[arin-ppml] CGN multiplier was: RE: Input on an article by Geoff Huston (potentially/myopically off-topic addendum)

Owen DeLong owen at delong.com
Thu Sep 15 12:07:42 EDT 2011

Sent from my iPad

On Sep 15, 2011, at 10:04, "Michel Py" <michel at arneill-py.sacramento.ca.us> wrote:

>> Owen DeLong wrote:
>> But the barrier to getting PI in IPv6 is so low that
>> I really think PI is preferable to NAT.
> Not always. I was reading the exchange with Matthew, and he wins the
> argument. You start to sound like Keith Moore ;-)
> For the small fish, there are 5 needs:
> 1. Basic and idiot-proof firewall.

There's no difference here between NAT and no NAT. The stateful inspection firewall portion is identical.

> 2. No renumbering when switching providers.

PI does this at least as well, if not better than NAT.

> 3. Some kind of fault tolerance.

PI does this better than NAT.

> 4. Some kind of load-balancing.

NAT actually makes this harder. PI makes it easier.

> 5. Cheaper than dirt.

This is the one place where NAT currently has an advantage.

> NAT provides all these. PI does not. And I see all the time companies
> with PI and full BGP that also use NAT.

Only in IPv4 and only because of IPv4 address shortage (or ignorance).

Yes, PI is currently more expensive than NAT. However, that additional cost is largely artificial and primarily centers around the convenience of the providers and the implications of IPv4 address shortage that are built into the design assumptions of current access networks.

There is no reason that needs to remain the case.

In reality, the hardware to deploy a full multi-homed solution, including tunnel-terminating routers for 2 colos, can be had for about $600. You can find 1U colo slots for around $40/month or less, including transit.

While it's not "cheaper than dirt", it is a vastly superior solution and it's not that much more expensive. If you're willing to use free tunnel brokers instead of running your own tunnel termination in a colo, then you can do it for very close to the same price as the NAT based solution, needing only a slightly more sophisticated router (such as a Mikrotik or SRX-100) than your basic NAT box.

> So, we still haven't found the Holy Grail that provides all of these
> features without the inconveniences of NAT.

We're pretty close. It's just a matter of cost. IMHO, you get what you pay for is the adage that applies here.

FWIW, I think of my house as being pretty equivalent in its needs to a multi-homed SMB. I went the colo router+tunnels route because it was the most cost-effective mechanism to achieve multi-homed IPv4 access. It's been working quite well and I'm very happy with it. I do not run NAT at home for IPv4 or IPv6. I am multi-homed primarily for exactly the reasons outlined in Matthew's earlier post (cable is unreliable, DSL is slow, etc.).

The only reason I end up fiddling with the configuration is when my cable IP address changes, because I'm not willing to give Comcast $60/year for a static address. Otherwise, it's been fire-and-forget and quite reliable.
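The point about the "idiot-proof firewall" above is that the protection people attribute to NAT actually comes from the stateful inspection in front of it, and that part is identical whether or not addresses are translated. The ruleset below is an added illustration of that claim (it is not from the original post or from any router product mentioned in it): an nftables configuration for a small IPv6 edge router using PI or tunnel-delivered addresses, with no NAT at all. Interface names `lan0` and `wan0` and the documentation prefix `2001:db8::/32` are assumed placeholders.

```nftables
# Added example: stateful IPv6 edge firewall with no address translation.
# Assumptions (not from the original post): LAN side is "lan0", upstream is
# "wan0", and 2001:db8::/48 is the site's own (PI or tunnel-delivered) prefix.
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: default deny.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional in IPv6: neighbor discovery, router
        # advertisements and Path MTU discovery all depend on it.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Management only from the inside.
        iif "lan0" accept
    }

    chain forward {
        # Traffic transiting the router: default deny, which is exactly the
        # behaviour people get "for free" from a NAT box.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions the LAN opened come back by connection tracking,
        # no translation table required.
        ct state established,related accept
        ct state invalid drop

        # Unsolicited inbound to the site prefix is dropped by policy; only
        # explicitly published services are opened, one rule per service.
        # Example (constructed): a web server on 2001:db8::10.
        iif "wan0" ip6 daddr 2001:db8::10 tcp dport { 80, 443 } ct state new accept

        # Keep the ICMPv6 messages that hosts need for PMTUD and diagnostics.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Anything the LAN initiates toward the upstream is allowed out.
        iif "lan0" oif "wan0" ip6 saddr 2001:db8::/48 ct state new accept
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`. Note that the outbound rule also filters on the site's own source prefix; that is the spoofing check NAT used to do as a side effect of rewriting addresses, and it has to be written down explicitly once translation goes away. Everything else in the "firewall" is the same connection-tracking logic a NAT box runs before it ever touches an address.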

