Frequent visitors to this site know of my crusade against all things Network Address Translation (NAT). Despite its few useful properties and our current reliance on it with IPv4, I consider it to be a kludge at best. However, some people see NAT as a necessity of modern networks and have begun working hard to ensure that NAT will live on with our shift to IPv6.
I realize that NAT is a necessary evil today. The IPv4 Internet would have imploded long ago without translating the meager number of prefixes available into the large number of “private” devices sitting behind NAT gateways. IPv4 is the duct tape that has held things together for the last ten years while we prep a long term solution like IPv6. Alas, some people in the community think that since NAT has done such a good job fixing things for so long that it should be the all-in-one tool in their toolbox for every network problem. Some people think it’s a great way to provide security for a network. These people often confuse NAT with what a firewall does in conjunction with NAT. NAT in and of itself provides no additional security beyond masking addresses. NAT also adds in additional complexity when troubleshooting. NAT boundaries break things like VoIP. Packets hit the gateway device and get lost headed back to the source. NAT does this for almost every form of end-to-end communication in the Internet. If you add in Port Address Translation (PAT), where you translate a whole block of private addresses to one public IP address, you push the processor on your firewall to the breaking point. I don’t have the hard numbers to prove my supposition, but I’d venture a guess that 50% of a firewall’s processor time is spent translating NAT/PAT rather than shuffling packets to their proper destinations.
IPv6 doesn’t currently have a concept of direct address translation. Nor does it need one. There isn’t a dwindling pool of global addresses than need to be extended. With the large amount of addresses available, the odds that two companies are going to have overlapping address spaces that will need to be translated in a merger are slim. Right now, the only viable use case I can see for NAT used in relation to IPv6 is for translating the IPv6 addresses on a network to something that can access the IPv4 Internet without a dual-stacked router (NAT64). Even this use case is rather dubious in my mind, but Ivan has managed to convince me that it’s useful in the short term. So why do I still hear about RFC 6296? Why does Jeff Fry point out stories like this to me? What is this world coming to? Let me make this clear:
NAT on IPv6 is pointless and a bad idea.
There is no reason to implement native IPv6-to-IPv6 NAT (NAT66) in reality. The address space is way too big to require translation in the foreseeable future of my lifetime or even that of my kids. If you are really concerned about hiding your addresses or disguising your MAC address, you can look into the idea of Temporary Addressing. In the middle of writing this post, Paul Regan asked me about using NAT to translate when you move from one provider to another. That might be a good use case, and it happens to be the one that RFC 6296 is lined up to address, but if keeping your IPv6 space is so important when you move, why not sign up for a provider-independent block from your local Regional Internet Registrar (RIR) and run BGP to advertise it yourself? If you switch ISPs often enough to keep switching IP schemes every few months, maybe you need to worry more about stability and less about chasing the lowest ISP price. If your ISP keeps forcing you to switch addressing space that often, it might be time to shop around.
I truly believe that the people out there chasing the NAT66 sasquach are looking for a new security blanket. They’ve dealt with NAT for so long in IPv4 that the idea of using IPv6 sans NAT makes them lie awake at night in a cold sweat. Why else would you take something so unnecessary and bolt it on after the fact? There’s no need to have NAT unless you take the position “it’s how we’ve always done it”. The NAT66 proponents must think that NAT is needed simply because they’re unsure how to configure a firewall otherwise. Obviously, without NAT the Internet breaks. So we must have it in IPv6 or things won’t work right. However, I think that having NAT66 will cause people to keep configuring their networks incorrectly and lead to confusion and problems down the road. If IPv6 is going to require a shift in thinking like so many people keep telling me, why not truly shift our thinking away from things like NAT? We’ve already done it once before with the concept of reserved local addresses. RFC 1884 tried to define a site local address similar to what we think of with RFC 1918 addressing. This was such a horrible idea that RFC 3879 came out and deprecated the whole idea (Yes, I know about RFC 4193. I’m not talking about it.)
If there are people out there that think we still need to cling fervently to old ideas to help ease our transition to the Internet of the Future™, then I’m going to make my own proposal. I think it’s time that we put the IP checksum field back into the IPv6 header. Yes, I know that TCP has its own checksum and that the underlying packet must be good if the TCP checksum comes out okay. Yes, I know that having a checksum in the IPv6 header is silly if there aren’t going to be any naked IP packets floating around anywhere. However, I think that since it’s always been there in IPv4 it’s comforting to have it available in case I want to double check each of the packets moving into and out of my network. Who cares if it introduces a small amount of latency to calculate? I feel better knowing it’s still there. Now, doesn’t that kind of thinking sound silly? Yes, I purposely picked something totally trivial to make my point, but that’s how I feel about NAT. If we want to move forward out of the IPv4 Dark Ages and into the realm of the IPv6 Renaissance, we need to leave behind childish things like the need to NAT IPv6 packets on IPv6 networks. Let’s spend more time making the Internet work the right way and less time trying to make it work the way we think it should.
Thanks for the mention and nice blog.
I was thinking about for NAT66 for the SME that don’t have the skills or knowledge to qualify for a PI block, nor would they probably do a good job of being nice BGP neighbours. Big shops will have skills, small shops will be an easy switch.
NAT66 abstracts the complexity of re-addressing. But breaks the utopia end to end visibility .. I can see what people are pushing.
Exactly. And it’s not just a matter of skills, either. If you’re multihomed to LocalCableCo and LocalDSLCo, they’re just not going to be willing to run BGP with you. Using multiple prefixes on the link is the ideal, but it just doesn’t work right yet, and the standards to fix it aren’t even ratified, much less implemented.
This is my biggest concern as well, NAT for the SMB market allows multihoming without the complexity of other designs. Without NAT we lose this ability to easily stand up a second Internet link. I’ve not seen a good answer to this yet from anyone and I’d be glad to see one if I’ve missed it. Using PA won’t work without a major pain each time the company wants to change ISPs and we all know how often they want to do that…
I would love to see the end of NAT with the increasing adoption of IPv6. NAT, like VLANS (and chroot) is often used (badly, incorrectly) for “security”.
Repeat after me: “NAT is not a security solution. NAT does more harm than good by breaking the fundamental end-to-end model of IP.”
As the concept of “client” slowly goes away, we’ll see more and more need for inbound connections to all manner of devices, things that are typically only clients today. Anything peer to peer (which we need more of for scalability) is difficult with NAT. As people want to reach and control devices on their home networks while they are on the go, they will encounter the brokenness that is NAT. Instead of making simple firewall changes, they’ll be dealing with port redirection, “NAT traversal servers”, “NAT brokers” and other kludges.
Death to NAT; it’s long past due.
Pingback: IPv6 Philosophy: To NAT or not to NAT – that’s the question » IPv6 Friday
What if you set up a private network whilst you did’t have a public range available, then need to set up a connection to a public network at a later date? I agree that NAT is bad, horrible thing that breaks things badly, and it over complicates networks, but why should we remove it from our toolkit when it can be useful?
The university I’m studying at recently rolled out IPv6 some time ago, including the network connections used by student housing,
However, their policy prohibits you from running a router or more than one device. I’m doing it anyway of course, as I want my smartphone and console to have internet access and they block traffic for two hours if the MAC address changes (and not all devices can spoof the MAC, for example consoles). That is what IPv4 NAT is for for me, not laziness or security.
