[arin-ppml] The role of NAT in IPv6

Matthew Kaufman matthew at matthew.at
Fri Mar 26 19:32:42 EDT 2010


Gary T. Giesen wrote:
> There have to be controls. Obviously the burden to renumber a few
> servers and half a dozen workstations is far less than an organization
> with 5,000 servers and 50,000 employees, so the bar has to be set
> somewhere. I'm just saying it should be set lower than it currently is.
>   
Much lower.

All companies with 5000 servers and 50000 employees started out as a few 
employees in a small office somewhere. And most startups with a few 
employees in a small office hope to grow into an organization with 5000 
servers and 50000 employees...

...and if one of those half-dozen people has ever been through the 
renumbering pain, they will insist, and rightly so, on ensuring that 
either through globally-unique routable address space or NAT that their 
new employer never must suffer through the same pain.

> But chances are a company of that size won't know the difference anyways
> and will accept whatever their provider hands them.
>   
The moment they have someone on staff who knows the pain of renumbering 
and knows that the bigger you get, the harder it is, they'll switch to 
NAT or GUA. One of the two.
> I'm not saying that developing the appropriate policy will be easy, but
> given the alternative (NAT), I vote to try. Not only that, my suggestion
> requires the development of exactly *zero* new
> protocols/implementations. This gives time for vendors to catch up
> without worrying about trying to hit a moving target. We've got the
> protocol now, and the mechanisms we need to deploy it. Let's not further
> delay adoption because we're clinging onto a bastardized hack which was
> designed only to prolong the life of the old protocol and is completely
> unnecessary in the new one.
>   
But that's the thing. It *isn't* "completely unnecessary in the new one" 
and *that very belief* is why we don't have such devices already on 
sale. I've pointed out two reasons already (masking MAC addresses from 
hosts that put them in the bottom 64 bits, and ensuring that users of PA 
space don't need to renumber), and I'll add one more: compliance with 
the checklist-style audits which have "internal topology is hidden from 
outside" as a checklist item for the Sarbanes-Oxley, HIPAA, and related 
law-driven auditing.
> Obviously you've never been on the other end of a call of a customer who
> has (mis)configured policy-NAT on their SMB gateway which shoots packets
> sourced from different IPs based on the the port and what day of the
> month it is. IPv6 was actually designed to be simpler than v4. Let's not
> change that.
>   
I've designed, built, and supported ISPs off and on since 1993. The IPv6 
community continues to be filled with people who insist on not meeting 
the reasonable demands of customers, and who are then surprised when 
adoption rates are low.

Matthew Kaufman
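The MAC-in-the-bottom-64-bits problem mentioned above is the modified EUI-64 interface identifier that SLAAC hosts derive from their hardware address (RFC 4291, Appendix A). The following is an added example, not part of the original post and not code from anyone on the thread, showing how that identifier is built and how an observer recovers the MAC and tracks the same host across two different provider prefixes; the MAC, prefixes and random-looking address below are constructed for illustration.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC.

    Per RFC 4291 Appendix A: flip the universal/local bit (bit 1 of the
    first octet) and insert 0xFFFE between the OUI and the NIC-specific part.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = bytes([octets[0] ^ 0x02])
    return first + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 IID the way a SLAAC host would."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def embedded_mac(addr: str):
    """Return the MAC embedded in an address's IID, or None if it is not EUI-64 shaped.

    The 0xFFFE marker is a strong heuristic, not proof: a random IID (RFC 4941
    temporary address) lands on it with probability 1/65536.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def same_host(addr_a: str, addr_b: str) -> bool:
    """True when two addresses under different prefixes carry the same EUI-64 IID.

    This is the tracking property: the IID follows the hardware, not the network,
    so the host is recognisable wherever it attaches.
    """
    a, b = embedded_mac(addr_a), embedded_mac(addr_b)
    return a is not None and a == b


if __name__ == "__main__":
    # Constructed sample data (documentation prefixes and a made-up MAC).
    mac = "00:1a:2b:3c:4d:5e"
    home = slaac_address("2001:db8:1234:5678::/64", mac)
    office = slaac_address("2001:db8:abcd:1::/64", mac)
    print(home, "->", embedded_mac(home))
    print(office, "->", embedded_mac(office))
    print("same host across prefixes:", same_host(home, office))
    # A random-looking IID, as a temporary address would have, leaks nothing.
    print(embedded_mac("2001:db8:1234:5678:1c4b:9a3e:7f21:d6e"))
```

The point for the NAT discussion is the last two prints: an EUI-64 address exposes the NIC vendor and serial to every peer and lets the host be correlated across any prefix it ever uses, whereas a randomised IID (or a translator rewriting the source) does not; a checker like `embedded_mac` is a cheap way to audit a /64 for hosts still using the old scheme.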