentioned is with
multicast.

> The bottom line is that there is no way to do the right thing with  
> only a priori information. You need at least _some_ measurement info  
> to make reasonable decisions.
> 
> >I think pretty large number of hosts potentially can support RFC3484.
> >Windows XP/2003 fully supports it. All *BSD systems also fully  
> >support it.
> 
> So how do I install a policy?

No idea. Don't know if any implementations allow it, and how is
implementation-dependent. Would be quite interesting to know how
much of 3484 is implemented in different systems, and also how
to change policy if possible.

The most likely to have a way of installing policy is perhaps XP.

Stig

> _______________________________________________
> 6bone mailing list
> 6bone at mailman.isi.edu
> http://mailman.isi.edu/mailman/listinfo/6bone
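The thread argues about three things: whether destination rule 9 (longest matching prefix) should make a 2001:: host prefer sequoia's 2001:: address over its 3ffe:: one, why applications must cycle through the returned address list instead of retrying one dead address, and how a policy-table entry would stop hosts from trying other people's ULAs. The following is an added example, not code from the thread or from any of the operating systems discussed: a simplified RFC 3484 policy table and selection procedure in Python, covering only the rules that need no interface state (source rules 1, 2, 6, 8; destination rules 2, 5, 6, 8, 9, 10). The 2001:db8:: and fd12:3456:: addresses are constructed documentation values standing in for the unnamed 2001:: hosts in the thread; only 3ffe:2500:310:2::1 is taken from the page. The fc00::/7 row (precedence 3, label 13) is the ULA entry RFC 6724 later added to the default table, and is shown here as the kind of policy the thread says 3484 would need.

```python
"""Added example: simplified RFC 3484 address selection with a policy table.
Constructed addresses (2001:db8::/32, fd12:3456::/32) are not the thread's hosts."""
from ipaddress import IPv6Address, ip_address, ip_network

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label)
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]


class PolicyTable:
    def __init__(self, rows=DEFAULT_POLICY):
        self.rows = [(ip_network(p), prec, lab) for p, prec, lab in rows]

    def add(self, prefix, precedence, label):
        """Install a policy row (what the thread asks how to do on real hosts)."""
        self.rows.append((ip_network(prefix), precedence, label))

    def lookup(self, addr):
        """Longest matching prefix in the table wins; ::/0 always matches."""
        row = max((r for r in self.rows if addr in r[0]), key=lambda r: r[0].prefixlen)
        return row[1], row[2]  # (precedence, label)


def scope(a: IPv6Address) -> int:
    """RFC 3484 section 3.1 scope values; ::1 is treated as link-local."""
    if a.is_multicast:
        return a.packed[1] & 0x0F
    if a.is_loopback or a.is_link_local:
        return 0x2
    if a.is_site_local:
        return 0x5
    return 0xE  # global; ULAs (fc00::/7) have global scope


def common_prefix_len(a: IPv6Address, b: IPv6Address) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(sources, dst, policy):
    """Section 5 rules 1, 2, 6, 8 (the others need interface or mobility state)."""
    def rank(src):
        s, d = scope(src), scope(dst)
        scope_rank = (0, s) if s >= d else (1, -s)  # rule 2: appropriate scope
        return (
            src != dst,                                       # rule 1: same address
            scope_rank,
            policy.lookup(src)[1] != policy.lookup(dst)[1],   # rule 6: matching label
            -common_prefix_len(src, dst),                     # rule 8: longest prefix
        )
    return min(sources, key=rank)


def order_destinations(dsts, sources, policy):
    """Section 6 rules 2, 5, 6, 8, 9; rule 10 = stable sort keeps input order."""
    def rank(dst):
        src = select_source(sources, dst, policy)
        dprec, dlab = policy.lookup(dst)
        return (
            scope(src) != scope(dst),            # rule 2: matching scope
            policy.lookup(src)[1] != dlab,       # rule 5: matching label
            -dprec,                              # rule 6: higher precedence
            scope(dst),                          # rule 8: smaller scope
            -common_prefix_len(src, dst),        # rule 9: longest matching prefix
        )
    return sorted(dsts, key=rank)


def connect_cycling(ordered, try_connect):
    """Walk the whole sorted list rather than retrying the first address forever."""
    tried = []
    for dst in ordered:
        tried.append(dst)
        if try_connect(dst):
            return dst, tried
    return None, tried


def demo():
    policy = PolicyTable()
    home = [ip_address("2001:db8:1::10")]              # constructed 2001:: home host
    sequoia = [ip_address("3ffe:2500:310:2::1"),       # 6bone address from the thread
               ip_address("2001:db8:2::1")]            # constructed stand-in for its 2001:: address
    first = order_destinations(sequoia, home, policy)[0]
    # ULA case: dual-addressed host; one target is a foreign ULA sharing a long prefix with ours.
    dual = [ip_address("2001:db8:1::10"), ip_address("fd12:3456::10")]
    targets = [ip_address("fd12:3456:1::1"), ip_address("2001:db8:ffff::1")]
    before = order_destinations(targets, dual, policy)[0]
    policy.add("fc00::/7", 3, 13)                      # ULA row as later standardised in RFC 6724
    after = order_destinations(targets, dual, policy)[0]
    return str(first), str(before), str(after)
```

With the default table, every global address lands on the ::/0 row with the same precedence and label, so rule 9 alone decides: the 2001:: destination shares 46 bits with the 2001:: source versus 3 bits for the 3ffe:: one, which is the order the thread expected and did not see. Adding the fc00::/7 row gives ULAs a low precedence, so rule 6 puts the global destination ahead of a foreign ULA even when the ULA happens to win on prefix length; without such a row, as the thread notes, you would be connecting to other people's site locals.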