As you are only allowed to have one device, you only get ONE IPv6 adress too. That’s it.
Without NAT66, I don’t have the capability to use IPv6 on additional network devices except when using application-level proxies.
(NAT64 requires you to have multiple IPv6 adresses too.)
If you look at mobile ISPs trying to block tethering, I can see normal ISPs trying to do this too.
You only get one IPv6 adress. Want to use more devices? Pay more money!
I don’t give a fuck about the most correct or pure implementation, policies, etc.. As a lowly end user, this shifts power anway from me.
So fuck you.
Only losers post comments like that as a guest.
Only loser calls anybody a loser. He has a valid point. For example Uverse router gives only /64 … If I want to subnet on ./60 I can do it with a router behind. But Uverse router will drop the traffic. I already did Nat66 on Juniper SRX so I know it can work to allow 16 subnets behind the /64 prefix.
Thanks for the comment. Always glad to hear from those making the leap to IPv6, especially one so youthful. Since you neglected to leave a real e-mail address in your comment, I’m going to call you “Nate”. Get it?
Nate, to make sure I understand your quandry here, let me try to summarize my understanding. Your university has both IPv4 and IPv6 in place. They have a policy of handing out one address per network jack in the housing area, which is probably a 2-person room if I recall from my college days. You realized that this policy doesn’t meet your requirements of networking a computer, smartphone, gaming console, and who knows what else. Perhaps there is a university-wide wireless network, perhaps not. For whatever reason, you’ve decided to circumvent this policy restriction with a NATing router of your own. This router probably doesn’t handle NAT66, as most consumer grade equipment can’t do that at this point, and with you being in college, the discounted price of a device that can handle it is probably beyond both yours and your parent’s budgets.
Nate, rather than examining the policy restrictions that your university has put in place to restrict IPv6 addresses to endpoints or postulating on the fact that the port security settings on the switchports facing your dorm room are probably set the way they are to prevent flooding or malicious attacks, you’ve decided that I’m to blame because I think NAT66 is a horrible idea. Allow me to say this then:
You’ve not only validated me insofar that I’m not the poster boy for the “I Hate NAT” movement, but you’ve helped me understand why I research these topics and decide the best course of implementation rather than leaving it up to “armchair” network rock stars.
Nate, there are a multitude of reasons why NAT66 is a bad idea. Many of them revolve around things like smartphones and gaming consoles. Having IPv6 enabled everywhere without NAT will ease the complexity of getting your PS3 talking to someone else’s PS3 so you can play Call of Duty or whatever it is you kids play today. But that’s not really important, is it? What’s really at stake here is that your Internet device experience is hampered because of policy decisions, as well as the decisions to circumvent those policies.
You should also understand that my position on this topic comes from an enterprise perspective where I trust my users to not bring XBoxes to the office. I don’t have to worry about my users doing things that might force me to lock down my switchports (except maybe in conference rooms or other public areas). In a college/higher education environment, the network admins have to lock down the user-facing ports to prevent stupid things like Bittorrent from crashing the whole core of the network and hampering silly things like educating students or doing critical research. In fact, I’d be shocked if the student housing wasn’t totally segregated off the main campus network. Limiting liability and all.
There will come a day when we have a pure IPv6 network running most everywhere. Universities will be forced to reexamine their old policies about IP address allocation. They will likely conclude that just giving each residence hall a /64 is the easiest way to go. Then there will be all the addresses that you can handle, provided of course that you have a piece of equipment capable of connecting your gaming console, smartphone, desktop, laptop, or whatever all at once. This is likely because the university will have plenty of addresses, but they won’t run any additional cables due to expense. On the day that we start handing out lots of IPv6, then NAT66 will be a very moot point. But, of course, we aren’t there just yet.
I can’t speak to the ISP drive to require more and more costs to connect devices. I mean, it’s not like their equipment is being impacted by each additional bandwidth consuming device that gets added into the network. I’m sure they’ll just break the conventions set forth in RFC 5375 for the sake of making a few extra dollars. Sure, it might drive off the more savvy tech users and cost the ISP dollars up front. Then again, maybe a lot of customers will get an XBox1080 or PS5 for Christmas and the parents will gladly pay any amount of money to get it connected to the Internet so their kids won’t whine. Who knows?
Nate, in the end there are a ton of considerations that go into my dislike of NAT66 and NAT in general. They are colored by my experience as a network rock star and an architect of many advanced technolgies. I’m going to keep on disliking any technology that forces me to change the fundementals of the global Internet and makes things like SIP and end-to-end communications break simply for the sake of empowering end users that circumvent unpopular policies. Nate, you just go on disliking those policies. I’m sure things will work themselves out.
Oh, and by the way, I’d encourage you to use this “good argument then insult” argument methodolgy when you finally graduate and get out into the real world. It works wonders on professionals.
Simply amazing response! lol!!!
And when someone self proclaims themselves as any kind of “rock star” in order to put down someone else’s opinion without actually helping them in any way or addressing their problem then we should feel free to disregard their position. The key point of the original posters point is that they are a consumer level network user and you respond by pitching enterprise needs. How about respecting both?
@stuart, you need to read the rock star bit again… and again… and again until you go…. oh bugger.
Dude, you are ignorant.
I reply this with my full name.
I have been working with multiple Enterprise customers developing IPv6 addressing schemes and I can tell you that dual homing and asymmetric routing are REAL issues with PI space. For example if you have a /48 from ARIN and advertise that block out of multiple DC’s to the global Internet, there is the real possibility that inbound return traffic could come through a different link than outbound. This gets even more complicated when you have more than 2 DC’s (one customer I am working with has 4 US DC’s). Outbound can be influenced with BGP metrics, but inbound can be an issue.
Hey Robbie, yeah that is exactly my big problem with converting to IPv6. With NAT you can easily send a more specific route out from your regional firewalls and ensure that return traffic comes back into the same stateful firewall. The problem now with going to this especially over my MPLS VRF around the country for remote sites, the traffic can come into either of my two core sites in CO and MD for redundancy then exit through my firewalls to the internet but the return traffic can’t be controlled as to which firewall it comes back into. Without some way of controlling this routing (like via NAT) it will be broken if servers are not in the same area. So have you guys came up with a way to control this asymetrical routing problem???
Jason, we have not…..still working on it.
And here is an article from a guy who does not what he is talking about. He makes a wrong assumption and builds on that. http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/
What’s wrong with the Register article? You just hate NPT, or consider it a terrible solution?
Exactly the kind of snobbery I have come to expect from some enterprise networking engineers – the whole article could be summarised as “I can’t see why I would ever need to use NAT66, so it’s a bad idea, and a lot of other people like me at the IETF agree”. It’s really not that helpful to those of us in small shops at the sharp end who are not “network rock stars”, who don’t work with Cisco kit all day and are just trying to get things to work.
I particularly enjoy the way you take the time to lambast, at length, the one comment that we could probably all agree was a bit daft and uncalled for (from Guest), but none at all to help any of the other genuine commenters. Well done, you’ve reinforced a stereotype for me.
You might want to have a read of this article, which says it better than I could.
The primary argument seems to be multi-homing. While there may not be a perfect solution right now, I think that nearly every network engineer in the world would agree that a real solution is more preferable than a hack like NAT.
