[arin-ppml] Proposal - Remove Initial Small Assignment Requirements for IPv6

Mark Andrews marka at isc.org
Wed Sep 15 00:31:09 EDT 2021



> On 15 Sep 2021, at 13:28, Joe Maimon <jmaimon at chl.com> wrote:
> 
> 
> 
> Owen DeLong wrote:
>>> The point is that at this time, we should not have to justify nat in order to permit its standardization. Standardize it and let users figure it out.
>> Why? It’s a local application only technology not useful on the broader internet, so why bother to standardize it? Why waste time of the standards bodies?
> 
> Because the standard bodies exist to serve the needs of the users of the network and it would behoove them to remember that.
> 
> We have already learned from IPv4 NAT that having standards is better than not.
>> 
>>>> Nat also assumes that noone wants to run their own internet services. While many things like cameras use a remote server to bypass the NAT leading to vendor tiein, things are clearly cleaner if each workstation or other device like a camera can run its own publically accessable services. Note that this does not mean that firewalls cannot be in place to block things that are not intended to be world readable. NAT is NOT a substitute for a firewall.
>>> It is in IPv4. And lets not encourage camera server and devices to be globally accessible, we already know that is a disaster.
>> Actually, I’d suggest the following:
>> 	1.	NAT Is NOT a substitution for a firewall. It might be integral in the firewall in IPv4, but that’s not the same thing.
> 
> Reverse. The exact functionality of a firewall over an access list is state. Which is integral to NAT as deployed in IPv4.
> 
> The state serves to allow construction of restrictive access lists by amplifying their permissiveness, which are what actually provides the firewall security.
> 
> Without state, ACL's are not workable for general usage, and that includes the default deny all implicit rule that might or might not exist in the ACL.
> 
> In short, firewall state exists primarily to permit traffic, not to disallow it. As does NAT.
> 
> (I am sure you know this, but just in case anybody else is still reading this thread....)
> 
>> 	2.	Are cameras on the public internet a disaster because it was allowed,
> 
> As if there exists some process to allow or disallow certain devices to be connected to the public internet.
> 
> 
>>  or are they a disaster because MFRs were
>> 		able to assume that NAT would protect them from bad engineering and somehow everyone bought into the idea
>> 		that such an assumption and bad engineering was acceptable?
> 
> Neither, they are a disaster because a) security is not their manufactures (or users, or installers) strong suit or even focus and b) they dont get upgraded, just replaced.
> 
> Those championing IoT somehow think it will be better.
> 
> I think it more likely that expecting dual specialty, both in the particular application deployed and in the networking and securing of it is never going to realistically occur in any sort of widespread meaningful fashion.
> 
> And those whose specialty is networking and the securing of it would do well to take that into account.
> 
>> 	3.	I’d argue that switching the expectation from “Everything is behind NAT, so it’s OK to be security-careless” to
>> 		“Everything is publicly addressable and might be reachable, therefore security is important” would be very
>> 		good for the industry as a whole, not to mention end users. Yes, there will be some pain points as this
>> 		transition occurs, but the end result is highly desirable.
> 
> The only thing that will change, maybe, is that SOHO ipv6 routers will ship with default deny all. At least the responsible ones. Hopefully.
> 
> Or worse, is that they will choose to use ULA/NAT or similar and utterly disregard (as they have demonstrated already with IPv6 deployment that they are completely capable of doing so) what you or other standards bodies or anyone else have to say on the matter. Unless they are bringing their pocketbooks to the table.
> 
>>> I expect exactly that. I expect you to support peoples ability to make this choice, since the current alternative is
>> So you expect everyone else to put in effort to support your choice of technology because you don’t like our choice… Sounds a lot like your reasons earlier claiming we shouldn’t expect v6 to be widely deployed any time soon.
> 
> Reverse. I request you (and others of similar bend) stop putting in effort to hamper those who choose to, particularly and specifically when those efforts are born from ideologically preferences for choices already rejected by large portions of the internet.
> 
> If you choose to actually help, more power to you. And since I believe that better mechanisms could serve to boost IPv6 rate of adoption, perhaps you should. Since thats what you want. Unless you only want it on your terms, or not at all.
> 
>> 
>> You’ve successfully argued against yourself here. The advantage goes to v6 without NAT because it is further along in deployment than any effort to standardize NATv6 (fortunately).
>> 
>> Owen
>> 
> 
> My argument is that NAT in IPv6 is more likely to increase deployment of IPv6. Whatever your feelings towards NAT, I expect you would take the win and comfort yourself with hope that eventually those choosing or needing to use it will dwindle away and deliver your p2p utopia back unto you. Which I think is actually quite possible.

NAT exists in IPv6:

* IPv6-to-IPv6 Network Prefix Translation exists (RFC 6296, June 2011).

NATing between IPv6 and IPv4:

* Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (RFC 6146, April 2011)
* Mapping of Address and Port using Translation (MAP-T) (RFC 7599, July 2015)

Delivering a virtual IPv4 link over IPv6:

* Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion (RFC 6333, August 2011)
* 464XLAT: Combination of Stateful and Stateless Translation (RFC 6877, April 2013)
* Mapping of Address and Port with Encapsulation (MAP-E) (RFC 7597, July 2015)

As for firewalls see:

Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service (RFC 6092, January 2011)

Thousands of ISP’s are using these RFCs to deliver working IPv4 and IPv6 to their customers today.  Often the customer doesn’t even know they are using them.

Now if you don’t want to do a forklift upgrade deploy routers which support these RFCs as the old ones die and
slowly migrate to a IPv6-only IPV4AAS model.  Nobody has ever said that forklift upgrades where required.

Mark

> Joe
> 
> _____________________________________________
> ARIN-PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org



More information about the ARIN-PPML mailing list