[arin-ppml] Use of "reserved" address space.
James Hess
mysidia at gmail.com
Tue Jun 29 21:43:22 EDT 2010
On Tue, Jun 29, 2010 at 5:30 PM, Roger Marquis <marquis at roble.com> wrote:
> Ted Mittelstaedt wrote:
>> On 6/26/2010 9:54 PM, James Hess wrote:
>>> As far as I can tell , the internet is not on course for a
>>> well-implemented transition to IPv6. It is on a collision course with IP
>>> exhaustion, and the fallout of the crash is NAT hell.
> NAT hell for some, but not those of of us with NAT experience and
> security responsibilities. We would be happy to deploy more NAT,
I'm sorry.. I didn't fully indicate exactly what I meant by NAT hell.
The WHOIS directory becomes almost worthless, when every network is
behind a 1:many NAT.
Or perhaps a SWIP or other option could be provided to indicate
that certain IP addresses are NAT, and the address of an IDENT
server to connect to, to get a RFC1918 IP address (associated
with a source port), for abuse reporting purposes?
It's hell, if NAT actually becomes an alternative to V6, because the
End-to-End principal will die; it becomes more like broadcast mediums
such as Television, where only "licensed" hosts that got public
IPs can publish websites. Precisely tracking and locating abuse of
network resources will become impossible. Blacklisting, banning,
or rate limiting one IP address (for example, a bot crawling a web
site), may effect thousands of legitimate users.
How many resources are the ISPs really going to consume to try to help
you track down and stop the source of a malicious packet, small
scale DDoS, or spam streak?
We should know we are on the road to NAT hell if we see a low rate of
IPv6 adoption (as we can observe rather plainly), AND:
(1) NAT overloading across organizational boundaries becomes more
widespread (for example, a residential ISP, sharing one IP address
with thousands of customers)
Also, if large enterprises start using private addressing and small
numbers of public IPs.
While at the same time either NOT offering any IPv6 connectivity, or
not providing V6 capable CPE.
..AND (2) Multiple one-to-many NAT setups without V6 connectivity
become widespread. Multiple NAT being N>1 hops of translation to
new private networks, they share a public IP.
Example scenario being: an Enterprise has installed their own
"router" product that implements RFC1918 addressing for the LAN side.
ISP provides a CPE that gives the enterprise an RFC1918 address on
the WAN side (which is assigned using DHCP).
(And by the way, could conflict with the customer's LAN addressing --
in that case, the customer will have to negotiate with the ISP, add
yet another NAT device, or renumber their LAN to accomodate their
ISP's lack of IPs)
--
-JH
More information about the ARIN-PPML
mailing list