D-Day isn’t here yet (and it seems to still be far off, despite the world’s best efforts). It may be crunch time, but the Internet isn’t broken yet. Full, complete IPv6 deployment is not here. Relax, hold onto your pants, and wait. A solution will be found–and preferably without NAT.
Finally, and controversially, I will say that if a (small) business wants to pay for the reliability and uptime of multi-homing (which still has several single points of failure), then they should probably consider paying for a network engineer that can meet their requirements.
To say that a business should pay for the support of an engineer that can actually meet their requirements is not being a snob.
The people complaining seem to have two options. Increase their skill sets so that they can be that engineer, or risk becoming dated and irrelevant. If you want, you can even continue to charge the same prices once you’ve updated your skill sets so that you can continue to support the notion that small businesses can’t afford to pay for more expensive support. Or you can charge more because you know more and have an expanded skill set. In that case, you’re just being a hypocrite.
IPv6 is coming. It will change the way engineers think about their jobs. It isn’t here yet, though. You still have time to update your skills. There is still time for a complete solution to multi-homing and other “issues” to be ratified.
Just because you’ve been doing something the same exact way for the past 20 years doesn’t mean that the new way is wrong. It means that you need to update your skill set or become irrelevant. Networking–and IT in general–is about staying current, not about being afraid of the future.
So now SMEs are going to need engineers? This is really the point of SMEs.. they just want a simple system, even if it is less efficient.
I currently live in NAT/PAT/”intelligent firewall” hell, so IPV6 in some ways is good for me, but certainly not for SMEs and consumers. We won’t get free unlimited IPs, you can count on that.
No, the issues for SME are MORE than that. Not a single “priest” confronts the issue of multiple IPv6 external connectivity management – not one.
On a NAT’ed IPv4, the SME admin only has to debug, monitor and secure a single external IP access. One point of entry for the entire enterprise. If you are getting attacked, for example – one point of entry, one point of defense. One log. One device with all the rule sets. One device to debug and plug holes in.
You IPv6 gurus miss the TRUE issue with SME’s, and that is MANAGING ALL THOSE EXTERNAL IP’s. Now, according to your principle, EVERY device on your LAN also has a IPv6 WAN-accessible component. Every device. So now, EVERY device must also have a firewall. EVERY device must have a rule set. EVERY device must then be administered regarding those rule sets, monitored for DDoS and spoofs, updated with the newest firewall technologies, granted unique authorizations for access/denial…AND given an internal IPv6 addy on top of all this!
There is a term for this: “WHAT ARE YOU, NUTS????!”
Truly, why would a V-SME (very SME) bother? As noted, the sysadmins for SME are doing this as a secondary or tertiary job description. They (OK, “I”) have my hands completely full doing my other jobs demanded of me without having HARDWARE demand yet more of my time simply because their IP addressing scheme now depends upon ‘proclamations’ from external forces (the IPv6 / DHCP services of the ISP) that grants every single device external access. “External access” must *also* mean “externally targetable”.
By using a NAT, SME’s can more readily control their exposure to the outside world in terms of LABOR, regardless of how you priests want to discuss “security”. I am a ‘small fry’ in regards to network knowledge but here’s Common Sense talking: Excuse me, but stating that a multi-point access channel (true IPv6-integrated LAN) will be as inherently secure as a single-point channel (IPv4 w/NAT router) is hubris, at best. If, with consideration, one factors in the human condition (read: Human Failings) that will be experienced in configuring and managing the now much larger, and therefore more complicated, externally-available SME IPv6 address block.
The network priest community is advancing a system that will multiply a SME administrator’s workload by multiple factors by using pure IPv6, and then stating that security will be equal. Not a rational claim, folks!!
You puritanical network admins are fighting the same fight as other puritans across multiple topics, be it from energy to macroeconomics to politics, and missing the same points. Reality never meets theory because reality has more factors to deal with than your theoretical papers do. IPv6’s benefits sound good on paper but who is going to deal with the problems that IPv6 creates? You dismiss problems as negligible because you’re not the one dealing with them in any individual rollout, and indeed you can’t theorize every individual rollout because you’ve never BEEN in some of the situations where said rollout will be used. ISO-level top network gurus have never been in a SME of 5 people, never will, so their theoretical planning can never account for something they have no knowledge of.
The world DOES need NAT66, regardless of your statement that is does not. The theory of IPv6 is quite sound – put every single device on a directly-addressable point on the internet – but the reality is far more complex than that. Until *someone* creates an exceedingly secure, fully cross-platform administration tool for ALL devices in a LAN, up to and including firewall rules and updating, SME and individuals will still prefer the much simpler to administer NAT topology.
Take your car to an oil change shop and ask them to diagnose and repair your transmission.
This clearly is a better idea than taking your car to someone who specializes in transmission services and repair because the oil change shop would be a single point of service. It might also be cheaper because you have to spend less money on gas (you’re going to only one place) and you’re dealing with someone who is not a specialist.
The world of IT is getting more and more complex every day. This isn’t an arbitrary complexity. Is the difference in complexity between the Model T and F-150 an arbitrary complexity? No. It’s a natural evolution of necessity.
If car engineers and mechanics of the past could not keep up and stay modern, they would quickly find themselves outdated and irrelevant. Similarly, a “general” (typically oil change) shop can only do a few things. They have to refer customers to other, more specialized shops.
Since you claim to be in IT supporting small businesses, you should know how vast the field of IT is. You can’t do it all, no matter how hard you try. You will fail at something. Sorry to burst your “I support everything” bubble. If you can’t do it (which you say you can’t), then you need to refer your customer (or boss) to someone who can. That’s the way it’s done in the car world, and that’s the way it works in IT. Sorry if you see your way of life disappearing because you can’t actually support anything in-depth. You can change oil filters, air filters, and re-fill anti-freeze. Maybe change some tires and breaks.
Maybe you should actually step back and realize that you’re on a pretty high horse. Business needs are constantly changing, no matter how large or small the business is. They’re going to change when IPv6 finally rolls out, and the professionals supporting them will have to shift as well. Get used to it, deal with it, and welcome to networking. Or goodbye, if you can’t cope.
OK, I am going to have to switch to being completely blunt here. You’re living in an arrogant technological fantasy land and just can’t wake up from the dream. Only blunt-force discussion will snap you out of it.
SME’s and individuals will NOT hire an IT architect in order to design their IPv6 network topology in order to satisfy some technocrat’s idea of implementing the “perfect” network across the world. WILL NOT HAPPEN. Unless YOU, and your IT ilk want to pay for it, that is.
SME’s ARE SME’s for a reason. They are small with commensurate small budgets. Their entire *existence* as been based on doing more with the resources available. If this WEREN’T true…they’d be expanding their business and become LESS of the “SME” appellation that is applied to them.
The idea of the vast majority of SHO’s and SME’s will hire an IT professional to service their LAN is the utmost of arrogance. Most SHO / SME’s simply don’t have that in their budgets nor will they have it at any foreseeable time; for most small business owners, ‘free’ money such as what can be paid to an outside contractor (which is EXACTLY what the IT professional will be) should be used for other, more urgent matters. Again, you haven’t lived in the SME world, have you?
