[arin-ppml] The role of NAT in IPv6
Roger Marquis
marquis at roble.com
Sat Apr 17 13:07:24 EDT 2010
Ted Mittelstaedt wrote:
> The point here is that the masses out there can ONLY implement
> solutions, and that INCLUDES nat, that are "black box" solutions
> built and sold by people who know a lot more than they do.
Good point.
> If those networking companies unilaterally reject IPv6 NAT, then your
> average admin WILL NOT deploy it. And I think this will certainly
> happen unless the major networking standards bodies support it.
The "customer is always wrong" model hasn't proven successful to-date. What are you
proposing that might change that equation?
> Besides the returns, the companies I named who ARE selling those solutions
> all have their fingers in networking applications that users run that would
> work BETTER on a NAT-less IPv6 Internet.
A majority of security professionals I've encountered over the years (not the same as
network professionals) are of the opinion that the statefulness required to secure
SIP-like protocols is essential, and, if absence of a NAT option enables and/or
encourages:
1) less robust stateful inspection (as expected of cheap CPE),
2) or it enables disabling or mis-configuration of stateful inspection
(as we've already seen is not uncommon)
then, from a security perspective, lack of a standardized NAT in IPv6 will result in
less security. Fewer options, less security, not a recipie for success.
> They will certainly sell IPv6 firewall boxes. Those boxes will
> certainly provide a layer of abstraction and obfuscation between their
> internal and external network architecture WITHOUT using IPv6 NAT.
That's an opinion of course, and one clearly made without taking note of field
testing. We have had 10 years of field testing, however, and the results are
unequivocal i.e., IPv6 adoption is being held up by the lack of a NAT standard. In
considering why we have no standardized NAT it is important to note that the
arguments against NAT are characterized by:
1) lack of concern that theories regarding the usefulness of NAT in IPv6 have not
been supported by field testing,
2) lack of concern that theories regarding the usefulness of NAT in IPv6 are not
supported by IT security professionals,
3) are notable by the repetition of general and non-technical statements like "a piece
of software that has a core group of fanatics who cannot understand",
4) are also notable by avoidance of discussions regarding low-level dissection of
the mechanisms by which NAT and stateful inspection are inseparable.
All of which indicates NAT-detraction is strongly driven by profit motives of those
holding and hoarding IPv4 addresses.
Roger Marquis
More information about the ARIN-PPML
mailing list