[arin-ppml] The role of NAT in IPv6

David Farmer farmer at umn.edu
Fri Mar 26 19:46:27 EDT 2010 

Matthew Kaufman wrote:
> Scott Leibrand wrote:
>> On Fri 3/26/2010 2:54 PM, Matthew Kaufman wrote:
>>> Please explain how you intend to eliminate manual renumbering for 
>>> corporate internal networks every time they change ISPs.
>>>
>>> (And note that RA and even DHCP6 don't fix all the manual setup of 
>>> things like "what is the address of the intranet web server".)
>>>
>>> There is a real cost to this, and the cost of a NAT device is pretty 
>>> much paid off the first or second time you're forced to renumber.
>>>
>>> Matthew Kaufman
>>
>> Matthew,
>>
>> So it sounds like you're describing something like private IPv6 
>> addresses on the inside, NAT66 at the edge, doing 1:1 mapping of the 
>> inside private IPv6 prefix to the currently-active outside public IPv6 
>> prefix?
>>
>> Does that accurately describe this use case?
>>
>> Thanks,
>> Scott
> That should be sufficient, yes. And of course I'd want my private IPv6 
> to come from a range I was sure nobody I ever acquired or was acquired 
> by was using.
> 
> Address overloading is probably not necessary.
> 
> A nice side effect is that I can have my NAT tweak the bottom 64 bits in 
> case my hosts insist on exposing details of their MAC address there 
> (which I consider to be a security problem).
> 
> Matthew Kaufman

While I would rather just have GUA-PI on all of my hosts and do stateful 
firewall if I feel the need, I'm not opposed to this at all.

Also, if you stay with 1:1 NAT, you could do the NAT with a stateless 
process.  Many people will still want a stateful firewall, but having 
the option is useful.  And you could NAT and firewall in separate 
places,  Like NAT at your Internet Border and stateful firewall closer 
in, maybe even at the subnet level.

It would also be useful if NAT66 was designed with a way to inform the 
inside host of the NAT translation, this way it could be do in a way 
more friendly to the applications.

So if a network operator want to use NAT66, it is not from us(ARIN) to 
them NO.  And, I believe the network operator should have the choice of 
GUA-PI, ULA-C, or ULA-L.  I believe ARIN Policy should leave it up to 
the network operator to chose.

I could see any of the following, as reasonable way to use NAT66. And, 
I'm not sure why policy shouldn't allow any of these, if that is what a 
network operator wants to do.

Outside-to-Inside:
GUA-PA NAT66 GUA-PI
GUA-PA NAT66 ULA-C
GUA-PA NAT66 ULA-L
GUA-PI NAT66 ULA-C
GUA-PI NAT66 ULA-L

However, do believe that GUA-PI NAT66 GUA-PI, as a single entity, by 
requesting two separate GUA-PI blocks would be a policy violation. So 
unless GUA-PI NAT66 GUA-PI was being done between two separate entities 
this is probably a policy violation.  And, I'm not sure why you wouldn't 
just route and have stateful firewall if needed.

Again ULA-C NAT66 ULA-C is probably policy violation and just silly 
similar to GUA-PI NAT66 GUA-PI.

ULA-L NAT66 ULA-L wouldn't be a policy violation, but in most cases it 
would be silly.  Unless, you were unlucky and merged with someone using 
the same ULA-L prefix as you.

Anyone doing GUA-PA NAT66 GUA-PA should just be put in front of a firing 
squad, that is beyond silly.  But, I'm sure it is going to happen.

So, while I would rather live in a universe without NAT66, in reality we 
will need it.

I think NAT66 is mostly outside of PPML, the important part for PPML is 
we should provide an addressing solution that enables those that want to 
operate their network in this way to do it.

How we got to the Internet we have today, creating both the good and 
bad, is we let multiple solutions flourish.  Solutions were allowed to 
live and die on on there own, with as little dictates from any central 
authority as possible.  It generally has worked.

We can argue all we want about which solution is better, but unless a 
something about a particular solution will endanger the whole, then it 
should be given the chance to flourish.

So lets find a way to make ULA-C work, I think we are getting close.

-- 
===============================================
David Farmer               Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota	
2218 University Ave SE	    Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

More information about the ARIN-PPML mailing list