A large majority of SME’s will NOT hire an IT professional. There are many reasons for this and they seem to slip by your pure technocrat ideology.
This is probably the major issue.
– loss of in-house control
This is an issue that you simply can’t recognize. The vast majority of small business owners are people of many skills, having their hand in almost all aspects of the business. If they aren’t doing it themselves, they have hired workers to do the work for them…but they, the owners, still expect to make the calls and be in the loop in regards to decisions and functions of the business. It’s THEIR business, their life and their lifeline. Their business is all that stands between food on the table or homelessness.
A hired outside IT professional will design a network…that will seen (correctly or incorrectly) as being completely alien to every single person in the SME. Therefore, any problems that occur that interact with the topology or design must be corrected by the outside IT professional…**at their time schedule**. That might be an hour later…or that might mean 2 days later. An SME will NOT risk being down and depending upon the scheduling whims of an outside contractor. THAT’S WHY THEY DO ALL THEIR IT IN-HOUSE IN THE FIRST PLACE.
Yes, I’ve done outside IT contracting for other SME’s. One owner was independently wealthy, due to inheritance, and had no issues with hiring the needed skill set. The other owners were on absolute shoestring budgets, referred to me by the wealthy owner, and really could not afford the work. I did the work at a massively discounted rate as a favor to my main client, as all the owners were friends. She (the main client) appreciated this and kept coming back to me for even the smallest issues as she saw I wanted to make her happy.
Another business owner hired me for data recovery to restore a completely corrupted hard drive and recover his company’s information, a process I completed successfully at. He hired me because he had no choice in the matter. He *needed* that information, was desperate, but discovered he couldn’t afford the quotations given to him by the recovery laboratories. He heard of me through the grape vine and came to me with with heart in his hands.
Two weeks ago I got a phone call from one of my current boss’s business associates to ask me for advice in buying a KSU / PBX system. I bought, fully installed and programmed the system currently used in our own office, which he liked the features of very much, and wanted me to help him purchase the ‘ideal’ system. His current phone implementation, one he made himself using the available SHO ‘modular’ telephones, has numerous issues and he needs more control over his business communications. He networked me in order to try to keep his budget in check; he was asking for advice and, *maybe*, some installation assistance as he hoped to be able to do a self-install to, again, keep his budget in check.
In all instances there frankly was a pattern: desperation. All the business owners needed an professional because they had tried, *themselves*, to correct the issues but discovered that they could not. So they yelled for help. If the idea that SHO’s & SME’s should be so “desperate” that they need to hire an IT professional in order to maintain your IPv6 purity…you truly need your head (and IPv6’s goal) examined.
You see…you’ve already LOST lost this argument. NAT66 is already HERE, NOW. Development continues as we speak. How would that be possible if the world was truly concerned about IPv6 topology purity?
Frankly, they’re NOT.
They, the people both developing AND screaming for NAT66, are more worried about real-life, everyday issues than theoretical papers. They aren’t concerned in the least about what high-level IT designers care about, they are worried about THEIR concerns…and NAT appears to offer them answers
In blunt-force terms, your concerns have ALREADY been completely ignored. Your IPv6 ideological purity has ALREADY been compromised for the perceived greater good of it’s actual USERS. A network design that may require large numbers of HOME users and very small businesses to consult with professionals should be seen as a failure, not a ‘bonus’, and patches like NAT66 will be applied as seen necessary by it USERS to repair any perceived issues.
Maybe one day, when the devices themselves are smart enough to handle rules handling and exceptions, IPv6 / v7 / v8 / v20 et al. purity will be the norm. That day isn’t here yet and, for the foreseeable future thanks to the ubiquity of dumb devices that require human administration, not coming for quite a while.
I thought about reading your entire post. I honestly did. About two or three paragraphs in, though, I realized that this is definitely a case of tl;dr.
The bottom line is that you get what you pay for. Don’t pretend that small businesses don’t make a profit. You keep trying to make them out to be a not-for-profit or an organization that just barely scrapes by. If they’re barely making it, then they have more issues to worry about than their network and they should probably reconsider their services, business model, or–worst case scenario–everything.
I’m sure you’re panicking inside because you’re seeing your profession slip away. You clearly don’t have the necessary skills to implement solutions to a business’s IPv6 problems. Maybe you can still make a living installing ISA cards in legacy machines. I’m sure you’re still arguing that PCI cards are too expensive for small business…let alone PCI Express.
Update your skills. Quit crying. Considering you probably don’t know what I do for a living, or what my work history is, I would suggest that you stop saying I’ve never done work for small businesses. I doubt you know what anyone’s work history is. We clearly know you’re a hardware junkie. And that’s okay. Except when you’re still trying to insist on DDR1 or, god forbid, SDR SDRAM as a memory solution.
I’m finished talking to you. You’re boring.
That was directed at Snake, by the way, if that wasn’t clear.
Doesn’t matter. You are just a dick with a ridiculous illusion of yourself. Plain and simple.
What is really ammusing to me is that everyone that is anti-NAT is railing against techies saying that they are lacking skills. What has that to do with anything? Such comments only strengthen the pro-NAT arguments in bystanders mind.
So, let me get this straight; you’re saying people against NAT66 are primarily against it because they “lack skills”.
Is that an admission that a NAT66 implementation would make IPv6 easier to work with?
I would think this would be favourable to businesses of any sort, as well as any average home user that just wants something they can plug in and just work.
Abstraction and simplification is almost always desirable to most users.
That’s why OOP is used by most people instead of procedural languages.
OOP, in theory, will give lower performance than procedural languages (or even assembly, provided you have the time and skills to actually use it properly). But compilers have become so good these days that any performance difference is negligible to nonexistent; and it’s just not worth the time and hassle to use procedural (or assembly).
I think the same sort of thing applies to NAT. Yes, it will add latency. But the processors used in even consumer routers these days are quite fast anyway. And the abstraction it provides makes things easier.
Anyway, basically, the argument of “you just need to update your skills” is a poor argument for higher complexity.
A better argument would be listing any technical advantages.
You say that it ruins the end-to end model.
I don’t see why it’s necessary to dictate that the entire internet needs to work as a pure end-to-end model. The internet is a hybrid of client/server as well as peer-to-peer.
And it’s not like NAT66 is proposed as a mandatory feature that everybody must use (not like IPv4, which is technically optional, but kind of necessary; IPv6 has more than enough addresses for it to be truly optional). You would use NAT66 if it’s appropriate for your particular network.
In other words; don’t like NAT66? don’t use it. But it can still be there for those that do want it and have a use for it.
As far as security goes: Yes, I’m aware that NAT is not the same as a firewall. But it does provide obfuscation.
Security through obscurity does work. Although obviously it’s a bad idea to rely solely on obscurity, it is one additional layer that can be good to have.
Pingback: IPv6 networking: Bad news for small biz | Technology News
Pingback: maccad » IPv6 networking: Bad news for small biz
Pingback: IPv6 networking: Bad news for small biz | Leomoo.com
Pingback: NAT is Coming to IPv6. Whether We Like It Or Not.
I question the need for NAT66 for SME’s when NPTv6 (or RFC 6296) is in place to address the multi-homed no BGP situation many SME’s seem to do and does not require the use of PI space at all. Additionally, it even allows the use case of running everything internal on ULA and running prefix translation to your single ISP who has given you PA space.
