What’s The Point of NAT66?


Frequent visitors to this site know of my crusade against all things Network Address Translation (NAT).  Despite its few useful properties and our current reliance on it with IPv4, I consider it to be a kludge at best.  However, some people see NAT as a necessity of modern networks and have begun working hard to ensure that NAT will live on with our shift to IPv6.

I realize that NAT is a necessary evil today.  The IPv4 Internet would have imploded long ago without translating the meager number of prefixes available into the large number of “private” devices sitting behind NAT gateways.  NAT is the duct tape that has held things together for the last ten years while we prep a long term solution like IPv6.  Alas, some people in the community think that since NAT has done such a good job fixing things for so long that it should be the all-in-one tool in their toolbox for every network problem.  Some people think it’s a great way to provide security for a network.  These people often confuse NAT with what a firewall does in conjunction with NAT.  NAT in and of itself provides no additional security beyond masking addresses; the stateful filtering that people credit to NAT is the firewall’s doing.  NAT also adds complexity when troubleshooting.  NAT boundaries break things like VoIP.  Packets hit the gateway device and get lost headed back to the source.  NAT does this for almost every form of end-to-end communication in the Internet.  If you add in Port Address Translation (PAT), where you translate a whole block of private addresses to one public IP address, you push the processor on your firewall to the breaking point.  I don’t have the hard numbers to prove my supposition, but I’d venture a guess that 50% of a firewall’s processor time is spent translating NAT/PAT rather than shuffling packets to their proper destinations.

IPv6 doesn’t currently have a concept of direct address translation.  Nor does it need one. There isn’t a dwindling pool of global addresses that need to be extended.  With the large amount of addresses available, the odds that two companies are going to have overlapping address spaces that will need to be translated in a merger are slim.  Right now, the only viable use case I can see for NAT used in relation to IPv6 is for translating the IPv6 addresses on a network to something that can access the IPv4 Internet without a dual-stacked router (NAT64).  Even this use case is rather dubious in my mind, but Ivan has managed to convince me that it’s useful in the short term.  So why do I still hear about RFC 6296? Why does Jeff Fry point out stories like this to me?  What is this world coming to?  Let me make this clear:

NAT on IPv6 is pointless and a bad idea.

There is no reason to implement native IPv6-to-IPv6 NAT (NAT66) in reality.  The address space is way too big to require translation in the foreseeable future, in my lifetime or even that of my kids.  If you are really concerned about hiding your addresses or disguising your MAC address, you can look into the idea of Temporary Addressing.  In the middle of writing this post, Paul Regan asked me about using NAT to translate when you move from one provider to another.  That might be a good use case, and it happens to be the one that RFC 6296 is lined up to address, but if keeping your IPv6 space is so important when you move, why not sign up for a provider-independent block from your local Regional Internet Registry (RIR) and run BGP to advertise it yourself?  If you switch ISPs often enough to keep switching IP schemes every few months, maybe you need to worry more about stability and less about chasing the lowest ISP price.  If your ISP keeps forcing you to switch addressing space that often, it might be time to shop around.
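RFC 6296 is the prefix-translation flavor of NAT66 that the provider-switching argument relies on. As an added example that is not part of this post, the /48 case of its stateless, checksum-neutral mapping is worked through below in Python, with constructed prefixes fd01:203:405::/48 (inside) and 2001:db8:1::/48 (outside); it shows that the translator keeps no per-flow state and rewrites no ports, but still sits in the path of every end-to-end flow and still hands applications an address that differs from the one they see on the wire.

```python
"""RFC 6296-style (NPTv6) prefix translation for the /48 case.

Added example, not code from the post.  The mapping is algorithmic and
stateless: the only stored value is a 16-bit "adjustment" that keeps the
one's complement sum of the address words unchanged, so TCP/UDP/ICMPv6
pseudo-header checksums stay valid without the translator touching the
transport layer.  A subnet ID of 0xFFFF is not supported (assumption of
this example, kept out of scope for brevity).
"""
import ipaddress


def fold16(value: int) -> int:
    """Fold an integer into a 16-bit one's complement sum."""
    while value >> 16:
        value = (value & 0xFFFF) + (value >> 16)
    return value


def ones_sum(words) -> int:
    return fold16(sum(words))


def ones_add(a: int, b: int) -> int:
    return fold16(a + b)


def ones_neg(a: int) -> int:
    """One's complement negation (bitwise NOT within 16 bits)."""
    return (~a) & 0xFFFF


def words(addr: ipaddress.IPv6Address) -> list:
    """Split a 128-bit address into its eight 16-bit words, most significant first."""
    return [(int(addr) >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(ws) -> ipaddress.IPv6Address:
    value = 0
    for w in ws:
        value = (value << 16) | w
    return ipaddress.IPv6Address(value)


def checksum_neutral(a: str, b: str) -> bool:
    """True if a and b contribute the same value to a pseudo-header checksum."""
    def norm(s):  # 0xFFFF is one's complement "negative zero"
        return 0 if s == 0xFFFF else s
    return norm(ones_sum(words(ipaddress.IPv6Address(a)))) == \
        norm(ones_sum(words(ipaddress.IPv6Address(b))))


class Npt66:
    """Stateless /48 <-> /48 prefix translator (constructed example)."""

    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != 48 or self.external.prefixlen != 48:
            raise ValueError("this example handles the /48 case only")
        self._int_words = words(self.internal.network_address)[:3]
        self._ext_words = words(self.external.network_address)[:3]
        # adjustment = checksum(internal prefix) - checksum(external prefix)
        self.adjustment = ones_add(ones_sum(self._int_words),
                                   ones_neg(ones_sum(self._ext_words)))

    def _translate(self, addr: str, src_net, prefix_words, delta: int) -> str:
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        ws = words(a)
        ws[:3] = prefix_words            # swap the /48 prefix
        ws[3] = ones_add(ws[3], delta)   # absorb the difference in the subnet ID
        if ws[3] == 0xFFFF:              # both encode one's complement zero
            ws[3] = 0x0000
        return str(from_words(ws))

    def outbound(self, addr: str) -> str:
        """Inside -> outside: add the adjustment to bits 48..63."""
        return self._translate(addr, self.internal, self._ext_words, self.adjustment)

    def inbound(self, addr: str) -> str:
        """Outside -> inside: subtract the adjustment from bits 48..63."""
        return self._translate(addr, self.external, self._int_words,
                               ones_neg(self.adjustment))


if __name__ == "__main__":
    npt = Npt66("fd01:203:405::/48", "2001:db8:1::/48")
    inside = "fd01:203:405:1::1"
    outside = npt.outbound(inside)
    print(inside, "->", outside, "->", npt.inbound(outside))
    print("checksum neutral:", checksum_neutral(inside, outside))
```

Note that a plain prefix swap without the adjustment (2001:db8:1:1::1 for the host above) would break every transport checksum, which is why the subnet field, not the interface identifier, changes on the wire.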

I truly believe that the people out there chasing the NAT66 sasquatch are looking for a new security blanket.  They’ve dealt with NAT for so long in IPv4 that the idea of using IPv6 sans NAT makes them lie awake at night in a cold sweat.  Why else would you take something so unnecessary and bolt it on after the fact?  There’s no need to have NAT unless you take the position “it’s how we’ve always done it”.  The NAT66 proponents must think that NAT is needed simply because they’re unsure how to configure a firewall otherwise.  Obviously, without NAT the Internet breaks.  So we must have it in IPv6 or things won’t work right.  However, I think that having NAT66 will cause people to keep configuring their networks incorrectly and lead to confusion and problems down the road.  If IPv6 is going to require a shift in thinking like so many people keep telling me, why not truly shift our thinking away from things like NAT?  We’ve already done it once before with the concept of reserved local addresses.  RFC 1884 tried to define a site local address similar to what we think of with RFC 1918 addressing.  This was such a horrible idea that RFC 3879 came out and deprecated the whole idea.  (Yes, I know about RFC 4193.  I’m not talking about it.)

If there are people out there that think we still need to cling fervently to old ideas to help ease our transition to the Internet of the Future™, then I’m going to make my own proposal.  I think it’s time that we put the IP checksum field back into the IPv6 header.  Yes, I know that TCP has its own checksum and that the underlying packet must be good if the TCP checksum comes out okay.  Yes, I know that having a checksum in the IPv6 header is silly if there aren’t going to be any naked IP packets floating around anywhere.  However, I think that since it’s always been there in IPv4 it’s comforting to have it available in case I want to double check each of the packets moving into and out of my network.  Who cares if it introduces a small amount of latency to calculate?  I feel better knowing it’s still there.  Now, doesn’t that kind of thinking sound silly?  Yes, I purposely picked something totally trivial to make my point, but that’s how I feel about NAT.  If we want to move forward out of the IPv4 Dark Ages and into the realm of the IPv6 Renaissance, we need to leave behind childish things like the need to NAT IPv6 packets on IPv6 networks.  Let’s spend more time making the Internet work the right way and less time trying to make it work the way we think it should.


66 thoughts on “What’s The Point of NAT66?”

  1. Thanks for the mention and nice blog.

    I was thinking about for NAT66 for the SME that don’t have the skills or knowledge to qualify for a PI block, nor would they probably do a good job of being nice BGP neighbours. Big shops will have skills, small shops will be an easy switch.

    NAT66 abstracts the complexity of re-addressing. But breaks the utopia end to end visibility .. I can see what people are pushing.

    • Exactly. And it’s not just a matter of skills, either. If you’re multihomed to LocalCableCo and LocalDSLCo, they’re just not going to be willing to run BGP with you. Using multiple prefixes on the link is the ideal, but it just doesn’t work right yet, and the standards to fix it aren’t even ratified, much less implemented.

      • This is my biggest concern as well, NAT for the SMB market allows multihoming without the complexity of other designs. Without NAT we lose this ability to easily stand up a second Internet link. I’ve not seen a good answer to this yet from anyone and I’d be glad to see one if I’ve missed it. Using PA won’t work without a major pain each time the company wants to change ISPs and we all know how often they want to do that…

  2. I would love to see the end of NAT with the increasing adoption of IPv6. NAT, like VLANS (and chroot) is often used (badly, incorrectly) for “security”.

    Repeat after me: “NAT is not a security solution. NAT does more harm than good by breaking the fundamental end-to-end model of IP.”

    As the concept of “client” slowly goes away, we’ll see more and more need for inbound connections to all manner of devices, things that are typically only clients today. Anything peer to peer (which we need more of for scalability) is difficult with NAT. As people want to reach and control devices on their home networks while they are on the go, they will encounter the brokenness that is NAT. Instead of making simple firewall changes, they’ll be dealing with port redirection, “NAT traversal servers”, “NAT brokers” and other kludges.

    Death to NAT; it’s long past due.

  3. Pingback: IPv6 Philosophy: To NAT or not to NAT – that’s the question » IPv6 Friday

  4. What if you set up a private network whilst you didn’t have a public range available, then need to set up a connection to a public network at a later date? I agree that NAT is a bad, horrible thing that breaks things badly, and it over complicates networks, but why should we remove it from our toolkit when it can be useful?

  5. The university I’m studying at recently rolled out IPv6 some time ago, including the network connections used by student housing.
    However, their policy prohibits you from running a router or more than one device. I’m doing it anyway of course, as I want my smartphone and console to have internet access and they block traffic for two hours if the MAC address changes (and not all devices can spoof the MAC, for example consoles). That is what IPv4 NAT is for me, not laziness or security.
    As you are only allowed to have one device, you only get ONE IPv6 address too. That’s it.

    Without NAT66, I don’t have the capability to use IPv6 on additional network devices except when using application-level proxies.
    (NAT64 requires you to have multiple IPv6 addresses too.)

    If you look at mobile ISPs trying to block tethering, I can see normal ISPs trying to do this too.
    You only get one IPv6 address. Want to use more devices? Pay more money!

    I don’t give a fuck about the most correct or pure implementation, policies, etc.. As a lowly end user, this shifts power away from me.

    So fuck you.

    • Thanks for the comment. Always glad to hear from those making the leap to IPv6, especially one so youthful. Since you neglected to leave a real e-mail address in your comment, I’m going to call you “Nate”. Get it?

      Nate, to make sure I understand your quandary here, let me try to summarize my understanding. Your university has both IPv4 and IPv6 in place. They have a policy of handing out one address per network jack in the housing area, which is probably a 2-person room if I recall from my college days. You realized that this policy doesn’t meet your requirements of networking a computer, smartphone, gaming console, and who knows what else. Perhaps there is a university-wide wireless network, perhaps not. For whatever reason, you’ve decided to circumvent this policy restriction with a NATing router of your own. This router probably doesn’t handle NAT66, as most consumer grade equipment can’t do that at this point, and with you being in college, the discounted price of a device that can handle it is probably beyond both your and your parents’ budgets.

      Nate, rather than examining the policy restrictions that your university has put in place to restrict IPv6 addresses to endpoints or postulating on the fact that the port security settings on the switchports facing your dorm room are probably set the way they are to prevent flooding or malicious attacks, you’ve decided that I’m to blame because I think NAT66 is a horrible idea. Allow me to say this then:

      Thank you.

      You’ve not only validated me insofar that I’m not the poster boy for the “I Hate NAT” movement, but you’ve helped me understand why I research these topics and decide the best course of implementation rather than leaving it up to “armchair” network rock stars.

      Nate, there are a multitude of reasons why NAT66 is a bad idea. Many of them revolve around things like smartphones and gaming consoles. Having IPv6 enabled everywhere without NAT will ease the complexity of getting your PS3 talking to someone else’s PS3 so you can play Call of Duty or whatever it is you kids play today. But that’s not really important, is it? What’s really at stake here is that your Internet device experience is hampered because of policy decisions, as well as the decisions to circumvent those policies.

      You should also understand that my position on this topic comes from an enterprise perspective where I trust my users to not bring XBoxes to the office. I don’t have to worry about my users doing things that might force me to lock down my switchports (except maybe in conference rooms or other public areas). In a college/higher education environment, the network admins have to lock down the user-facing ports to prevent stupid things like Bittorrent from crashing the whole core of the network and hampering silly things like educating students or doing critical research. In fact, I’d be shocked if the student housing wasn’t totally segregated off the main campus network. Limiting liability and all.

      There will come a day when we have a pure IPv6 network running most everywhere. Universities will be forced to reexamine their old policies about IP address allocation. They will likely conclude that just giving each residence hall a /64 is the easiest way to go. Then there will be all the addresses that you can handle, provided of course that you have a piece of equipment capable of connecting your gaming console, smartphone, desktop, laptop, or whatever all at once. This is likely because the university will have plenty of addresses, but they won’t run any additional cables due to expense. On the day that we start handing out lots of IPv6, then NAT66 will be a very moot point. But, of course, we aren’t there just yet.

      I can’t speak to the ISP drive to require more and more costs to connect devices. I mean, it’s not like their equipment is being impacted by each additional bandwidth consuming device that gets added into the network. I’m sure they’ll just break the conventions set forth in RFC 5375 for the sake of making a few extra dollars. Sure, it might drive off the more savvy tech users and cost the ISP dollars up front. Then again, maybe a lot of customers will get an XBox1080 or PS5 for Christmas and the parents will gladly pay any amount of money to get it connected to the Internet so their kids won’t whine. Who knows?

      Nate, in the end there are a ton of considerations that go into my dislike of NAT66 and NAT in general. They are colored by my experience as a network rock star and an architect of many advanced technologies. I’m going to keep on disliking any technology that forces me to change the fundamentals of the global Internet and makes things like SIP and end-to-end communications break simply for the sake of empowering end users that circumvent unpopular policies. Nate, you just go on disliking those policies. I’m sure things will work themselves out.

      Oh, and by the way, I’d encourage you to use this “good argument then insult” argument methodology when you finally graduate and get out into the real world. It works wonders on professionals.

      • And when someone self proclaims themselves as any kind of “rock star” in order to put down someone else’s opinion without actually helping them in any way or addressing their problem then we should feel free to disregard their position. The key point of the original posters point is that they are a consumer level network user and you respond by pitching enterprise needs. How about respecting both?

  6. I have been working with multiple Enterprise customers developing IPv6 addressing schemes and I can tell you that dual homing and asymmetric routing are REAL issues with PI space. For example if you have a /48 from ARIN and advertise that block out of multiple DC’s to the global Internet, there is the real possibility that inbound return traffic could come through a different link than outbound. This gets even more complicated when you have more than 2 DC’s (one customer I am working with has 4 US DC’s). Outbound can be influenced with BGP metrics, but inbound can be an issue.

    • Hey Robbie, yeah that is exactly my big problem with converting to IPv6. With NAT you can easily send a more specific route out from your regional firewalls and ensure that return traffic comes back into the same stateful firewall. The problem now with going to this especially over my MPLS VRF around the country for remote sites, the traffic can come into either of my two core sites in CO and MD for redundancy then exit through my firewalls to the internet but the return traffic can’t be controlled as to which firewall it comes back into. Without some way of controlling this routing (like via NAT) it will be broken if servers are not in the same area. So have you guys come up with a way to control this asymmetrical routing problem???

  7. Exactly the kind of snobbery I have come to expect from some enterprise networking engineers – the whole article could be summarised as “I can’t see why I would ever need to use NAT66, so it’s a bad idea, and a lot of other people like me at the IETF agree”. It’s really not that helpful to those of us in small shops at the sharp end who are not “network rock stars”, who don’t work with Cisco kit all day and are just trying to get things to work.

    I particularly enjoy the way you take the time to lambast, at length, the one comment that we could probably all agree was a bit daft and uncalled for (from Guest), but none at all to help any of the other genuine commenters. Well done, you’ve reinforced a stereotype for me.

    You might want to have a read of this article, which says it better than I could.
    http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/

    • The primary argument seems to be multi-homing. While there may not be a perfect solution right now, I think that nearly every network engineer in the world would agree that a real solution is more preferable than a hack like NAT.

      D-Day isn’t here yet (and it seems to still be far off, despite the world’s best efforts). It may be crunch time, but the Internet isn’t broken yet. Full, complete IPv6 deployment is not here. Relax, hold onto your pants, and wait. A solution will be found–and preferably without NAT.

      Finally, and controversially, I will say that if a (small) business wants to pay for the reliability and uptime of multi-homing (which still has several single points of failure), then they should probably consider paying for a network engineer that can meet their requirements.

      To say that a business should pay for the support of an engineer that can actually meet their requirements is not being a snob.

      The people complaining seem to have two options. Increase their skill sets so that they can be that engineer, or risk becoming dated and irrelevant. If you want, you can even continue to charge the same prices once you’ve updated your skill sets so that you can continue to support the notion that small businesses can’t afford to pay for more expensive support. Or you can charge more because you know more and have an expanded skill set. In that case, you’re just being a hypocrite.

      IPv6 is coming. It will change the way engineers think about their jobs. It isn’t here yet, though. You still have time to update your skills. There is still time for a complete solution to multi-homing and other “issues” to be ratified.

      Just because you’ve been doing something the same exact way for the past 20 years doesn’t mean that the new way is wrong. It means that you need to update your skill set or become irrelevant. Networking–and IT in general–is about staying current, not about being afraid of the future.

      • So now SMEs are going to need engineers? This is really the point of SMEs.. they just want a simple system, even if it is less efficient.
        I currently live in NAT/PAT/”intelligent firewall” hell, so IPV6 in some ways is good for me, but certainly not for SMEs and consumers. We won’t get free unlimited IPs, you can count on that.

      • No, the issues for SME are MORE than that. Not a single “priest” confronts the issue of multiple IPv6 external connectivity management – not one.

        On a NAT’ed IPv4, the SME admin only has to debug, monitor and secure a single external IP access. One point of entry for the entire enterprise. If you are getting attacked, for example – one point of entry, one point of defense. One log. One device with all the rule sets. One device to debug and plug holes in.

        You IPv6 gurus miss the TRUE issue with SME’s, and that is MANAGING ALL THOSE EXTERNAL IP’s. Now, according to your principle, EVERY device on your LAN also has a IPv6 WAN-accessible component. Every device. So now, EVERY device must also have a firewall. EVERY device must have a rule set. EVERY device must then be administered regarding those rule sets, monitored for DDoS and spoofs, updated with the newest firewall technologies, granted unique authorizations for access/denial…AND given an internal IPv6 addy on top of all this!

        There is a term for this: “WHAT ARE YOU, NUTS????!”

        Truly, why would a V-SME (very SME) bother? As noted, the sysadmins for SME are doing this as a secondary or tertiary job description. They (OK, “I”) have my hands completely full doing my other jobs demanded of me without having HARDWARE demand yet more of my time simply because their IP addressing scheme now depends upon ‘proclamations’ from external forces (the IPv6 / DHCP services of the ISP) that grants every single device external access. “External access” must *also* mean “externally targetable”.

        By using a NAT, SME’s can more readily control their exposure to the outside world in terms of LABOR, regardless of how you priests want to discuss “security”. I am a ‘small fry’ in regards to network knowledge but here’s Common Sense talking: Excuse me, but stating that a multi-point access channel (true IPv6-integrated LAN) will be as inherently secure as a single-point channel (IPv4 w/NAT router) is hubris, at best. If, with consideration, one factors in the human condition (read: Human Failings) that will be experienced in configuring and managing the now much larger, and therefore more complicated, externally-available SME IPv6 address block.

        The network priest community is advancing a system that will multiply a SME administrator’s workload by multiple factors by using pure IPv6, and then stating that security will be equal. Not a rational claim, folks!!

        You puritanical network admins are fighting the same fight as other puritans across multiple topics, be it from energy to macroeconomics to politics, and missing the same points. Reality never meets theory because reality has more factors to deal with than your theoretical papers do. IPv6’s benefits sound good on paper but who is going to deal with the problems that IPv6 creates? You dismiss problems as negligible because you’re not the one dealing with them in any individual rollout, and indeed you can’t theorize every individual rollout because you’ve never BEEN in some of the situations where said rollout will be used. ISO-level top network gurus have never been in a SME of 5 people, never will, so their theoretical planning can never account for something they have no knowledge of.

        The world DOES need NAT66, regardless of your statement that is does not. The theory of IPv6 is quite sound – put every single device on a directly-addressable point on the internet – but the reality is far more complex than that. Until *someone* creates an exceedingly secure, fully cross-platform administration tool for ALL devices in a LAN, up to and including firewall rules and updating, SME and individuals will still prefer the much simpler to administer NAT topology.

      • Take your car to an oil change shop and ask them to diagnose and repair your transmission.

        This clearly is a better idea than taking your car to someone who specializes in transmission services and repair because the oil change shop would be a single point of service. It might also be cheaper because you have to spend less money on gas (you’re going to only one place) and you’re dealing with someone who is not a specialist.

        The world of IT is getting more and more complex every day. This isn’t an arbitrary complexity. Is the difference in complexity between the Model T and F-150 an arbitrary complexity? No. It’s a natural evolution of necessity.

        If car engineers and mechanics of the past could not keep up and stay modern, they would quickly find themselves outdated and irrelevant. Similarly, a “general” (typically oil change) shop can only do a few things. They have to refer customers to other, more specialized shops.

        Since you claim to be in IT supporting small businesses, you should know how vast the field of IT is. You can’t do it all, no matter how hard you try. You will fail at something. Sorry to burst your “I support everything” bubble. If you can’t do it (which you say you can’t), then you need to refer your customer (or boss) to someone who can. That’s the way it’s done in the car world, and that’s the way it works in IT. Sorry if you see your way of life disappearing because you can’t actually support anything in-depth. You can change oil filters, air filters, and re-fill anti-freeze. Maybe change some tires and brakes.

        Maybe you should actually step back and realize that you’re on a pretty high horse. Business needs are constantly changing, no matter how large or small the business is. They’re going to change when IPv6 finally rolls out, and the professionals supporting them will have to shift as well. Get used to it, deal with it, and welcome to networking. Or goodbye, if you can’t cope.

      • Wow, just…wow.

        OK, I am going to have to switch to being completely blunt here. You’re living in an arrogant technological fantasy land and just can’t wake up from the dream. Only blunt-force discussion will snap you out of it.

        SME’s and individuals will NOT hire an IT architect in order to design their IPv6 network topology in order to satisfy some technocrat’s idea of implementing the “perfect” network across the world. WILL NOT HAPPEN. Unless YOU, and your IT ilk want to pay for it, that is.

        SME’s ARE SME’s for a reason. They are small with commensurate small budgets. Their entire *existence* has been based on doing more with the resources available. If this WEREN’T true…they’d be expanding their business and become LESS of the “SME” appellation that is applied to them.

        The idea that the vast majority of SHO’s and SME’s will hire an IT professional to service their LAN is the utmost of arrogance. Most SHO / SME’s simply don’t have that in their budgets nor will they have it at any foreseeable time; for most small business owners, ‘free’ money such as what can be paid to an outside contractor (which is EXACTLY what the IT professional will be) should be used for other, more urgent matters. Again, you haven’t lived in the SME world, have you?

        A large majority of SME’s will NOT hire an IT professional. There are many reasons for this and they seem to slip by your pure technocrat ideology.

        - costs
        This is probably the major issue.

        - loss of in-house control
        This is an issue that you simply can’t recognize. The vast majority of small business owners are people of many skills, having their hand in almost all aspects of the business. If they aren’t doing it themselves, they have hired workers to do the work for them…but they, the owners, still expect to make the calls and be in the loop in regards to decisions and functions of the business. It’s THEIR business, their life and their lifeline. Their business is all that stands between food on the table or homelessness.

        A hired outside IT professional will design a network…that will be seen (correctly or incorrectly) as being completely alien to every single person in the SME. Therefore, any problems that occur that interact with the topology or design must be corrected by the outside IT professional…**at their time schedule**. That might be an hour later…or that might mean 2 days later. An SME will NOT risk being down and depending upon the scheduling whims of an outside contractor. THAT’S WHY THEY DO ALL THEIR IT IN-HOUSE IN THE FIRST PLACE.

        Yes, I’ve done outside IT contracting for other SME’s. One owner was independently wealthy, due to inheritance, and had no issues with hiring the needed skill set. The other owners were on absolute shoestring budgets, referred to me by the wealthy owner, and really could not afford the work. I did the work at a massively discounted rate as a favor to my main client, as all the owners were friends. She (the main client) appreciated this and kept coming back to me for even the smallest issues as she saw I wanted to make her happy.

        Another business owner hired me for data recovery to restore a completely corrupted hard drive and recover his company’s information, a process I completed successfully. He hired me because he had no choice in the matter. He *needed* that information, was desperate, but discovered he couldn’t afford the quotations given to him by the recovery laboratories. He heard of me through the grape vine and came to me with heart in his hands.

        Two weeks ago I got a phone call from one of my current boss’s business associates to ask me for advice in buying a KSU / PBX system. I bought, fully installed and programmed the system currently used in our own office, which he liked the features of very much, and wanted me to help him purchase the ‘ideal’ system. His current phone implementation, one he made himself using the available SHO ‘modular’ telephones, has numerous issues and he needs more control over his business communications. He networked me in order to try to keep his budget in check; he was asking for advice and, *maybe*, some installation assistance as he hoped to be able to do a self-install to, again, keep his budget in check.

        In all instances there frankly was a pattern: desperation. All the business owners needed a professional because they had tried, *themselves*, to correct the issues but discovered that they could not. So they yelled for help. If the idea that SHO’s & SME’s should be so “desperate” that they need to hire an IT professional in order to maintain your IPv6 purity…you truly need your head (and IPv6’s goal) examined.

        You see…you’ve already LOST this argument. NAT66 is already HERE, NOW. Development continues as we speak. How would that be possible if the world was truly concerned about IPv6 topology purity?

        Frankly, they’re NOT.

        They, the people both developing AND screaming for NAT66, are more worried about real-life, everyday issues than theoretical papers. They aren’t concerned in the least about what high-level IT designers care about, they are worried about THEIR concerns…and NAT appears to offer them answers.

        In blunt-force terms, your concerns have ALREADY been completely ignored. Your IPv6 ideological purity has ALREADY been compromised for the perceived greater good of its actual USERS. A network design that may require large numbers of HOME users and very small businesses to consult with professionals should be seen as a failure, not a ‘bonus’, and patches like NAT66 will be applied as seen necessary by its USERS to repair any perceived issues.

        Maybe one day, when the devices themselves are smart enough to handle rules handling and exceptions, IPv6 / v7 / v8 / v20 et al. purity will be the norm. That day isn’t here yet and, for the foreseeable future thanks to the ubiquity of dumb devices that require human administration, not coming for quite a while.

    • I thought about reading your entire post. I honestly did. About two or three paragraphs in, though, I realized that this is definitely a case of tl;dr.

      The bottom line is that you get what you pay for. Don’t pretend that small businesses don’t make a profit. You keep trying to make them out to be a not-for-profit or an organization that just barely scrapes by. If they’re barely making it, then they have more issues to worry about than their network and they should probably reconsider their services, business model, or–worst case scenario–everything.

      I’m sure you’re panicking inside because you’re seeing your profession slip away. You clearly don’t have the necessary skills to implement solutions to a business’s IPv6 problems. Maybe you can still make a living installing ISA cards in legacy machines. I’m sure you’re still arguing that PCI cards are too expensive for small business…let alone PCI Express.

      Update your skills. Quit crying. Considering you probably don’t know what I do for a living, or what my work history is, I would suggest that you stop saying I’ve never done work for small businesses. I doubt you know what anyone’s work history is. We clearly know you’re a hardware junkie. And that’s okay. Except when you’re still trying to insist on DDR1 or, god forbid, SDR SDRAM as a memory solution.

      I’m finished talking to you. You’re boring.

      • What is really amusing to me is that everyone that is anti-NAT is railing against techies saying that they are lacking skills. What has that to do with anything? Such comments only strengthen the pro-NAT arguments in bystanders’ minds.

      • So, let me get this straight; you’re saying people against NAT66 are primarily against it because they “lack skills”.

        Is that an admission that a NAT66 implementation would make IPv6 easier to work with?
        I would think this would be favourable to businesses of any sort, as well as any average home user that just wants something they can plug in and just work.

        Abstraction and simplification is almost always desirable to most users.

        That’s why OOP is used by most people instead of procedural languages.

        OOP, in theory, will give lower performance than procedural languages (or even assembly, provided you have the time and skills to actually use it properly). But compilers have become so good these days that any performance difference is negligible to nonexistent; and it’s just not worth the time and hassle to use procedural (or assembly).

        I think the same sort of thing applies to NAT. Yes, it will add latency. But the processors used in even consumer routers these days are quite fast anyway. And the abstraction it provides makes things easier.

        Anyway, basically, the argument of “you just need to update your skills” is a poor argument for higher complexity.
        A better argument would be listing any technical advantages.

        You say that it ruins the end-to-end model.
        I don’t see why it’s necessary to dictate that the entire internet needs to work as a pure end-to-end model. The internet is a hybrid of client/server as well as peer-to-peer.
        And it’s not like NAT66 is proposed as a mandatory feature that everybody must use (not like IPv4, which is technically optional, but kind of necessary; IPv6 has more than enough addresses for it to be truly optional). You would use NAT66 if it’s appropriate for your particular network.

        In other words; don’t like NAT66? don’t use it. But it can still be there for those that do want it and have a use for it.

        As far as security goes: Yes, I’m aware that NAT is not the same as a firewall. But it does provide obfuscation.
        Security through obscurity does work. Although obviously it’s a bad idea to rely solely on obscurity, it is one additional layer that can be good to have.

  8. Pingback: IPv6 networking: Bad news for small biz | Technology News

  9. Pingback: maccad » IPv6 networking: Bad news for small biz

  10. Pingback: IPv6 networking: Bad news for small biz | Leomoo.com

  11. Pingback: NAT is Coming to IPv6. Whether We Like It Or Not.

  12. I question the need for NAT66 for SMEs when NPTv6 (or RFC 6296) is in place to address the multi-homed no-BGP situation many SMEs seem to do and does not require the use of PI space at all. Additionally, it even allows the use case of running everything internal on ULA and running prefix translation to your single ISP who has given you PA space.
    I do sympathize with those that are being hampered by policy rules that were clearly developed in an IPv4-centric world, such as limiting the number of addresses assigned per switchport, but that is a policy problem, not a functional one of the protocol. IPv6 has more than enough addresses to assign out in a single /64 than most any organization will ever need. It does not seem rational to port overload an IPv6 address when you can simply provide an additional address at no cost. My 2 cents.
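The prefix translation this comment refers to is RFC 6296's checksum-neutral mapping. The block below is an added example (not code from the post or from any commenter) that implements the /48 case of that mapping: the one's complement difference between the internal and external prefix sums is added to the subnet word (bits 48..63), so the one's complement sum of the whole address, and therefore every TCP/UDP/ICMPv6 checksum that covers it, is unchanged. The prefixes fd00:1234:5678::/48 (an assumed ULA) and 2001:db8:abcd::/48 (documentation space) are illustrative; prefixes longer than /48 use a different word under RFC 6296 and are rejected here.

```python
"""RFC 6296 (NPTv6) checksum-neutral /48 prefix translation, added example."""
import ipaddress


def ones_complement_sum(words):
    """One's complement sum of 16-bit words, folding carries back in."""
    total = 0
    for w in words:
        total += w
        while total >> 16:
            total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_sub(a, b):
    """a - b in one's complement arithmetic is a + (~b)."""
    return ones_complement_sum([a, (~b) & 0xFFFF])


def to_words(addr):
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words):
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words)))


class NPTv6:
    """Stateless 1:1 mapping between an internal /48 and an external /48."""

    def __init__(self, internal_prefix, external_prefix):
        internal = ipaddress.IPv6Network(internal_prefix)
        external = ipaddress.IPv6Network(external_prefix)
        if internal.prefixlen != 48 or external.prefixlen != 48:
            raise ValueError("this example handles the /48 case of RFC 6296 only")
        self.internal = to_words(str(internal.network_address))[:3]
        self.external = to_words(str(external.network_address))[:3]
        # adjustment = internal_sum - external_sum; constant for the lifetime
        # of the configuration, so translation needs no per-flow state
        self.adjustment = ones_complement_sub(
            ones_complement_sum(self.internal), ones_complement_sum(self.external))

    @staticmethod
    def _rewrite(addr, old_prefix, new_prefix, adjustment):
        words = to_words(addr)
        if words[:3] != old_prefix:
            raise ValueError(f"{addr} is not inside the expected /48")
        if words[3] == 0xFFFF:
            # RFC 6296: a subnet id of 0xFFFF cannot be used behind the translator
            raise ValueError("subnet id 0xFFFF is not translatable")
        words[:3] = new_prefix
        subnet = ones_complement_sum([words[3], adjustment])
        words[3] = 0 if subnet == 0xFFFF else subnet  # 0xFFFF is negative zero
        return from_words(words)

    def outbound(self, addr):
        """Internal -> external, for packets leaving the site."""
        return self._rewrite(addr, self.internal, self.external, self.adjustment)

    def inbound(self, addr):
        """External -> internal: add the negated adjustment."""
        return self._rewrite(addr, self.external, self.internal,
                             (~self.adjustment) & 0xFFFF)


def same_checksum_contribution(addr_a, addr_b):
    """True when both addresses add the same value to a transport checksum."""
    def norm(x):
        return 0 if x == 0xFFFF else x
    return norm(ones_complement_sum(to_words(addr_a))) == \
        norm(ones_complement_sum(to_words(addr_b)))


if __name__ == "__main__":
    t = NPTv6("fd00:1234:5678::/48", "2001:db8:abcd::/48")
    for inside in ("fd00:1234:5678:1::a", "fd00:1234:5678:73d9::1"):
        outside = t.outbound(inside)
        print(f"{inside} <-> {outside}  neutral={same_checksum_contribution(inside, outside)}"
              f"  back={t.inbound(outside)}")
```

The second sample address is chosen so the adjusted subnet word lands on 0xFFFF and is written as 0x0000, which is why the round trip still works; an internal subnet id of 0xFFFF itself would not survive the round trip, which is the reason RFC 6296 forbids it.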

      • I’m sorry…but your “replies” are a joke.

        Every “anti-NAT66” argument put up comes down to the *technical* aspects, “IPv6 has enough address space for everyone”.

        Your arguments COMPLETELY fail when it comes to the topic that [us] SME’s are CONSTANTLY bringing up – “Who’s gonna PAY for all this and WHAT positive benefit/cost ratio does IPv6 give to me?”!

        For the SME community, there pretty much is NO positive BCR to making the switch to IPv6 in their infrastructure. SME systems are currently working *fine* in v4 yet you gurus suggest spending unknown dollars…just to switch to IPv6 in order to satisfy the *desire* for end-to-end IP connectivity. For many SME’s the idea of E2E is a MOOT point – they don’t need it. If they DID need it, **they already have it**.

        So, you suggest a wholesale change-up of their entire infrastructure for, what benefit then, exactly?

        The POINT: You’re trying to stand on your high horse as a technophile. But, SME’s stand on the platform of BUSINESS. *Currently*, there is very little cost rationale to force a change across an SME’s topology simply because other people have “said so”. The proof is in the pudding – IPv6's implementation ratio is WAY, WAY below expected, isn’t it? And the “World IPv6 Days” aren’t really changing that, are they?

        In business, action is taken based upon benefits versus cost analysis. If technophiles can explain to the common SME owner and/or IT manager the benefits of switching to v6 for the cost that will be incurred…you’ll have a winning formula for success. But, as of now, all discussion points of making the switch are “Because it’s here, because it’s new, and because it will be the standard” but that fails all tests in stating that their *current* implementation will cease to work, *today*. Therefore, and quite simply…they won’t switch – until they MUST.

        And, by the time they “must”, things will be quite different anyway. More, and cheaper, v6 routers, firewalls and other devices, along with a lower dependence on legacy OS’s with ‘questionable’ v6 support, will make the switch in the future easy and smooth (as compared to today).

        You want IPv6 implementation? Then tell me why the cellular 3G and 4G systems haven’t been forced into IPv6, considering that (in the United States especially) they have a completely captive audience in regards to hardware control. The cellular network could much more easily rollout v6 on a network that they have full control of. Doing so would free millions of v4 addresses for land-based ISP’s. Add in v6 rollout across the backbone and that will also free up millions of addresses more.

        You’re being idealistic. Try being profit-oriented pragmatic for a change, and you’ll see the world through a small business owner’s eyes.

  13. “The people complaining seem to have two options. Increase their skill sets so that they can be that engineer, or risk becoming dated and irrelevant” So we all have to pay for training in this one area of IT or become irrelevant? In a previous response to a comment you pointed out how wide a field IT is and now you are saying that I risk becoming irrelevant unless I learn IPv6? Actually we have 3 options, get training (oh wait that is really expensive), become irrelevant (hello dole line) or 3 pay someone like you to come to our rescue (oh wait that is really, really expensive).

    SME’s do not have limitless budgets to provide training or pay for consultants and these types of considerations are usually way down the list when the budget comes to be decided. Please do not make the assumption that because people are concerned about the amount of money changing their existing setup would cost they either lack technical knowledge or are unwilling to learn new skills. Personally I do not know enough about IPv6 yet but I know that if I ask for training I will be turned down, especially when I have been turned down for training that is directly related to the job that I do.

  14. Pingback: IPv6, NAT, and the SME – A Response | The Networking Nerd

  15. I am very against nat66 from a philosophical perspective. But I believe that as long as at least one other person who believes in it can also invent it, then it will come to be. I have since halted my evangelical crusade because it’s just a waste of my own energy.

    You can’t control what other folks do with their packets. Might as well just accept it, as frustrating as it is.

  16. Pingback: Start Menus and NAT – An Experiment | The Networking Nerd

  17. Pingback: SME IT guy

  18. HEY GUYS LETS LET ALL OUR PORTS BE OPEN! LETS LET ALL THE WINDOWS COMPUTERS IN THE WORLD BE ONLINE WITHOUT A FIREWALL! I DONT HAVE ANY DOUBT THAT CONSUMER HOME NETWORKS WILL BE PROPERLY CONFIGURED! DOWN WITH NAT66 HACK THE PLANET FTW! Not having NAT – worst idea of all time. If there are no IPv6 NAT IP address provisions I’m just going to take a block by the toe and set it up as my internal NAT. I prefer to control my own network, quit telling me what I can and cannot do with my network, thanks.

    • P.S. I don’t care how you feel about NAT66. How you feel doesn’t matter. We just need an allocation for internal usage. My network is not subject to your ‘feelings’.

      • Please tell me how I can link my 2 houses over VPN, both of which have multi-homed DSL/cable links, so I can replicate my AFS cluster and share common networking infrastructure between my houses without using NAT or PI assignments. Please explain why I would want to do this without NAT. I do already have PI assignments for other uses, but do you think my DSL ISPs are going to give me a BGP feed/push abilities on a $40/month account?

      • Keep in mind, there are 4 different uplinks and ISPs involved here.

      • With IPv4 and NAT this setup is no problem. I can control my routing and outgoing packets how I see fit over multiple links without needing PI space. My houses appear as one big LAN. I can see all my resources and life is good. Give it up and support NAT. Just because you can’t think of a use for internal or private networks, doesn’t mean there aren’t uses for it.

      • Hank, I know right? It’s like people don’t remember the days of “netbus” and “backorifice”. This new IT generation all high and mighty thinking that people will properly configure their firewalls. It’s like the 1990s, and the things learned from that time period, didn’t even happen.

      • Ah, you guys were having fun in Twitter. No wonder I got no serious replies. Just another reinforcement of what has already been said 10x in this post (that you’re a pompous piece of shit). If you guys are going to IETF and helping to create standards for the future, I worry for the internet as we know it. All of your replies in this thread do nothing but attack the posters; I’ve yet to see you post anything of substance as to why there shouldn’t be a NAT provision, other than your “feelings” that it shouldn’t exist. Oh well, at least I got to vent my IPv6 rage. Back to trying to get something to work that should just work.

      • Bullet, I was content to let you say your piece on this matter. However, it appears that you came looking for a fight. Okay, I’ll bite…

        So, you’ve got four consumer-grade ISPs running between your two houses to sync an AFS cluster for some reason. And you don’t want to upgrade to a business class connection that would give you the ability to multihome? Why is that? You’re already running PI space. You could configure NPT on the link. You could continue to run IPv4 and IPv6 dual stacked to provide for your corner case. Or, you could run multiple IPv6 addresses on the links and source your VPN connection from a loopback adapter so it will automatically fail over in the event that your ISP connection goes down. I don’t really have a good solution to your quandary because I have one ISP at my house running an Airport that uses IPv6 tunneling back to HE.net, since my ISP won’t likely support IPv6 on my consumer grade connection for a few more years at best. Of course, I could upgrade to a business connection if I really needed that kind of connectivity.

        I get it. I’m pompous because I don’t think of the little guys. I don’t like NAT66. I like making people’s lives insecure and needlessly complicated. I also kick puppies in my spare time.

        Or maybe perhaps it’s because NAT is a broken concept that causes fundamental end-to-end connectivity between nodes on the Internet to break and not work as it should. Address translation causes asymmetric routing issues. NAT breaks VoIP return call paths. NAT doesn’t provide security. I’m holding off implementing a /48 at my office because I’m not sure how it will interact with our existing firewall. Security is first and foremost on my mind. NAT introduces a false sense of security, as a matter of fact. It makes firewall configuration twice as complicated as it needs to be.

        I won’t deny there are use cases for NAT44. What I have a problem with is that IPv6 was designed at a time when NAT44 wasn’t being used prevalently. IPv6 was designed to use point-to-point communications between end nodes. The address space was allocated so that we wouldn’t run out of addressable space any time soon so that we could assign addresses to anything that could want them, and that was at a time before IP addressed phones and Xboxes and washing machines. The decision to split the network and host portion of an IPv6 address down the middle at 64-bits was specifically so that the network portion of the address could be changed quickly without much impact to the end host.

        You say that my replies in this post were attacks on people. Then, you post a strange use case that maybe four other people in the world will have and then accuse me of being a “pompous piece of shit” when I don’t respond to your post with a clever solution. Ask yourself why you need to upgrade to IPv6. Why are you chasing functionality that you obviously have sorted out?

        I’m not a member of the IETF. I was approached and I turned it down. I’m not an architect. I don’t spend hours upon hours arguing the mathematic simplicity of header values and TLV extensions. I’m a grunt. I program switches and implement protocols on networks. I work almost exclusively in the SME environment that I’ve been accused of ignoring. I want things to work easily without overhead that causes people to spend needless time troubleshooting things that should “just work.”

        You did inspire me to write another post on IPv6 and NAT though. Because it does appear there are people that the IETF needs to contact to get these strange problems solved. I’ll be sure to forward your email address to them so they can argue with you about your particular problem. If you think I’m being pompous, I can promise you that some of the people on that mailing list really will have you reaching for the bullets.

      • I wasn’t looking for a fight specifically. I was looking for information on NAT66 and IPv6 in general as I do once a year to see if it’s made it to some sort of usable incarnation yet. This page is the #2 result for “nat66”. So when I’m looking for information on NAT66 and the second Google result is telling me about how I don’t need NAT66, I was a little incensed.

        I knew my test case required NAT, PI spacing, or some form of private network. I was actually looking at being able to give vpn clients static addresses based on their user id regardless of the location they connect to. If they connect to London, they would get the same address on their interface as if they connected to New York. This would allow me to easily manage users regardless of their connected location. Then map these users onto the network in 1:1 nat pool at those locations (which should not be an issue with currently available tools in IPv6).

        But, with regards to my test case.. The business DSL connections are lower bandwidth than the residential connections. If I were to upgrade to the business connectivity I would receive less bandwidth for more money (which I wouldn’t mind if they sold business connectivity as SDSL, but it’s just normal ADSL). I’m not sure if you’re suggesting I should use PI space in my house, but all of these 5-man companies with 2 internet connections that would be pushing BGP scares me. It’s bad enough that we’ve got small unknown Chinese ISPs pushing bad IPv4 routes to the internet taking sites offline globally, or at least, regionally. Do you really want mom and pop in there fiddling with their BGP routes? (But I guess that says more about trust between uplinks than anything.)

        Sure, I’m probably the only person in the world with this configuration. But it’s mine, so why can’t I just have my internal network and run it as I see fit? There are n billion people in the world. There will be people doing odd stuff on their network for no other reason than just for the sake of doing it. Just because NAT would exist, doesn’t mean that people would need to, or be required to, use it by default out of the box. There’s no reason that consumer grade routers would use it by default. Just because not everyone would use it or it’s unneeded, is no reason for it to not exist. Only a small portion of people actively/knowingly use/set up anycast; maybe we should get rid of that spec too, since not everyone needs it, and there are other ways to accomplish the same thing.

        The thing that scares me most with regards to NAT and security. Yes sure, it breaks the end-to-end model. But you don’t have to worry about tons of non-updated Windows systems being internet facing with only their Windows firewall flapping in the breeze to save them. When a new network is being deployed at someone’s house, I don’t have to worry about if their computer will have a proper firewall setup (if any firewall at all). With NAT, I can be assured they have no incoming connections. It’s bad enough that we’ve got people on the internet dumb enough to fall for email virii. The last thing we need is these people being responsible for maintaining their home firewalls. You can search Google for “(videogamehere) port forwarding” asking about how to configure port forwarding in their router. You’re talking about asking people who can’t figure out how to forward a port to manage their home security. And these are gamers, the people most likely, within the consumer community, to know how to do these things. I’m sure there will be some companies shipping home IPv6 routers with the router in a default deny configuration. But I’d be willing to wager there will be more than 1 that ships it with nothing, or default allow configured for default firewall rules. This is what reminds me of the 1990's wild west days of the internet. All of those IPv4 dial-up clients with no NAT or firewall configurations on the ISP’s end or the consumer’s end. I thought this was what Hank was referring to when he was talking about netbios. Numerous hard drives just being available for anyone to access at any time. I don’t think I ever had to pay for an internet connection when I was in high school. I would just have to port scan one of the local ISPs for common netbus ports and read their computer’s DUNS info. When you tell me that people are going to be running consumer grade hardware at home without NAT, this is the first thing that pops into my mind. Sure, a small fraction may have properly configured routers, but the vast majority will not. I wonder how many of these routers will ship with default passwords and administration consoles/interfaces open to the world (which already happens in IPv4 land, but not as common).

        If consumers weren’t bad enough, network admins are just as lazy. I can’t even count the number of core Cisco routers I’ve found over the years with default or “qwerty123” passwords. Even best are the networks that process localhost. Dropping your local interface so the loopback address is routed to the next hop up where it connects locally to the DSLAM or host device. In fairness, I only had that happen once with a dial-up ISP that didn’t properly restrict routes on their modem banks.

        I also wonder when the first time I will turn on the news and hear about some guy’s life being destroyed because his wifi handed a routed IP to someone who cracked his WEP key and hosted a kiddie porn site off the line. It’ll be inevitable. Well, I guess it’s his fault for not having a properly configured firewall and not being a network engineer, huh?

        IPv6 in general is a botnet admin’s wet dream and a Nigerian email spammer’s Jannah.

    • “If consumers weren’t bad enough, network admins are just as lazy.” should read “If consumers weren’t bad enough, network admins are just lazy.”

  19. My last comment on this post:

    With NAT you can only ever have TCP or UDP as your L4 protocol. Why? Because that is how PAT and overloading an interface works. You map original source port of the private address space to a new source port of the globally routable address. The reason I am such a huge advocate for a no-nat Internet is because of the possibility of someone designing a new L4 protocol that might solve a lot of problems we face in the networking world today. Perhaps someone can design something with a proper session layer? If we continue to use NAT the chances of that happening are nil.

    I believe solutions are there to allow SMB/SMEs to multihome without the need for BGP or NAT. Are they easy? Perhaps not…but once they make their way into the Linksys/Netgear/Sonicwall gear that’s being installed in most small environments I imagine they’ll be a simple check box. I don’t consider people that install only those types of equipment to be “network engineers.” (Just being honest.)

    I think the main problem anti-nat folks are facing is primarily an education problem. If you could see the benefits of a no-nat network perhaps you would change your stance. Hear me on this though: I don’t think NAT66 should be wiped from the books. I imagine there is some corner case that could potentially need it…I’m advocating that there is no need for NAT66 in most every use case, and EVERY option should be exhausted before finally implementing NAT66 (while crying).

  20. Pingback: The Failing Crusade Against NAT | Keeping It Classless

  21. Pingback: The Five Stages of IPv6 and NAT | The Networking Nerd

  22. This post is so old now, I doubt the author (or even the commenters) are even monitoring this anymore.

    But, what the heck…since I am just *now* gearing up my learning about IPv6, I’ll throw my 2 cents worth into the wild abyss of this probably-not-even-read internet article…

    Please note, I am just playing “Devil’s Advocate” here. As they say in the south, “I have no dog in this hunt.” In other words, I really don’t care one way or another about the IPv6 implementation of NAT *itself*. What I care about is my right to CHOOSE whether or not I utilize NAT on my network(s).

    I do not understand the pure hatred of NAT, and your obvious push to do away with it. I am not going to argue the technical merits one way or the other, or quote RFCs because to be honest, I would be speaking out of sheer ignorance. But in the grand “big picture” of things, I think the author is making “much ado about nothing”.

    You mention basically it is a “kludge” or a “band aid” designed to overcome the IPv4 address shortage; True. It has also been mentioned that NAT was never considered in the original internet specifications. True. But I imagine services like NetFlix, Xbox Live, and e-commerce, etc weren’t considered in the original design, either (did they even have SSL specifications back then?). So just because the initial specifications weren’t written when the internet was first gearing up, I don’t think that is a valid argument to do away with it.

    Although I can’t find the direct quote now, I read above somewhere that NAT essentially “breaks end-to-end communications”. But really, doesn’t a firewall do the same thing? I mean that is the whole intended purpose of a firewall! (And I do understand the difference between NAT and a firewall).

    Above, you had also mentioned that NAT gives people a false sense of security, and really provides no real protection beyond masking addresses. That is not entirely true. (but you are correct about NAT itself giving people a false sense of security). Provided there are no security holes in the NAT device itself, NAT makes it impossible for unsolicited inbound traffic to traverse the NAT device and reach any internal devices. (But the problem with NAT is, once an outbound connection is initiated, say from a piece of malware on an infected device, then whatever protection you thought you had with NAT has just been circumvented, and you might as well have no protection at all). So it at least provides protection from unsolicited inbound traffic.

    Getting completely off subject, I consider this “controversial issue” just like I do most others. Let's take the current hot topic of firearms. I do not own a gun. I can count on one hand the number of times I have fired a firearm in my life. I do not see the *NEED* for guns. After all, slaughter houses [to the best of my knowledge] do not use firearms to kill the animals we prepare as food. In my eyes, guns serve no real useful purpose. However, there are those that like to shoot for sport, or hunt as a hobby. And you know what? That is perfectly okay by me. Although I do not see the *NEED* for firearms, that doesn’t mean that I want to see the production or sale of firearms outlawed. Although personally, I do not *WANT* to own a gun, I do want the *RIGHT* to own a gun if I should so choose.

    I see the same thing with an IPv6 implementation of NAT: If you do not like it, then do NOT use it. But like so many other issues of today, just because you have a disdain for it, you want to essentially take away everyone else’s right to choose it basically because you know what is better for everyone else’s network than they do. I say go ahead and write in the specifications for an IPv6 implementation of NAT, and leave the decision whether to implement it or not up to the end users.

    In closing, again I am not PRO IPv6NAT, nor am I ANTI IPv6NAT. What I am for is PRO CHOICE of whether I use it or not.

    -Alan

    • If you want to know all the ways that NAT can be bad, and why it doesn’t belong in an IPv6 network, you should review the presentations from the North American IPv6 Summit, and INET Denver, also this past week. There was even a presentation that shows that CGN is more expensive than dual-stack.

      My main gripe with NAT is actually aimed at CGN. It’s going to break my customers’ online experience, and send them to my 800 number to complain, about something that we’ll have no ability to correct because the ISP broke the net.

      Owen has a good note on this: http://www.datacenterknowledge.com/archives/2013/02/06/carrier-grade-nat-a-look-at-the-tradeoffs/

    • I do hate NAT.

      At work we have servers with 2 NAT IPs and a “native one”, just for service (same thing for console and backup).

      Not only is it a PAIN to connect 12 servers + 10-12 external systems, it is also VERY resource intensive for the routers and firewalls. And then they get overloaded, you start losing packets/dropped connections and it is very difficult to sort it out.
      And connecting to these servers to manage them is also quite complicated.

      I would LOVE to have IPv6 and get rid of all this nonsense.. having hundreds of servers is difficult enough.. having 6 IPs for each one…and some not being reliable…

  23. Pingback: CCIE Version 5: Out With The Old | The Networking Nerd

  24. I’m curious about the IPv6 implications and how it affects security. I understand that NAT wasn’t made with security in mind. I understand that end-to-end connectivity is a nice thing to have. If I have an IPv6 environment, what could I use to prevent my IPv6 address from being publicly routable? Temporary address, link-local or a stateful firewall that will allow only established sessions?
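The "unsolicited inbound traffic cannot traverse the device" property that Alan describes in comment 22, and the stateful-firewall option asked about in comment 24, do not depend on address translation at all: a default-deny filter that tracks sessions opened from the inside gives globally routable hosts the same protection. The block below is an added example, not code from the post or from any commenter. It models such a filter in a few lines: outbound packets from the inside prefix create a session entry, inbound packets are accepted only when they match the reverse of a live entry, and everything else is dropped. The prefixes and ports are constructed from the 2001:db8::/32 documentation range; a real filter would also need rules for ICMPv6 and Neighbor Discovery, which this example leaves out.

```python
"""Stateful, translation-free IPv6 packet filter, added example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"; ICMPv6/ND would need their own rules


class StatefulFilter:
    """Allow outbound, allow only replies inbound, drop the rest."""

    def __init__(self, inside_prefix, timeout=120.0):
        self.inside = ipaddress.IPv6Network(inside_prefix)
        self.timeout = timeout
        self.sessions = {}  # forward 5-tuple -> expiry time in seconds

    def _is_inside(self, addr):
        return ipaddress.IPv6Address(addr) in self.inside

    def _expire(self, now):
        for key in [k for k, exp in self.sessions.items() if exp <= now]:
            del self.sessions[key]

    def filter(self, pkt, now):
        """Return "ACCEPT" or "DROP" for pkt arriving at time `now`."""
        self._expire(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: remember the session so its replies can come back.
            # This is also the hole malware opens for itself, exactly as
            # it would through a NAT device.
            self.sessions[key] = now + self.timeout
            return "ACCEPT"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.sessions:
            self.sessions[reverse] = now + self.timeout  # refresh on activity
            return "ACCEPT"
        return "DROP"  # unsolicited inbound: same outcome as "no NAT mapping"


def demo_verdicts():
    """Run a constructed scenario and return the verdict for each packet."""
    fw = StatefulFilter("2001:db8:abcd::/48", timeout=60.0)
    host, peer = "2001:db8:abcd:1::a", "2001:db8:ffff::1"
    scenario = [
        # 1. unsolicited SMB connection attempt from outside: dropped
        (Packet(peer, 40000, host, 445, "tcp"), 0.0),
        # 2. inside host opens HTTPS to the peer: allowed and recorded
        (Packet(host, 51000, peer, 443, "tcp"), 1.0),
        # 3. the peer's reply on that exact reverse tuple: allowed
        (Packet(peer, 443, host, 51000, "tcp"), 2.0),
        # 4. same peer, different destination port: still unsolicited
        (Packet(peer, 443, host, 51001, "tcp"), 3.0),
        # 5. the session idles past its timeout: the same reply is now dropped
        (Packet(peer, 443, host, 51000, "tcp"), 200.0),
    ]
    return [fw.filter(pkt, now) for pkt, now in scenario]


if __name__ == "__main__":
    for n, verdict in enumerate(demo_verdicts(), 1):
        print(f"packet {n}: {verdict}")
```

The inside hosts keep their global addresses throughout, so nothing here breaks end-to-end reachability for traffic the site chooses to permit; adding an explicit allow rule for an inbound service is one entry, not a port-forward plus a translation.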

  26. I want to be able to translate link local addresses so I don’t have to assign globally routable IPs to devices on the inside of my network. That is a perfectly valid use case.
