[arin-ppml] The role of NAT in IPv6
Matthew Kaufman
matthew at matthew.at
Fri Mar 26 19:32:42 EDT 2010
Gary T. Giesen wrote:
> There have to be controls. Obviously the burden to renumber a few
> servers and half a dozen workstations is far less than an organization
> with 5,000 servers and 50,000 employees, so the bar has to be set
> somewhere. I'm just saying it should be set lower than it currently is.
>
Much lower.
All companies with 5000 servers and 50000 employees started out as a few
employees in a small office somewhere. And most startups with a few
employees in a small office hope to grow into an organization with 5000
servers and 50000 employees...
...and if one of those half-dozen people has ever been through the
renumbering pain, they will insist, and rightly so, on ensuring that
either through globally-unique routable address space or NAT that their
new employer never must suffer through the same pain.
> But chances are a company of that size won't know the difference anyways
> and will accept whatever their provider hands them.
>
The moment they have someone on staff who knows the pain of renumbering
and knows that the bigger you get, the harder it is, they'll switch to
NAT or GUA. One of the two.
> I'm not saying that developing the appropriate policy will be easy, but
> given the alternative (NAT), I vote to try. Not only that, my suggestion
> requires the development of exactly *zero* new
> protocols/implementations. This gives time for vendors to catch up
> without worrying about trying to hit a moving target. We've got the
> protocol now, and the mechanisms we need to deploy it. Let's not further
> delay adoption because we're clinging onto a bastardized hack which was
> designed only to prolong the life of the old protocol and is completely
> unnecessary in the new one.
>
But that's the thing. It *isn't* "completely unnecessary in the new one"
and *that very belief* is why we don't have such devices already on
sale. I've pointed out two reasons already (masking MAC addresses from
hosts that put them in the bottom 64 bits, and ensuring that users of PA
space don't need to renumber), and I'll add one more: compliance with
the checklist-style audits which have "internal topology is hidden from
outside" as a checklist item for the Sarbanes-Oxley, HIPAA, and related
law-driven auditing.
> Obviously you've never been on the other end of a call of a customer who
> has (mis)configured policy-NAT on their SMB gateway which shoots packets
> sourced from different IPs based on the port and what day of the
> month it is. IPv6 was actually designed to be simpler than v4. Let's not
> change that.
>
I've designed, built, and supported ISPs off and on since 1993. The IPv6
community continues to be filled with people who insist on not meeting
the reasonable demands of customers, and who are then surprised when
adoption rates are low.
Matthew Kaufman
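Added example, not part of Matthew Kaufman's post or the ARIN-PPML thread: the "MAC address in the bottom 64 bits" point above refers to SLAAC hosts that build their interface identifier with Modified EUI-64 (RFC 4291, Appendix A). The code below shows the derivation, shows that anyone who sees such an address can read the MAC back out, and shows that the same host is recognisable under every prefix it is ever numbered into, which is the exposure that NAT66 or RFC 4941 temporary addresses are meant to cover. The MAC and the 2001:db8::/32 documentation prefixes are constructed sample values.

```python
import ipaddress
from typing import Optional

# Added example (not from the original post). The MAC and prefixes used in
# __main__ are constructed sample values, not real hosts.


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit (0x02 in the first octet) and splice
    # 0xFFFE between the OUI half and the device-specific half.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: str) -> str:
    """Address a SLAAC host using EUI-64 identifiers would form under prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    packed = net.network_address.packed[:8] + mac_to_iid(mac)
    return str(ipaddress.IPv6Address(packed))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if addr carries an EUI-64 identifier, else None.

    None covers RFC 4941 temporary addresses, manually assigned addresses,
    or anything else without the 0xFFFE marker in the middle of the IID.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def tracks_across_prefixes(mac: str, prefixes) -> bool:
    """True when the same MAC is readable from the host's address under
    every prefix given: renumbering changes the top 64 bits only, so the
    host stays identifiable wherever it is numbered."""
    seen = {mac_from_address(eui64_address(p, mac)) for p in prefixes}
    return len(seen) == 1 and None not in seen


if __name__ == "__main__":
    sample_mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    for prefix in ("2001:db8:1::/64", "2001:db8:2:abcd::/64"):
        addr = eui64_address(prefix, sample_mac)
        print(f"{prefix:22} -> {addr}  leaks MAC {mac_from_address(addr)}")
    print("temporary-style address leaks MAC:",
          mac_from_address("2001:db8:1:0:a1b2:c3d4:e5f6:789a"))
```

Running it prints the two EUI-64 addresses for the sample host and the MAC recovered from each; the last line prints None for an address without the 0xFFFE marker, which is what a host with privacy extensions (or a NAT66 box rewriting the low 64 bits) would present to the outside.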