I do sympathize with those that are being hampered by policy rules that were clearly developed in an IPv4 centric world such as limiting the number of addresses assigned per switchport but that is a policy problem not a functional one of the protocol. IPv6 has more than enough addresses to assign out in a single /64 than most any organization will ever need. It does not seem rational to port overload an IPv6 address when you can simply provide an additional address at no cost. My 2 cents.
Don’t let Snake read this. He might argue that such a solution requires too much thought/planning/work.
I’m sorry…but your “replies” are a joke.
Every “anti-NAT66” argument put up comes down to the *technical* aspects, “IPv6 has enough address space for everyone”.
Your arguments COMPLETELY fail when it comes to the topic that [us] SME’s are CONSTANTLY bringing up – “Who’s gonna PAY for all this and WHAT positive benefit/cost ratio does IPv6 give to me?”!
For the SME community, there pretty much is NO positive BCR to making the switch to IPv6 in their infrastructure. SME systems are currently working *fine* in v4 yet you gurus suggest spending unknown dollars…just to switch to IPv6 in order to satisfy the *desire* for end-to-end IP connectivity. For many SME’s the idea of of E2E is a MOOT point – they don’t need it. If they DID need it, **they already have it**.
So, you suggest a wholesale change-up of their entire infrastructure for, what benefit then, exactly?
The POINT: You’re trying to stand on your high horse as a technophile> But, SME’s stand on the platform of BUSINESS. *Currently*, there is very little cost rationale to force a change across an SME’s topology simply because other people have “said so”. The proof is in the pudding – IPv6’s implementation ratio is WAY, WAY below expected, isn’t it? And the “World IPv6 Days” aren’t really changing that, are they?
In business, action is taken based upon benefits versus cost analysis. If technophiles can explain to the common SME owner and/or IT manager the benefits of switching to v6 for the cost that will be incurred…you’ll have a winning formula for success. But, as of now, all discussion points of making the switch is “Because it’s here, because it’s new, and because it will be the standard” but that fails all tests in stating that their *current* implementation will cease to work, *today*. Therefore, and quite simply…they won’t switch – until they MUST.
And, by the time they “must”, things will be quite different anyway. More, and cheaper, v6 routers, firewalls and other devices, along with a lower dependence on legacy OS’s with ‘questionable’ v6 support, will make the switch in the future easy and smooth (as compared to today).
You want IPv6 implementation? Then tell me why the cellular 3G and 4G systems haven’t been forced into IPv6, considering that (in the United States especially) they have a completely captive audience in regards to hardware control. The cellular network could much more easily rollout v6 on a network that they have full control of. Doing so would free millions of v4 addresses for land-based ISP’s. Add in v6 rollout across the backbone and that will also free up millions of addresses more.
You’re being idealistic. Try being profit-oriented pragmatic for a change, and you’ll see the world through a small business owner’s eyes.
It’s 2021 and mobile companies use IPv6 heavily. I agree, we can stave off the exhaustion of IPv4 address space for decades to come, if all mobile devices go v6.
“The people complaining seem to have two options. Increase their skill sets so that they can be that engineer, or risk becoming dated and irrelevant” So we all have to pay for training in this one area of IT or become irrelevant? In a previous response to a comment you pointed out how wide a field IT is and now you are saying that I risk becoming irrelevant unless I learn IPv6? Actually we have 3 options, get training (oh wait that is really expensive), become irrelevant (hello dole line) or 3 pay someone like you to come to our rescue (oh wait that is really, really expensive).
SME’s do not have limitless budgets to provide training or pay for consultants and these types of considerations are usually way down the list when the budget comes to be decided. Please do not make the assumption that because people are concerned about the amount of money changing their existing setup would cost they either lack technical knowledge or are unwilling to learn new skills, personally I do not know enough about IPv6 yet but I know that if I ask for training I will be turned down, especially when I have been turned down for training that is directly related to the job that I do..
I’m sorry, but you do realize that contracting a network engineer is very common for SMEs. They design the network, set it up, and then the admins amend it as time goes on. It’s a one time fee, you don’t need to keep a CCIE on constant payroll.
If you going into the territory of divorce law offices with a misconfigured Windows 2k3 DC in the corner, then these guys don’t care about BGP or whatever. They just use the router that the ISP gives them.
Even if you’re dealing with a pure v4, the network complexity in those SMEs is so much that an “office IT dude” wouldn’t be able to handle it or do it securely. I once worked for an MSP that was headed by a demanding jack of all trades Chinese man. He would grossly misdesign the networks like using single GBE links between switches, so that the last room in that chain was severely bottlenecked. No VLANs, no DNS, no AD, no build systems.
You can call be a pompous ass, but frankly, I rather have an SME pay for a proper MSP that bills hourly, instead of having an overworked office IT guy try to design their firewall and **** things up royalty (which they almost always do). These MSPs have teams of specialized experts. The economies of scale (in terms of knowledge) are simply unsurmountable.
Pingback: IPv6, NAT, and the SME – A Response | The Networking Nerd
I am very against nat66 from a philosophical perspective. But I believe that as long as at least one other person who believes in it can also invent it, then it will come to be. I have since halted my evangelical crusade because it’s just a waste of my own energy.
You can’t control what other folks do with their packets. Might as well just accept it, as frustrating as it is.
Pingback: Start Menus and NAT – An Experiment | The Networking Nerd
Pingback: SME IT guy
HEY GUYS LETS LET ALL OUR PORTS BE OPEN! LETS LET ALL THE WINDOWS COMPUTERS IN THE WORLD BE ONLINE WITHOUT A FIREWALL! I DONT HAVE ANY DOUBT THAT CONSUMER HOME NETWORKS WILL BE PROPERLY CONFIGURED! DOWN WITH NAT66 HACK THE PLANET FTW! Not having NAT – worst idea of all time. If there are no ipv6 nat ip address provisions I’m just going to take a block by the toe and set it up as my internal nat. I prefer to control my own network, quit telling me what I can and cannot do with my network, thanks.
P.S. I don’t care how you feel about NAT66. How you feel doesn’t matter. We just need an allocation for internal usage. My network is not subject to your ‘feelings’.
It’s sad you don’t even know the ignorance of your post.
Please tell me how I can link my 2 houses over vpn both of whom have multi-homed dsl/cable links so I can replicate my AFS cluster, and share common networking infrastructure between my houses without using nat or PI assignments. Please explain why I would want to do this without NAT. I do already have PI assignments for other uses, but do you think my DSL isps are going to give me a BGP feed/push abilities on a 40$/month account?
Keep in mind, there are 4 different uplinks and ISPs involved here.
IPV4 with nat this setup is no problem. I can control my routing and outgoing packets how i see fit over multiple links without needing PI space. My houses appear as one big lan. I can see all my resources and life is good. Give it up and support NAT. Just because you can’t think of use for internal or private networks, doesn’t mean there aren’t uses for it.
Vpn2! I can see your house from here!
I say bring back NetBIOS and let it sort itself out.
Hank, I know right? It’s like people don’t remember the days of “netbus” and “backorifice”. This new IT generation all high and mighty thinking that people will properly configure their firewalls. It’s like the 1990s, and the things learned from that time period, didn’t even happen.
