[arin-ppml] The role of NAT in IPv6
scottleibrand at gmail.com
Fri Mar 26 17:20:14 EDT 2010
On Fri 3/26/2010 1:55 PM, Roger Marquis wrote:
> It isn't just network security professionals who won't give up NAT,
> end-user consumers also won't. If anything is clear from the past few
> years' field trials it's that IPv6 has received a vote of no confidence
> from consumers. It has received that thumbs down primarily because it
> lacks address translation.
Are you talking about NAT66, NAT64, or something else? I personally
have not seen this backlash against NAT-less IPv6 by end users. There
have been some complaints about the insecurity of enabling a new
protocol by accident, but I haven't seen anyone maintaining that NAT66
is a security requirement for home users. I will agree that a stateful
firewall needs to be built in to home IPv6 routers to disallow incoming
IPv6 connections by default, except where allowed by the user (or by
something like UPnP). That doesn't require NAT66, though, at least in
the simple home environment.
> IMO there's no painless way to transition to IPv6 without NAT.
I assume you're talking about NAT-PT here?
> Compound that with the security issues created by the lack of NAT
> and, well, you have where we are today.
Up 'til now we've mostly been talking about NAT66 (IPv6 inside, IPv6
outside), rather than the various flavors of NAT-PT (NAT64 or NAT46 for
example). We also haven't been very specific about whether we're
talking 1:1 NAT66, or some sort of overloaded 1:many NAT (like we
usually use in IPv4 NAT).
Leaving aside NAT-PT and v4-v6 transition for the moment, can you
clarify how you would like to deploy NAT in an IPv6-only environment?
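
The default-deny stateful filtering described in the reply above, sketched as an nftables forward chain that does no address translation. This is an added example, not part of the original post; the interface names `lan0` and `wan0`, the documentation-prefix host address and the port 443 exception are assumptions.

```nftables
# Added example: forward policy for a home IPv6 router without NAT66.
# lan0 / wan0 and the 2001:db8:: address are assumed, constructed values.
table ip6 home_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that inside hosts opened, plus the ICMPv6
        # errors conntrack associates with them (e.g. packet-too-big)
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open connections outward; this creates the state
        iifname "lan0" oifname "wan0" accept

        # User-configured exception: one inside host, one service
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept

        # Anything else arriving on wan0 falls through to policy drop.
        # Inside hosts keep their global addresses; nothing is rewritten.
    }
}
```

The ruleset covers forwarded traffic only; traffic addressed to the router itself (neighbor discovery, router advertisements) belongs in a separate input chain.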