[arin-ppml] Just a reminder of some quick mathematicsfor IPv4that shows the long term impossibility of it

[Ted Mittelstaedt]

On 5/18/2011 6:33 PM, George Herbert wrote:
> On Wed, May 18, 2011 at 5:11 PM, Owen DeLong<owen at delong.com>  wrote:
>> [...]
>>
>> What utility does NAT offer other than conserving addresses that cannot be
>> better accomplished by other technologies if you don't lack addresses?
>>
>>         Security: Provably false. NAT does not improve security, stateful
>>                 inspection provides security.
>
> I've had this argument with Owen in person (and many others in
> person), but asymmetrical routability and NAT provide some benefits to
> security.  The statement "does not improve security" is provably
> false.
>
> Stateful inspection is MUCH BETTER - yes.  But even stateful
> inspection isn't perfect if there are application layer
> vulnerabilities that the stateful inspector is not aware of.  I
> remember the time before buffer overflow...
>
> At the very least, NAT and its ilk provide information limitations on
> potential attackers.  This is not absolute, but neither is any other
> aspect of security.
>
> Security (and many other IT problems, generalizing) are statistical
> games of time-variable exposure potential and probability of exploit
> on known and unknown exposures.  Anything which limits the attack
> space is of utility.
>
> How is this relevant to ARIN and policy?  Policy should not be
> dictating technical solutions.  I'm all for IPv6.  I'm also all for
> NAT.    Policy that attempts to exclude viable solutions at the
> technical level is unwise.
>

My original point in starting this thread was NOT to attempt to
dictate policy that excluded technical solutions.  I was merely
attempting to illustrate the sheer futility of spending so much time
on attempting to help keep IPv4 going in the long term.

I run NAT and RFC1918 numbers on my home network.  I also run IPv6
natively on my home network.  My home router - which is a FreeBSD system 
- routes IPv6 and does NAT on IPv4 just fine.  I even run
an IPv6 firewall on it.  And it is connected via DSL to the ISP
I run, which offers both IPv4 and IPv6.  And my systems behind my router 
- which are autoassigned and dual-stacked, including Windows XP systems 
- work perfectly on my network to access both IPv4 and IPv6 networks.

Speed of access of content providing sites that are either IPv6 or IPv4 
or dual-stacked on the Internet is the same.  Telnet and SSH access
to either IPv4 or IPv6 numbers of hosts at the ISP and on the Internet
works fine too.  If every location that I accessed on the Internet was
dual-stacked and I replaced my remaining Windows XP systems, I could 
drop IPv4 and not even miss it.

Nowhere am I running any form of IPv6 NAT, I'm not running any kind of
IPv6->IPv4 NAT or IPv4->IPv6 NAT.  My setup was not difficult to
put together and the only thing needed to duplicate it to a typical
end user is a IPv4/IPv6 CPE.

With my experience it is crystal clear to me that there is only ONE
reason that anyone would advocate continued usage of IPv4 on the
Internet, and that is that they want to allow content providers to
continue to provide content ONLY via IPv4.  However, I fail to see
why the masses of end users out there who are not on the Internet now,
but will be in the future, and who are never going to ever get a public
IPv4 address in their lifetime assigned to anything that they own,
should have to saddle themselves with weird IPv6->IPv4 NAT bridge
devices or CGN with private numbers handed to them, just to allow a
group of content providers to remain on the IPv4 network.

The real question is "why should we build a future Internet that is 
dependent in any way on IPv4"  We should not.  And in a future Internet
where all content providers are dual-stacked, a client
system will have no problems they would need IPv4 to solve.

Ted

>
>