Ah you guys were having fun in twitter. No wonder I got no serious replies. Just another reinforcement of what has already been said 10x in this post (That you’re a pompous piece of shit). If you guys are going to IETF and helping to create standards for the future, I worry for the internet as we know it. All of your replies in this thread do nothing but attack the posters, I’ve yet to see you post anything of substance as to why there shouldn’t be a NAT provision; other than, your “feelings” that it shouldn’t exist. Oh well, at least I got to vent my IPV6 rage. Back to trying to get something to work, that should just, work.
Bullet, I was content to let you say your peace on this matter. However, it appears that you came looking for a fight. Okay, I’ll bite…
So, you’ve got four consumer-grade ISPs running between your two houses to sync an AFS cluster for some reason. And you don’t want to upgrade to a business class connection that would give you the ability to multihome? Why is that? You’re already running PI space. You could configure NPT on the link. You could continue to run IPv4 and IPv6 dual stacked to provide for your corner case. Or, you could run multiple IPv6 addresses on the links and source your VPN connection from a loopback adapter so it will automatically fail over in the event that your ISP connection goes down. I don’t really have a good solution to your quandry because I have one ISP at my house running an Airport that uses IPv6 tunneling back to HE.net, since my ISP won’t likely support IPv6 on my consumer grade connection for a few more years at best. Of course, I could upgrade to a business connection if I really needed that kind of connectivity.
I get it. I’m pompous because I don’t think of the little guys. I don’t like NAT66. I like making people’s live insecure and needlessly complicated. I also kick puppies in my spare time.
Or maybe perhaps it’s because NAT is a broken concept that causes fundemental end-to-end connectivity between nodes on the Internet to break and not work as it should. Address translation causes asymmetric routing issues. NAT breaks VoIP return call paths. NAT doesn’t provide security. I’m holding off implementing a /48 at my office because I’m not sure how it will interact with our existing firewall. Security is first and foremost on my mind. NAT introduces a false sense of security, as a matter of fact. It makes firewall configuration twice as complicated as it needs to be.
I won’t deny there are use cases for NAT44. What I have a problem with is that IPv6 was designed at a time when NAT44 wasn’t being used prevalently. IPv6 was designed to use point-to-point communications between end nodes. The address space was allocated so that we wouldn’t run out of addressable space any time soon so that we could assign addresses to anything that could want them, and that was at a time before IP addressed phones and Xboxes and washing machines. The decision to split the network and host portion of an IPv6 address down the middle at 64-bits was specifically so that the network portion of the address could be changed quickly without much impact to the end host.
You say that my replies in this post were attacks on people. Then, you post a strange use case that maybe four other people in the world will have and then accuse me of being a “pompous piece of shit” when I don’t respond to your post with a clever solution. Ask yourself why you need to upgrade to IPv6. Why are you chasing functionality that you obviously have sorted out?
I’m not a member of the IETF. I was approached and I turned it down. I’m not an architect. I don’t spend hours upon hours arguing the mathematic simplicity of header values and TLV extensions. I’m a grunt. I program switches and implement protocols on networks. I work almost exclusively in the SME environment that I’ve been accused of ignoring. I want things to work easily without overhead that causes people to spend needless time troubleshooting things that should “just work.”
You did inspire me to write another post on IPv6 and NAT though. Because it does appear there are people that the IETF needs to contact to get these strange problems solved. I’ll be sure to forward your email address to them so they can argue with you about your particular problem. If you think I’m being pompous, I can promise you that some of the people on that mailing list really will have you reaching for the bullets.
I wasn’t looking for a fight specifically. I was looking for information on nat66 and ipv6 in general as I do once a year to see if it’s made it to some sort of usable incarnation yet. This page is the #2 result for “nat66”. So when I’m looking for information on NAT66 and the second google result is telling me about how I don’t need NAT66, I was a little incensed.
I knew my test case required NAT, PI spacing, or some form of private network. I was actually looking at being able to give vpn clients static addresses based on their user id regardless of the location they connect to. If they connect to London, they would get the same address on their interface as if they connected to New York. This would allow me to easily manage users regardless of their connected location. Then map these users onto the network in 1:1 nat pool at those locations (which should not be an issue with currently available tools in IPv6).
But, with regards to my test case.. The business DSL connections are lower bandwidth than the residential connections. If I were to upgrade to the business connectivity I would receive less bandwidth for more money (which I wouldn’t mind if they sold business connectivity as SDSL, but it’s just normal ADSL). I’m not sure if you’re suggesting I should use PI space in my house, but all of these 5 man companies with 2 internet connections that would be pushing BGP scares me. It’s bad enough that we’ve got small unknown chinese ISPs pushing bad ipv4 routes to the internet taking sites offline globally, or at least, regionally. Do you really want mom and pop in there fiddling with their BGP routes? (But i guess that says more about trust between uplinks than anything)
Sure, I’m probably the only person in the world with this configuration. But it’s mine, so why can’t I just have my internal network and run it as I see fit? There are n billion of people in the world. There will be people doing odd stuff on their network for no other reason than just for the sake of doing it. Just because NAT would exist, doesn’t mean that people would need to, or be required to use it default out of the box. There’s no reason that consumer grade routers would use it default. Just because not everyone would use it or it’s unneeded, is no reason for it to not exist. Only a small portion of people actively/knowingly use/setup anycast, maybe we should get rid of that spec too, since not everyone needs it, and there are other ways to accomplish the same thing.
The thing that scares me most with regards to NAT and security. Yes sure, it breaks the end-to-end model. But you don’t have to worry about tons of non-updated windows systems being internet facing with only their windows firewall flapping in the breeze to save them. When a new network is being deployed at someone’s house, I don’t have to worry about if their computer will have proper firewall setup (if any firewall at all). With NAT, I can be assured they have no incoming connections. It’s bad enough that we’ve got people on the internet dumb enough to fall for email virii. The last thing we need is these people being responsible for maintaining their home firewalls. You can search google for “(videogamehere) port forwarding” asking about how to configure port forwarding in their router. You’re talking about asking people who can’t figure out how to forward a port to manage their home security. And these are gamers, the people most likely, within the consumer community, to know how to do these things. I’m sure there will be some companies shipping home ipv6 routers with the router in a default deny configuration. But i’d be willing to wager there will be more than 1 that ships it with nothing, or default allow configured for default firewall rules. This is what reminds me of the 1990’s wild west days of the internet. All of those IPv4 dial up clients with no nat or firewall configurations on the ISPs end or the consumers end. I thought this was what Hank was referring to when he was talking about netbios. Numerous hard drives just being available for anyone to access at any time. I don’t think I ever had to pay for an internet connection when I was in highschool. I would just have to port scan one of the local ISPs for common netbus ports and read their computer’s DUNS info. When you tell me that people are going to be running consumer grade hardware at home without NAT, this is the first thing that pops into my mind. Sure, a small fraction may have properly configured routers, but the vast majority will not. I wonder how many of these routers will ship with default passwords and administration consoles/interfaces open to the world (which already happens in IPv4 land, but not as common).
If consumers weren’t bad enough, network admins are just as lazy. I can’t even count the number of core cisco routers I’ve found over the years with default or “qwerty123” passwords over the years. Even best are the networks that process localhost. Dropping your local interface so the loop back address is routed to the next hop up where it connects locally to the DSLAM or host device. In fairness, I only had that happen once with a dial up ISP that didn’t properly restrict routes on their modem banks.
