[arin-ppml] Proposal - Remove Initial Small Assignment Requirements for IPv6

Joe Maimon jmaimon at chl.com
Tue Sep 14 23:28:52 EDT 2021



Owen DeLong wrote:
>> The point is that at this time, we should not have to justify nat in order to permit its standardization. Standardize it and let users figure it out.
> Why? It’s a local application only technology not useful on the broader internet, so why bother to standardize it? Why waste time of the standards bodies?

Because the standard bodies exist to serve the needs of the users of the 
network and it would behoove them to remember that.

We have already learned from IPv4 NAT that having standards is better 
than not.
>
>>> Nat also assumes that noone wants to run their own internet services. While many things like cameras use a remote server to bypass the NAT leading to vendor tiein, things are clearly cleaner if each workstation or other device like a camera can run its own publically accessable services. Note that this does not mean that firewalls cannot be in place to block things that are not intended to be world readable. NAT is NOT a substitute for a firewall.
>> It is in IPv4. And lets not encourage camera server and devices to be globally accessible, we already know that is a disaster.
> Actually, I’d suggest the following:
> 	1.	NAT Is NOT a substitution for a firewall. It might be integral in the firewall in IPv4, but that’s not the same thing.

Reverse. The exact functionality of a firewall over an access list is 
state. Which is integral to NAT as deployed in IPv4.

The state serves to allow construction of restrictive access lists by 
amplifying their permissiveness, which are what actually provides the 
firewall security.

Without state, ACL's are not workable for general usage, and that 
includes the default deny all implicit rule that might or might not 
exist in the ACL.

In short, firewall state exists primarily to permit traffic, not to 
disallow it. As does NAT.

(I am sure you know this, but just in case anybody else is still reading 
this thread....)

> 	2.	Are cameras on the public internet a disaster because it was allowed,

As if there exists some process to allow or disallow certain devices to 
be connected to the public internet.


>   or are they a disaster because MFRs were
> 		able to assume that NAT would protect them from bad engineering and somehow everyone bought into the idea
> 		that such an assumption and bad engineering was acceptable?

Neither, they are a disaster because a) security is not their 
manufactures (or users, or installers) strong suit or even focus and b) 
they dont get upgraded, just replaced.

Those championing IoT somehow think it will be better.

I think it more likely that expecting dual specialty, both in the 
particular application deployed and in the networking and securing of it 
is never going to realistically occur in any sort of widespread 
meaningful fashion.

And those whose specialty is networking and the securing of it would do 
well to take that into account.

> 	3.	I’d argue that switching the expectation from “Everything is behind NAT, so it’s OK to be security-careless” to
> 		“Everything is publicly addressable and might be reachable, therefore security is important” would be very
> 		good for the industry as a whole, not to mention end users. Yes, there will be some pain points as this
> 		transition occurs, but the end result is highly desirable.

The only thing that will change, maybe, is that SOHO ipv6 routers will 
ship with default deny all. At least the responsible ones. Hopefully.

Or worse, is that they will choose to use ULA/NAT or similar and utterly 
disregard (as they have demonstrated already with IPv6 deployment that 
they are completely capable of doing so) what you or other standards 
bodies or anyone else have to say on the matter. Unless they are 
bringing their pocketbooks to the table.

>> I expect exactly that. I expect you to support peoples ability to make this choice, since the current alternative is
> So you expect everyone else to put in effort to support your choice of technology because you don’t like our choice… Sounds a lot like your reasons earlier claiming we shouldn’t expect v6 to be widely deployed any time soon.

Reverse. I request you (and others of similar bend) stop putting in 
effort to hamper those who choose to, particularly and specifically when 
those efforts are born from ideologically preferences for choices 
already rejected by large portions of the internet.

If you choose to actually help, more power to you. And since I believe 
that better mechanisms could serve to boost IPv6 rate of adoption, 
perhaps you should. Since thats what you want. Unless you only want it 
on your terms, or not at all.

>
> You’ve successfully argued against yourself here. The advantage goes to v6 without NAT because it is further along in deployment than any effort to standardize NATv6 (fortunately).
>
> Owen
>

My argument is that NAT in IPv6 is more likely to increase deployment of 
IPv6. Whatever your feelings towards NAT, I expect you would take the 
win and comfort yourself with hope that eventually those choosing or 
needing to use it will dwindle away and deliver your p2p utopia back 
unto you. Which I think is actually quite possible.

Joe




More information about the ARIN-PPML mailing list