serve that when interconnecting routing realms with overlapping addresses, the set of operations on the network and transport header performed by a NAT forms a (proper) subset of the set of operations on the network and transport layer performed by a transparent ALG. By definition a NAT does not understand the syntax and semantics of an application data stream. Therefore, a NAT cannot support applications that carry IP addresses at the application layer (e.g., FTP with the PORT or PASV command [RFC959]). On the other hand, a NAT can support any application, as long as such an application does not carry IP addresses at the application layer. This is in contrast with an ALG that can support only the applications coded into the ALG. One can conclude that both NATs and ALGs have their own limitations, which could constrain their usefulness.

Combining NAT and ALG functionality in a single device could be used to overcome some, but not all, of these limitations. Such a device would use the NAT functionality for the applications that do not carry IP addresses, and would resort to the ALG functionality when dealing with the applications that carry IP addresses. For example, such a device would use the NAT functionality to deal with the FTP data connection, but would use the ALG functionality to deal with the FTP control connection. However, such a device will fail completely in handling an application that carries IP addresses when the device does not support the application via the ALG functionality, but rather handles it via the NAT functionality.

Communicating through either ALGs or NATs involves changes to the network header (and specifically source and destination addresses), and to the transport header. Since IP Security authentication headers assume that the addresses in the network header are preserved end-to-end, it is not clear how one could support IP Security-based authentication between a pair of hosts communicating through either an ALG or a NAT.
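The FTP case above, as an added example that is not part of the original text: a plain NAT rewrites only the network-layer source address, so the RFC 1918 address carried inside the PORT command is still what the server sees, while a transparent FTP ALG also rewrites the application payload. It assumes a single outbound packet modelled as a dict, a constructed PORT command, and leaves the data port untranslated.

```python
"""NAT vs. transparent FTP ALG on a PORT command (constructed example)."""
import re
from ipaddress import ip_address, ip_network

# "PORT h1,h2,h3,h4,p1,p2" carries the client's IP address and data port
# inside the application data stream, which a NAT by definition never reads.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(payload):
    """Return (ip, port) advertised by a PORT command, or None."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def nat_outbound(pkt, inside, outside):
    """Plain NAT: rewrites only the network-layer source address."""
    new = dict(pkt)
    if new["src"] == inside:
        new["src"] = outside
    return new

def ftp_alg_outbound(pkt, inside, outside):
    """Transparent FTP ALG: translates the header and rewrites the PORT payload."""
    new = nat_outbound(pkt, inside, outside)
    adv = parse_port(new["payload"])
    if adv and adv[0] == inside:
        octets, port = outside.replace(".", ","), adv[1]   # data port left as-is
        new["payload"] = f"PORT {octets},{port // 256},{port % 256}\r\n".encode()
    return new

def data_connection_reachable(pkt):
    """Server-side view: the advertised endpoint is usable only if it agrees
    with the translated header and is not an RFC 1918 address."""
    adv = parse_port(pkt["payload"])
    if adv is None or adv[0] != pkt["src"]:
        return False
    return not any(ip_address(adv[0]) in n for n in RFC1918)

# Constructed packet: a client in an RFC 1918 realm starts an active-mode transfer.
INSIDE, OUTSIDE = "10.1.2.3", "192.0.2.10"   # 192.0.2.0/24 is documentation space
PKT = {"src": INSIDE, "dst": "198.51.100.5", "payload": b"PORT 10,1,2,3,4,1\r\n"}

if __name__ == "__main__":
    for name, fn in (("NAT", nat_outbound), ("ALG", ftp_alg_outbound)):
        out = fn(PKT, INSIDE, OUTSIDE)
        print(name, out["src"], out["payload"], data_connection_reachable(out))
```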
Since IP Security, when used for confidentiality, encrypts the entire transport layer end-to-end, it is not clear how an ALG or NAT could modify encrypted packets as they require to. In other words, both ALGs and NATs are likely to force a boundary between two distinct IP Security domains, both for authentication and for confidentiality, unless specific enhancements to IP Security are designed for this purpose.

Interconnecting routing realms via either ALGs or NATs relies on the DNS [RFC1035]. Specifically, for a given set of (interconnected) routing realms, even if network layer addresses are no longer unique across the set, fully qualified domain names would need to be unique across the set. However, a site that is running a NAT or ALG probably needs to run two DNS servers, one inside and one outside the NAT or ALG, giving different answers to identical queries. This is discussed further in [kre]. DNS security [RFC2065] and some dynamic DNS updates [dns2] will presumably not be valid across a NAT/ALG boundary, so we must assume that the external DNS server acquires at least part of its tables by some other mechanism.

To summarize, since RFC1918, we have not really changed the spatial uniqueness of an address, so much as recognized that there are multiple spaces, i.e. each space is still a routing realm such as an intranet, possibly connected to other intranets, or the Internet, by NATs or ALGs (see above discussion). The temporal uniqueness of an address is unchanged by RFC1918.

Addresses are no longer all temporally unique

Note that as soon as address significance changes anywhere in the address space, it has in some sense changed everywhere. This has in fact already happened. IPv4 address blocks were for many years assigned chronologically, i.e. effectively at random with respect to network topology. This led to constantly growing routing tables. it can never serve as an identifier as defined in this document, since it does not uniquely identify a host.
In this case, the effective temporal uniqueness, or useful lifetime, of an IP address can be less than the time taken to establish a TCP connection. Here we have used TCP simply to illustrate the idea of an association; many UDP based applications (or other systems layered on IP) allocate state after receiving or sending a first packet, based on the source and/or destination. All are affected by absence of temporal uniqueness, whereas only the routing infrastructure is affected by spatial uniqueness changes.

Summary

Due to dynamic address allocation and increasingly frequent network renumbering, temporal uniqueness of IPv4 addresses is no longer globally guaranteed, which puts their use as identifiers into severe question. Due to the proliferation of Intranets, spatial uniqueness is also no longer guaranteed across routing realms.