I also wonder when the first time I will turn on the news and hear about some guy’s life being destroyed because his wifi handed a routed IP to someone who cracked his WEP key and hosted a kiddie porn site off the line. It’ll be inevitable. Well, I guess it’s his fault for not having a properly configured firewall and not being a network engineer, huh?
IPv6 in general is a botnet admin’s wet dream and a nigerian email spammers Jannah.
“If consumers weren’t bad enough, network admins are just as lazy.” should read “If consumers weren’t bad enough, network admins are just lazy.”
I want a self feeling network.
My last comment on this post:
With NAT you can only ever have TCP or UDP as your L4 protocol. Why? Because that is how PAT and overloading an interface works. You map original source port of the private address space to a new source port of the globally routable address. The reason I am such a huge advocate for a no-nat Internet is because of the possibility of someone designing a new L4 protocol that might solve a lot of problems we face in the networking world today. Perhaps someone can design something with a proper session layer? If we continue to use NAT the chances of that happening are nil.
I believe solutions are there to allow SMB/SMEs to multihome without the need for BGP or NAT. Are they easy? Perhaps not…but once they make their way into the Linksys/Netgear/Sonicwall gear that’s being installed in most small environments I imagine they’ll be a simple check box. I don’t consider people that install only those types of equipment to be “network engineers.” (Just being honest.)
I think the main problem anti-nat folks are facing is primarily an education problem. If you could see the benefits of a no-nat network perhaps you would change your stance. Hear me on this though: I don’t think NAT66 should be wiped from the books. I imagine there is some corner case that could potentially need it…I’m advocating that there is no need for NAT66 in most every use case, and EVERY option should be exhausted before finally implementing NAT66 (while crying).
You guys….you guys.
Pingback: The Failing Crusade Against NAT | Keeping It Classless
Pingback: The Five Stages of IPv6 and NAT | The Networking Nerd
Good point? Why NAT again for IPv6?
This post is so old now, I doubt the author (or even the commenters) are even monitoring this anymore.
But, what the heck…since I am just *now* gearing up my learning about IPv6, I’ll throw my 2 cents worth into the wild abyss of this probably-not-even-read internet article…
Please note, I am just playing “Devil’s Advocate” here. As they say in the south, “I have no dog in this hunt.” In other words, I really don’t care one way or another about the IPv6 implementation of NAT *itself*. What I care about is my right to CHOOSE whether or not I utilize NAT on my network(s).
I do not understand the pure hatred of NAT, and your obvious push to do away with it. I am not going to argue the technical merits one way or the other, or quote RFCs because to be honest, I would be speaking out of sheer ignorance. But in the grand “big picture” of things, I think the author is making “much ado about nothing”.
You mention basically it is a “kludge” or a “band aid” designed to overcome the IPv4 address shortage; True. It has also been mentioned that NAT was never considered in the original internet specifications. True. But I imagine services like NetFlix, Xbox Live, and e-commerce, etc weren’t considered in the original design, either (did they even have SSL specifications back then?). So just because the initial specifications weren’t written when the internet was first gearing up, I don’t think is a valid argument to do away with it.
Although I can’t find the direct quote now, I read above somewhere that NAT essentially “breaks end-to-end communications”. But really, doesn’t a firewall do the same thing? I mean that is the whole intended purpose of a firewall! (And I do understand the different between NAT and a firewall).
Above, you had also mentioned that NAT gives people a false sense of security, and really provides no real protection beyond masking addresses. That is not entirely true. (but you are correct about NAT itself giving people a false sense of security). Provided there are no security holes in the NAT device itself, NAT makes it impossible for unsolicited inbound traffic to transverse the NAT device and reach any internal devices. (But the problem with NAT is, once an outbound connection is initiated, say from a piece of malware on an infected device, then whatever protection you thought you had with NAT has just been circumvented, and you might as well have no protection at all). So it at least provides protection from unsolicited inbound traffic.
Getting completely off subject, I consider this “controversial issue” just like I do most others. Lets take the current hot topic of firearms. I do not own a gun. I can count on one hand the number of times I have fired a firearm in my life. I do not see the *NEED* for guns. After all, slaughter houses [to the best of my knowledge] do not use firearms to kill the animals we prepare as food. In my eyes, guns serve no real useful purpose. However, there are those that like to shoot for sport, or hunt as a hobby. And you know what? That is perfectly okay by me. Although I do not see the *NEED* for firearms, that doesn’t mean that I want to see the production or sale of firearms outlawed. Although personally, I do not *WANT* to own a gun, I do want the *RIGHT* to own a gun if I should so choose.
I see the same thing with an IPv6 implementation of NAT: If you do not like it, then do NOT use it. But like so many other issues of today, just because you have a disdain for it, you want to essentially take away everyone else’s right to choose it basically because you know what is better for everyone else’s network than they do. I say go ahead and write in the specifications for an IPv6 implementation of NAT, and leave the decision whether to implement it or not up to the end users.
In closing, again I am not PRO IPv6NAT, nor am I ANTI IPv6NAT. What I am for is PRO CHOICE of whether I use it or not.
If you want to know all the ways that NAT can be bad, and why it doesn’t belong in an IPv6 network, you should review the presentations from the North American IPv6 Summit, and INET Denver, also this past week. There was even a presentation that shows that CGN is more expensive than dual-stack.
My main gripe with NAT is actually aimed at CGN. It’s going to break my customers’ online experience, and send them to my 800 number to complain, about something that we’ll have no ability to correct because the ISP broke the net.
Owen has a good note on this: http://www.datacenterknowledge.com/archives/2013/02/06/carrier-grade-nat-a-look-at-the-tradeoffs/
I do hate NAT.
At work we have servers with 2 Nat IPS and a “native one”, just for service (same thing for console and backup).
Not only is it a PAIN to connect 12 servers + 10-12 external systems, it is also VERY resource intensive for the routers and firewalls. And then they get overloaded, you rstart losing packets/dropped connections and it is very difficult to sort it out.
And connecting to these servers to manage them is also quite complicated.
I would LOVE to have ipv6 and get rid of all this nonsense.. having hundreds of servers is difficult enough.. having 6 ips for each one…and some not being reliable…
Pingback: CCIE Version 5: Out With The Old | The Networking Nerd
I’m curious about the ipv6 implications and how it affects security. I understand that NAT wasn’t made with security in mind. I understand that end-to-end connectivity is a nice thing to have, If I have an ipv6 environmnet what could I use to prevent my ipv6 address to be public routable? Temporary address, link-local or a stateful firewall that will allow only established sessions ?
I’m curious about the ipv6 implications and how it affects security. I understand that NAT wasn’t made with security in mind. I understand that end-to-end connectivity is a nice thing to have, If I have an ipv6 environmnet what could I use to prevent my ipv6 address to be public routable? Temporary address, link-local or a stateful firewall that will allow only established sessions ?
I want to be able to translate link local addresses so I don’t have to assign globally routable IPs to devices on the inside of my network. That is a perfectly valid use case.
In a perfect world, where everyone is honest and responsible on the Internet, NAT66 wouldn’t be ever necessary, that’s true.
