[AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "

Jonathan Thorpe jthorpe at Conexim.com.au
Thu Nov 6 08:17:36 EST 2014


NAT is not a firewall or a security feature and shouldn't be treated as such. At best, it helps abstract internal addressing to help against reconnaissance.

On that basis, I'm happy to see NAT go with IPv6, however I've recently come across a few use cases where it does actually help in a non-security sense.

For most CPE, you don't have the luxury of advertising BGP address space and managing failover in that manner. Instead, you have address/prefix assignments from the ISP and you can NAT traffic from the private address space.

This works well on IPv4 with NAT because you don't have to worry about changing address space on the LAN and can go as far as using PBR to distribute different types of traffic across Internet connections.

From what I've seen, there's currently no workable way to do this with IPv6 on a LAN as there's no NAT. While there's no NAT, we do apparently have NPTv6 (http://tools.ietf.org/html/rfc6296), but I'm yet to see any working implementations of this on any CPE or routing platform.

With NPTv6, we get network address translation, but it does so statelessly (not touching ports or host portion of the address), so overcoming some of the shortcomings of NAT. With the expectation of end-to-end consistency in IPv6 addressing however, I do fear that things will still break.

Interesting times ahead.

Kind Regards,
Jonathan

-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Scott Weeks
Sent: Wednesday, 5 November 2014 10:07 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "




> I may be opening a can of worms here, but for a bit of fun I like
> NAT.  It solves a lot more problems than it causes (for me)

I am truly scared of a world with eleventy-billion unpatched, unprotected, vulnerable/exploitable devices suddenly "directly reachable" by all those malware-infected, script-kiddies etc.
--------------------------------------------------


When you can't find the mole where're you gonna whack?

scott
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
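
The stateless NPTv6 mapping mentioned in the reply above, as an added example that is not part of the original thread: a Python sketch of the checksum-neutral prefix rewrite from RFC 6296, narrowed to /48 prefixes. The function names and the sample prefixes are assumptions chosen for illustration.

```python
import ipaddress

def _fold(x):
    # Fold carries back into 16 bits (one's-complement addition).
    while x > 0xFFFF:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def _words(addr):
    # Split an IPv6 address into its eight 16-bit words.
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def word_sum(addr):
    # One's-complement sum of all address words; NPTv6 keeps this constant
    # so TCP/UDP pseudo-header checksums stay valid without touching L4.
    return _fold(sum(_words(ipaddress.IPv6Address(addr))))

def nptv6_translate(addr, src_prefix, dst_prefix):
    """Rewrite addr from src_prefix to dst_prefix (both /48 in this sketch)."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this sketch handles /48 prefixes only")
    if addr not in src:
        raise ValueError("address is not inside the source prefix")
    w = _words(addr)
    if w[3] == 0xFFFF:
        raise ValueError("subnet 0xFFFF cannot be mapped")
    old = _fold(sum(_words(src.network_address)[:3]))
    new = _fold(sum(_words(dst.network_address)[:3]))
    # Adjustment = old - new in one's-complement arithmetic.
    adj = _fold(old + (~new & 0xFFFF))
    w[:3] = _words(dst.network_address)[:3]   # swap the 48-bit prefix
    w[3] = _fold(w[3] + adj)                  # compensate in the subnet word
    if w[3] == 0xFFFF:                        # avoid the second form of zero
        w[3] = 0x0000
    raw = b"".join(x.to_bytes(2, "big") for x in w)
    return ipaddress.IPv6Address(raw)

# Sample prefixes (constructed): a ULA /48 inside, a documentation /48 outside.
INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"

if __name__ == "__main__":
    out = nptv6_translate("fd01:203:405:1::1234", INSIDE, OUTSIDE)
    print(out, "->", nptv6_translate(out, OUTSIDE, INSIDE))
```

The mapping depends only on the two prefixes, so no per-flow state is kept and the reverse direction recovers the original address; it also means an inside host is reachable at its translated address unless a separate filter blocks it.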

