[arin-ppml] The role of NAT in IPv6

Scott Leibrand scottleibrand at gmail.com
Fri Mar 26 17:20:14 EDT 2010


On Fri 3/26/2010 1:55 PM, Roger Marquis wrote:
>
> It isn't just network security professionals who won't give up NAT,
> end-user consumers also won't.  If anything is clear from the past few
> years' field trials it's that IPv6 has received a vote of no confidence
> from consumers.  It has received that thumbs down primarily because it
> lacks address translation.

Are you talking about NAT66, NAT64, or something else?  I personally 
have not seen this backlash against NAT-less IPv6 by end users.  There 
have been some complaints about the insecurity of enabling a new 
protocol by accident, but I haven't seen anyone maintaining that NAT66 
is a security requirement for home users.  I will agree that a stateful 
firewall needs to be built in to home IPv6 routers to disallow incoming 
IPv6 connections by default, except where allowed by the user (or by 
something like UPnP).  That doesn't require NAT66, though, at least in 
the simple home environment.

> IMO there's no painless way to transition to IPv6 without NAT.

I assume you're talking about NAT-PT here?

> Compound that with the security issues created by the lack of NAT
> and, well, you have where we are today.

Up 'til now we've mostly been talking about NAT66 (IPv6 inside, IPv6 
outside), rather than the various flavors of NAT-PT (NAT64 or NAT46 for 
example).  We also haven't been very specific about whether we're 
talking 1:1 NAT66, or some sort of overloaded 1:many NAT (like we 
usually use in IPv4 NAT).

Leaving aside NAT-PT and v4-v6 transition for the moment, can you 
clarify how you would like to deploy NAT in an IPv6-only environment?

Thanks,
Scott
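
The default-deny inbound policy described in the reply above, modeled as a stateful forwarding filter that never rewrites an address. This is an added illustration, not part of the original message; the class and function names and the 2001:db8:: addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("2001:db8:1::/64")  # constructed documentation prefix

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class StatefulV6Filter:
    lan: ipaddress.IPv6Network
    flows: set = field(default_factory=set)     # outbound 5-tuples already seen
    pinholes: set = field(default_factory=set)  # (host, port, proto) opened by the user

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.lan

    def allow_inbound(self, host, port, proto="tcp"):
        """The user (or a UPnP-like helper) opens one inside host and port."""
        self.pinholes.add((host, port, proto))

    def forward(self, p):
        """Return (verdict, packet); the packet is returned unmodified."""
        if self._inside(p.src) and not self._inside(p.dst):
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "accept", p
        if self._inside(p.dst) and not self._inside(p.src):
            reply_of = (p.dst, p.dport, p.src, p.sport, p.proto)
            if reply_of in self.flows or (p.dst, p.dport, p.proto) in self.pinholes:
                return "accept", p
        return "drop", p  # unsolicited inbound, or traffic this router does not forward

def demo():
    fw = StatefulV6Filter(LAN)
    host, server, outsider = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    verdicts = [
        fw.forward(Packet(host, 50000, server, 443))[0],   # outbound connection
        fw.forward(Packet(server, 443, host, 50000))[0],   # reply to that connection
        fw.forward(Packet(outsider, 40000, host, 22))[0],  # unsolicited inbound
    ]
    fw.allow_inbound(host, 22)                             # user-approved exception
    verdicts.append(fw.forward(Packet(outsider, 40000, host, 22))[0])
    return verdicts
```
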


