[AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "

Mike Jones mike at mikejones.in
Thu Nov 6 12:13:12 EST 2014


On 5 November 2014 21:17, Jonathan Thorpe <jthorpe at conexim.com.au> wrote:
> NAT is not a firewall or a security feature and shouldn't be treated as such. At best, it helps abstract internal addressing to help against reconnaissance.
>
> On that basis, I'm happy to see NAT go with IPv6, however I've recently come across a few use cases where it does actually help in a non-security sense.
>
> For most CPE, you don't have the luxury of advertising BGP address space and managing failover in that manner. Instead, you have address/prefix assignments from the ISP and you can NAT traffic from the private address space.
>
> This works well on IPv4 with NAT because you don't have to worry about changing address space on the LAN and can go as far as using PBR to distribute different types of traffic across Internet connections.
>
> From what I've seen, there's currently no workable way to do this with IPv6 on a LAN as there's no NAT. While there's no NAT, we do apparently have NPTv6 (http://tools.ietf.org/html/rfc6296), but I'm yet to see any working implementations of this on any CPE or routing platform.
>
> With NPTv6, we get network address translation, but it does so statelessly (not touching ports or the host portion of the address), so overcoming some of the shortcomings of NAT. With the expectation of end-to-end consistency in IPv6 addressing however, I do fear that things will still break.
>
> Interesting times ahead.
>

In theory* it is quite the opposite... on IPv4 you need ugly hacks to
get redundancy, on IPv6 you shouldn't need to do anything special and
will get it automatically for free.

For redundant uplinks: IPv4 NAT based failover requires that you
terminate both uplinks on the device and have the device choose which
address traffic comes from, so you need a special router that supports
dual uplinks for this to work properly. IPv6 based failover you simply
advertise both prefixes and the client can choose which source address
to use (also meaning you can have different applications bind to
different interfaces if you want, so better as well as simpler).

For redundant routers: IPv4 Default gateway failover requires some
kind of "smarts" in the routers to detect when the other router goes
down and take over its IP address. For IPv6 you simply have both
routers plugged in at the same time; if one goes down it stops
advertising itself and clients stop using it.

In summary, IPv4 failover requires that you buy routers that support
failover then you configure them in a complex failover configuration.
IPv6 can give you full redundancy by simply getting a simple router
for each uplink and plugging them in at the same time. You can of
course terminate multiple uplinks on the same router if you want.

- Mike Jones

*In practice OS vendors made a small 'mistake' in not tying prefixes
to routes. With most ISPs doing uRPF you generally need to match the
source address to the uplink that packet is sent to which clients
don't do by default, so you in fact do need the router to do
additional work as well as being connected to all uplinks like IPv4,
just without the NAT. Hopefully this is something that will eventually
get fixed, and as soon as the update has been pushed to clients we can
start to take advantage of the improved IPv6 design to simplify
redundancy.
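The uRPF problem described in the footnote, as an added Python model that is not part of the list post: a host holds one address from each ISP's delegated prefix, a plain default route sends everything via ISP A, and strict uRPF at the ISP edge drops packets whose source belongs to the other ISP. The prefixes and addresses are constructed documentation values (RFC 3849), and `source_aware_router` stands in for the "additional work" a router must do until hosts tie prefixes to routes.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed topology: two uplinks, each ISP delegates one /48 (documentation space).
UPLINKS = {
    "isp_a": IPv6Network("2001:db8:a::/48"),
    "isp_b": IPv6Network("2001:db8:b::/48"),
}
# One LAN host with a global address from each advertised prefix (constructed).
HOST_ADDRS = [IPv6Address("2001:db8:a::10"), IPv6Address("2001:db8:b::10")]


def urpf_accepts(uplink, src):
    """Strict uRPF at the ISP edge: the source must sit inside the prefix that ISP delegated."""
    return src in UPLINKS[uplink]


def naive_router(src, default_uplink):
    """Single default route: every packet leaves via the same uplink regardless of source."""
    return default_uplink


def source_aware_router(src, default_uplink):
    """Source-based policy routing: hand the packet to the ISP that owns its source prefix."""
    for name, prefix in UPLINKS.items():
        if src in prefix:
            return name
    return default_uplink


def delivered(src, router, default_uplink="isp_a"):
    """True if the chosen uplink's uRPF check passes for this source address."""
    return urpf_accepts(router(src, default_uplink), src)


def delivery_matrix(router, default_uplink="isp_a"):
    """Outcome for each host source address under the given router policy."""
    return {str(a): delivered(a, router, default_uplink) for a in HOST_ADDRS}


def pick_source(advertised):
    """Host side of router failover: only use an address whose prefix is still advertised
    (a failed router stops sending RAs, so its prefix drops out of `advertised`)."""
    for a in HOST_ADDRS:
        if any(a in UPLINKS[name] for name in advertised):
            return a
    return None
```

With the naive default route, the address from ISP B's prefix is dropped by ISP A's uRPF, which is exactly why the client's free choice of source address is not yet enough on its own.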

