[AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "

Nathanael Bettridge nathanael at prodigy.com.au
Thu Nov 6 09:12:52 EST 2014


I'm all on board with the whole "NAT is not security" bit. 
However.
The abstraction that port based NAT provides though can be a really useful tool - Computer Science is all about abstraction so it's strange it's so hated in this case.

I like and regularly use the ability to remap ports between disparate machines or to different ports transparently, without having to use a port proxy.
I like and regularly use the ability to present an arbitrary number of addresses as one to another network, or map between different address structures.
These are really handy tools to have to solve problems.

The end-to-end argument against NAT I've always found spurious too - applications should be treating IP addresses and dns names as opaque and separate from the data they pass down to the next layer - not directly depending on particular values. Applications that pass that kind of data between different protocol streams (SIP/RTP and FTP for example) are fundamentally broken in design anyway.

So bring on port based nat and masquerading for IPv6 I say.


Nathanael Bettridge
Prodigy Communications Pty Ltd
Mobile: +61 (0)4 1048 0170
Office: +61 (0)2 8214 8920
Fax:    +61 (0)2 9427 4203
Email:  nathanael at prodigy.com.au
Web:    www.prodigy.com.au 



-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Jonathan Thorpe
Sent: Thursday, 6 November 2014 8:18 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "

NAT is not a firewall or a security feature and shouldn't be treated as such. At best, it helps abstract internal addressing to help against reconnaissance.

On that basis, I'm happy to see NAT go with IPv6, however I've recently come across a few use cases where it does actually help in a non-security sense.

For most CPE, you don't have the luxury of advertising BGP address space and managing failover in that manner. Instead, you have address/prefix assignments from the ISP and you can NAT traffic from the private address space.

This works well on IPv4 with NAT because you don't have to worry about changing address space on the LAN and can go as far as using PBR to distribute different types of traffic across Internet connections.

From what I've seen, there's currently no workable way to do this with IPv6 on a LAN as there's no NAT. While there's no NAT, we do apparently have NPTv6 (http://tools.ietf.org/html/rfc6296), but I'm yet to see any working implementations of this on any CPE or routing platform.

With NPTv6, we get network address translation, but it does so statelessly (not touching ports or the host portion of the address), so overcoming some of the shortcomings of NAT. With the expectation of end-to-end consistency in IPv6 addressing, however, I do fear that things will still break.

Interesting times ahead.

Kind Regards,
Jonathan
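
The checksum-neutral prefix mapping that makes NPTv6 stateless is easy to get wrong, so here is an added worked example (not code from the thread or from any CPE vendor) of the RFC 6296 idea: swap the prefix, then nudge one 16-bit word outside the prefix so the ones-complement sum of the address is unchanged, which keeps every TCP/UDP/ICMPv6 checksum fed by the IPv6 pseudo-header valid without touching the transport layer. The prefixes and addresses are constructed for illustration; the choice of adjustment word for prefixes longer than /48 is this example's reading of RFC 6296 section 3.2, not a quotation of it.

```python
"""Checksum-neutral NPTv6 prefix translation in the style of RFC 6296.

Constructed example: the prefixes, addresses and helper names below are
illustrative and are not taken from any real deployment or product.
"""
import ipaddress

MOD = 0xFFFF  # ones-complement arithmetic on 16-bit words is arithmetic mod 65535


def words16(addr) -> list[int]:
    """Split a 128-bit address into its eight 16-bit words, most significant first."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_complement_sum(words) -> int:
    """Ones-complement sum with end-around carry, as used by transport checksums."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_checksum(addr) -> int:
    """The address's contribution to the IPv6 pseudo-header checksum."""
    return ones_complement_sum(words16(addr))


def nptv6_translate(addr, from_prefix, to_prefix):
    """Map addr out of from_prefix into to_prefix without disturbing transport checksums.

    The network bits are swapped, then exactly one 16-bit word outside the prefix
    is adjusted so the ones-complement sum of all eight words is unchanged. The
    mapping is stateless and reversible: applying it with the prefixes swapped
    recovers the original address.
    """
    addr = ipaddress.IPv6Address(addr)
    from_prefix = ipaddress.IPv6Network(from_prefix)
    to_prefix = ipaddress.IPv6Network(to_prefix)
    plen = from_prefix.prefixlen
    if plen != to_prefix.prefixlen or plen > 64:
        raise ValueError("prefixes must be the same length and no longer than /64")
    if addr not in from_prefix:
        raise ValueError(f"{addr} is not inside {from_prefix}")

    # Replace the prefix bits, keep everything after the prefix untouched.
    host_mask = (1 << (128 - plen)) - 1
    raw = (int(to_prefix.network_address) & ~host_mask) | (int(addr) & host_mask)
    new = words16(ipaddress.IPv6Address(raw))

    # Choose the word that absorbs the checksum adjustment.
    if plen <= 48:
        idx = 3  # the subnet-ID word (bits 48..63), as in RFC 6296 section 3.1
    else:
        # Assumption for longer prefixes: use the first IID word that is not 0xFFFF
        # (a word of 0xFFFF cannot be adjusted reversibly). Check RFC 6296 s.3.2.
        candidates = [i for i in range(4, 8) if new[i] != 0xFFFF]
        if not candidates:
            raise ValueError("no IID word available for checksum adjustment")
        idx = candidates[0]

    # delta is what must be added (mod 65535) to restore the original sum.
    delta = (address_checksum(addr) - ones_complement_sum(new)) % MOD
    # 0xFFFF and 0x0000 are both zero in ones-complement; the modulus yields 0x0000.
    new[idx] = (new[idx] + delta) % MOD

    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in new))


if __name__ == "__main__":
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"   # constructed prefixes
    lan_host = "fd01:203:405:1::1"
    wan_view = nptv6_translate(lan_host, inside, outside)
    print(f"{lan_host} -> {wan_view}")
    print(f"checksum contribution: {address_checksum(lan_host):#06x} -> "
          f"{address_checksum(wan_view):#06x}")
    print(f"back again: {nptv6_translate(wan_view, outside, inside)}")
```

Note what the subnet field does in the output: the LAN subnet `:1:` becomes `:d550:` on the outside, which is exactly the property Jonathan is worried about. Anything that compares the address it sees on the wire with the address the host believes it has (referrals, literal addresses in application payloads, some IPsec configurations) will notice the difference even though no port or interface identifier was rewritten.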

-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Scott Weeks
Sent: Wednesday, 5 November 2014 10:07 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "




> I may be opening a can of worms here, but for a bit of fun I like
> NAT. It solves a lot more problems than it causes (for me)

I am truly scared of a world with eleventy-billion unpatched, unprotected, vulnerable/exploitable devices suddenly "directly reachable" by all those malware-infected, script-kiddies etc.
--------------------------------------------------


When you can't find the mole where're you gonna whack?

scott
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog