[arin-ppml] Proposal - Remove Initial Small Assignment Requirements for IPv6
Joe Maimon
jmaimon at chl.com
Tue Sep 14 23:28:52 EDT 2021
Owen DeLong wrote:
>> The point is that at this time, we should not have to justify nat in order to permit its standardization. Standardize it and let users figure it out.
> Why? It’s a local application only technology not useful on the broader internet, so why bother to standardize it? Why waste time of the standards bodies?
Because the standard bodies exist to serve the needs of the users of the
network and it would behoove them to remember that.
We have already learned from IPv4 NAT that having standards is better
than not.
>
>>> Nat also assumes that noone wants to run their own internet services. While many things like cameras use a remote server to bypass the NAT leading to vendor tiein, things are clearly cleaner if each workstation or other device like a camera can run its own publically accessable services. Note that this does not mean that firewalls cannot be in place to block things that are not intended to be world readable. NAT is NOT a substitute for a firewall.
>> It is in IPv4. And lets not encourage camera server and devices to be globally accessible, we already know that is a disaster.
> Actually, I’d suggest the following:
> 1. NAT Is NOT a substitution for a firewall. It might be integral in the firewall in IPv4, but that’s not the same thing.
Reverse. The exact functionality of a firewall over an access list is
state. Which is integral to NAT as deployed in IPv4.
The state serves to allow construction of restrictive access lists by
amplifying their permissiveness, which are what actually provides the
firewall security.
Without state, ACL's are not workable for general usage, and that
includes the default deny all implicit rule that might or might not
exist in the ACL.
In short, firewall state exists primarily to permit traffic, not to
disallow it. As does NAT.
(I am sure you know this, but just in case anybody else is still reading
this thread....)
> 2. Are cameras on the public internet a disaster because it was allowed,
As if there exists some process to allow or disallow certain devices to
be connected to the public internet.
> or are they a disaster because MFRs were
> able to assume that NAT would protect them from bad engineering and somehow everyone bought into the idea
> that such an assumption and bad engineering was acceptable?
Neither, they are a disaster because a) security is not their
manufactures (or users, or installers) strong suit or even focus and b)
they dont get upgraded, just replaced.
Those championing IoT somehow think it will be better.
I think it more likely that expecting dual specialty, both in the
particular application deployed and in the networking and securing of it
is never going to realistically occur in any sort of widespread
meaningful fashion.
And those whose specialty is networking and the securing of it would do
well to take that into account.
> 3. I’d argue that switching the expectation from “Everything is behind NAT, so it’s OK to be security-careless” to
> “Everything is publicly addressable and might be reachable, therefore security is important” would be very
> good for the industry as a whole, not to mention end users. Yes, there will be some pain points as this
> transition occurs, but the end result is highly desirable.
The only thing that will change, maybe, is that SOHO ipv6 routers will
ship with default deny all. At least the responsible ones. Hopefully.
Or worse, is that they will choose to use ULA/NAT or similar and utterly
disregard (as they have demonstrated already with IPv6 deployment that
they are completely capable of doing so) what you or other standards
bodies or anyone else have to say on the matter. Unless they are
bringing their pocketbooks to the table.
>> I expect exactly that. I expect you to support peoples ability to make this choice, since the current alternative is
> So you expect everyone else to put in effort to support your choice of technology because you don’t like our choice… Sounds a lot like your reasons earlier claiming we shouldn’t expect v6 to be widely deployed any time soon.
Reverse. I request you (and others of similar bend) stop putting in
effort to hamper those who choose to, particularly and specifically when
those efforts are born from ideologically preferences for choices
already rejected by large portions of the internet.
If you choose to actually help, more power to you. And since I believe
that better mechanisms could serve to boost IPv6 rate of adoption,
perhaps you should. Since thats what you want. Unless you only want it
on your terms, or not at all.
>
> You’ve successfully argued against yourself here. The advantage goes to v6 without NAT because it is further along in deployment than any effort to standardize NATv6 (fortunately).
>
> Owen
>
My argument is that NAT in IPv6 is more likely to increase deployment of
IPv6. Whatever your feelings towards NAT, I expect you would take the
win and comfort yourself with hope that eventually those choosing or
needing to use it will dwindle away and deliver your p2p utopia back
unto you. Which I think is actually quite possible.
Joe
More information about the ARIN-PPML
mailing list