[arin-ppml] IPv4 Depletion as an ARIN policy concern

William Herrin bill at herrin.us
Wed Oct 28 13:54:33 EDT 2009


On Wed, Oct 28, 2009 at 12:58 PM, Steven E. Petty
<spetty at iconnect-corp.com> wrote:
>  You may want to do a little more research into IPv6.

Steven,

To what end? Chris E's points 1, 3 and 4 are spot on about the utility
of NAT in a way that transcends the differences between IPv4 and IPv6.
My only quibble is that I wouldn't describe his point 4 as "address
conservation." Address conservation should be a fifth point that only
applies to IPv4. I'd describe Chris' point 4 as "address management
overhead."



On Wed, Oct 28, 2009 at 1:02 PM, Chris Grundemann <cgrundemann at gmail.com> wrote:
> On Wed, Oct 28, 2009 at 10:50, Chris Engel <cengel at sponsordirect.com> wrote:
>> 1) [NAT] acts as an insurance policy against FW misconfigurations.

> Create a default rule in your firewall to deny all inbound
> non-established connections to all internal devices and then poke

And when the misconfiguration is that the default rule is accidentally
erased or is overridden for a non-trivial number of cases? The NAT
firewall in the common scenario fails closed. You really have to work
at getting it to fail open in the inbound direction. The non-NAT
firewall tends to fail open so that unintended inbound communication
is allowed.


>> 3) NAT allows you to abstract your internal infrastructure
>> from the external services you present.

> I would use a different three letters for that: DNS

Then you don't know as much about the DNS as you think you do. The DNS
TTL is functionally indefinite (which is to say: ignored) for many
common protocols and applications including Firefox and Internet
Explorer. Chris E is correct that the use of virtual IPs (VIPs) is
necessary for a 100% working abstraction between internal
infrastructure and externally presented services. Though NAT is not
strictly required to use VIPs, NAT inherently offers extra useful
capability here such as splitting each VIP by layer-4 port number and
delivering to different back-end machines.


>> 4) Simply put, it is far easier to manage 12 public IP addresses than 300.
>
> I don't understand this argument at all.  If you only have 12 IPs that
> need external access, then you only have 12 IPs that need DNS/RDNS/FW
> Rules/Usage Tracking, etc - whether the other 288 are rfc1918 IPv4
> addresses or globally unique IPv6 addresses... ???

Scope. It's about management overhead for equipment whose addresses
are in different scopes. Addresses in a private, local scope are much
easier to manage than addresses in a global scope. NAT allows
addresses in the private scope to access global systems without
increasing their management overhead to the level required if they had
global scope addresses.

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
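The two security-relevant claims in Bill's reply (under point 1, that a NAT box with its rules gone still fails closed inbound while a routed stateful filter with its default deny gone fails open; under point 3, that a single VIP can be split by layer-4 port to different back-end hosts) can be made concrete with a small Python model. This is an added example, not code from the post or from the ARIN-PPML list. The two firewall classes are a deliberately simplified abstraction of NAPT and of a stateful packet filter, not a real conntrack implementation, and every address (drawn from the 10.0.0.0/8, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 documentation ranges), port and rule is constructed for illustration.

```python
"""Toy model of the two firewall designs argued over in the thread: a NAPT
box with RFC 1918 hosts behind it versus a stateful packet filter in front
of globally addressed hosts.  Added example; addresses, ports and rules are
all constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NaptFirewall:
    """One public address; inside hosts are unroutable from the Internet.
    An inbound packet is delivered only through a conntrack entry (reply to
    an outbound flow) or an explicit DNAT entry (a VIP rule)."""
    public_ip: str
    dnat: dict = field(default_factory=dict)       # (vip, port) -> (inside_ip, port)
    conntrack: dict = field(default_factory=dict)  # (public_ip, ext_port) -> (inside_ip, sport, peer)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[(self.public_ip, ext_port)] = (pkt.src, pkt.sport, (pkt.dst, pkt.dport))
        return Packet(self.public_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.conntrack.get((pkt.dst, pkt.dport))
        if entry and entry[2] == (pkt.src, pkt.sport):
            return Packet(pkt.src, pkt.sport, entry[0], entry[1])
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target:
            return Packet(pkt.src, pkt.sport, *target)
        return None  # no translation exists: there is nowhere inside to send it


@dataclass
class RoutedFirewall:
    """Inside hosts carry global addresses, so the box can forward any
    packet; only the ordered rule list decides whether it does."""
    rules: list                                    # (dst | None, dport | None, "accept" | "deny")
    conntrack: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> Packet:
        self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt  # addresses untouched

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack:
            return pkt  # reply to an established flow
        for dst, dport, action in self.rules:
            if dst in (None, pkt.dst) and dport in (None, pkt.dport):
                return pkt if action == "accept" else None
        return pkt  # fell off the end of the rule list: forwarded by default


def scenario(rules_erased: bool) -> dict:
    """Run the same traffic through both designs.  ``rules_erased`` models the
    misconfiguration from the thread: an admin wipes the rule set, so the
    routed box loses its catch-all deny and the NAPT box loses its VIP rules."""
    vip = "198.51.100.1"
    napt = NaptFirewall(vip, dnat={(vip, 443): ("10.0.0.20", 8443),  # one VIP, split by port
                                   (vip, 25): ("10.0.0.30", 25)})
    routed = RoutedFirewall(rules=[("2001:db8::20", 443, "accept"),
                                   (None, None, "deny")])           # the default rule
    if rules_erased:
        napt.dnat.clear()
        routed.rules.clear()

    def deliver(fw, inside_ip, peer):
        # A client inside opens a flow outward, then the peer answers.
        out = fw.outbound(Packet(inside_ip, 51000, peer, 443))
        return fw.inbound(Packet(peer, 443, out.src, out.sport))

    # Unsolicited inbound connection attempt (constructed scanner address).
    scan_napt = napt.inbound(Packet("203.0.113.9", 5555, vip, 3389))
    scan_routed = routed.inbound(Packet("203.0.113.9", 5555, "2001:db8::5", 3389))
    return {
        "napt_reply": deliver(napt, "10.0.0.5", "203.0.113.50"),
        "routed_reply": deliver(routed, "2001:db8::5", "2001:db8:ffff::50"),
        "napt_unsolicited_delivered": scan_napt is not None,
        "routed_unsolicited_delivered": scan_routed is not None,
        "vip_443": napt.inbound(Packet("203.0.113.9", 5556, vip, 443)),
        "vip_25": napt.inbound(Packet("203.0.113.9", 5557, vip, 25)),
    }


if __name__ == "__main__":
    for erased in (False, True):
        r = scenario(rules_erased=erased)
        print("rules erased" if erased else "rules intact",
              "| NAPT delivers unsolicited:", r["napt_unsolicited_delivered"],
              "| routed delivers unsolicited:", r["routed_unsolicited_delivered"])
```

With the rules intact both designs drop the unsolicited packet and both still deliver replies to flows opened from inside; the NAPT box additionally sends VIP port 443 to 10.0.0.20:8443 and VIP port 25 to 10.0.0.30:25, which is the port-splitting Bill describes. With the rule set erased the NAPT box has no translation for the scan and still drops it, while the routed box, having nothing left to match, forwards it to the inside host. The model captures the structural difference only; a real NAPT device can of course be made to fail open by other means (a default DNAT to a DMZ host, or application-layer gateways), which is the "you really have to work at it" part of the argument.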