But it’s not the case. There are employers who want to restrict access to certain websites to their employees. There are children, whose parents want to put them behind a parental control firewall. There are public WiFi operators who want to put a captive portal in place and put ads on all visited websites. They all need transparent (or “intercepting”, as otheres call them) proxies. Which are easiest to implement using a NAT.
Also, as someone pointed out earlier, there are overprotective (or overly greedy) ISPs who won’t allow you to use more than one IPv6 address even though it’s precisely why IPv6 was put in place. And you need to put a NAT in place (and NAT66 isn’t overly expensive or hard even for a consumer – just use a PC as a router) to get any kind of access (even though it’s totally suboptimal) on more devices (which isn’t necessarily always a blatant dishonesty and policy circumvention – perhaps you just need WiFi for five minutes on some device just for e.g. first run activation).
Or you might need it in a testing environment where you are designing something that is going to be a single device, prototyping it using more than one device.
You will also need some kind of NAT66 to give IPv6 Internet access to virtual machines or emulators if you don’t have (or don’t want to use) superuser privileges on the host machine.
There are tons of valid use cases for NAT66. Even though they all lead to suboptimal connectivity. We don’t live a in a perfect world – and to fix a kludgy world we need kludgy tools.
So I’m a couple of years late to the party!!!! but I still wanted to chime in (since I just found this thread on google, and I am a small business trying to get on board with IPV6 and finding it a very time-consuming learning curve!).
With that said, maybe we’re all stuck thinking an old paradigm.
Here’s my point. Assigning a /64 block to an end user seems to be evolving as the common wisdom on how to manage IPV6. Let’s assume this becomes standard practice. In that case, consumer devices should come with an automatic address assignment policy that can hand out unique addresses within that /64 block. Perhaps DHCPV6 or DHCPV6-PD, or if that doesn’t meet the need then some later refinement.
Further, I think for the small user, NAT makes connecting multiple devices to the internet close to “Plug and Play”, and usually NAT devices include a default firewall policy of “Drop” except for established connections, etc.
So imagine this bold new world…
We define a new DHCP-64 protocol (YES — I’m the first to use that name for this idea… Phil Brown… may I forever be credited with creating this term!!!)
So imagine that consumer grade devices, out of the box are configured to use DHCPV6 or DHCPV6-PD, or whatever is the eventual consensus on a good way to dynamically give “end users” a globally routable /64 ipv6 address.
Now imaging that, by default, most of these consumer devices are running this newly conceived DHCP-64 service that I’m envisioning. The purpose of this server, is to dynamically provide unique IPV6 address to clients connecting behind the consumer device.
Furthermore…. Let’s include two more conventions…
First… a firewall where the default rule is that external access is not allowed to these devices.
Second… a method (akin to UPNP, or manual exceptions, or whatever the intelligentsia deems best) as a way to open up limited outside access to these devices.
NOW…. we’ve recreated most of the advantages of NAT…. namely connection multi-plexing (as I’ll call it!) meaning that as a consumer I get one network address, can through in a consumer device, and connect more devices to it without a hassle, without much knowledge or configuration required.
I also get the default firewall policies to protect these devices….
And I have a manual way (easy web interface on the device) to enable certain of my devices to be exposed to the internet for certain services I choose…. plus, we have a UPNP-type technology that I can choose to enable that will allow certain services to automatically be enabled if I turn on this feature.
Not bad thinking… huh? Maybe one of the resident network “Rock Stars” would help develop this idea and promote it to the RFC crowd.
And yes… it could be further refined…
For example (and maybe I’m off the mark here)…
let the default mode for devices connected to DHCP-64 be that the DHCP-64 device will give out strictly non-routable sub-address. How? We define a new convention… similar to those for IPV4 and IPV6. So… lets just say, that by convention, that last bytes of
my DHCP-64 assigned ipv6 address end with “f”,
my DHCP-64 assigned ipv6 address ends with “9”,
–which means my device should not be open to connections initiated from the internet, except for rules that I manually add to my DHCP-64 server using the friendly web interface….
my DHCP-64 assigned ipv6 address ends with “0”,
–which means my device is allowed to have internet access opened to it automatically using a UPNP-like protocol to open and/or close access (let the rock stars design the protocol), plus any rules that I manually add.
Now we’ve moved towards making this work for “small” users too, and lessened the learning curve greatly. Buy a consumer IPV6 routing device. Plug it in to your ISP connection, and by default it gets a globally routable address. Plug new devices into the lan side of it, and I get a “local-only” address assigned to each device by my consumer router. Check a box or two, and the address changes slightly (only the last byte of the address), and I can now have it so that I can create my own rules to expose that device to the internet, or I can allow a UPNP-like protocol to choose when and how to open up certain services on that device to the internet.
Lastly… my device would always have an address ending in “0”… the non-internet accessible address. So that my internal network can always find the device. If I have a “9” last digit, then the device has two address… one that ends in “0”, accessible only from my lan, and one that ends in “9”, accessible from my lan, and from the internet for any access that manually enabled, and lastly, if I have a DHCP-64 address that ends in “f”, then I have upnp-like access allowed from the internet, plus I also have address that end in “9” and in “0” for this device.
Not bad for only a few minutes of thought. I now have a simple, small business and consumer friendly NAT-like solution which is easy (or easier) to explain to the average user.
And, similar to existing “NAT” rules, this scheme would not be friendly towards “double NAT”…. but with only a few tweaks to this Idea, I’m confident it could easily be extended to allow multiple layers of this “NAT-like” solution, by keeping the same basic concepts (including the meaning of “0”, “9”, and “F”) last digit, but enhancing the DHCP-64 protocol, so that devices that received their network address from a DHCP-64 server, would be able to receive a small block of subnet addresses for it to use or allocate (maybe /64, /72, /80, /88, /96, /104, and /112) which would allow for these consumer-grade devices to easily be nested up to seven levels deep in most use-cases, without a big hassle.
I am going to copy and paste what I just posted on another blog, but will also add a bit about inbound nat, so first on outbound nat below.
True that NAT’s purpose is to move traffic between local and wide area subnets via address translation. False however to say it provides no security benefit, it should never be used as security device primarily, but as a side effect it does add a security layer. It can be subverted, but its still a layer. Of course one should never ever substitute a firewall with NAT.
However lets explain for a moment on the uses of NAT, one might assume the only reason for NAT is to address the shortage of ip address space, however NAT is also very useful tool for redirecting traffic.
Currently there is a DNS war, everyone wants your DNS lookups, because DNS is used as a means to direct traffic, and is a means of logging what people are doing. Because of this we have software that does “not” honour configured DNS. Some examples?
My android phone adds google dns to the end of the DNS servers it gets from dhcp(6).
Chrome has been known to forcefully use google dns ignoring what you configured.
Various apps including netflix will force dns via specific dns servers.
You get the picture?
On my ipv4, I use outbound nat to “force” “all” dns requests to 127.0.0.1 which is the local dns resolver on my router. This overides dns routing, no matter how its configured LAN side, each and every ipv4 dns request will go to 127.0.0.1 on my router. I am in control of my network which is how it should be
However ipv6 is a different game, due to lack of NAT66 support on pfsense (my router) I have no ability (at least via official UI) to divert outgoing ipv6 dns requests to my own local resolver. I can pass on my requested resolver ip via dhcp6, I can manually add it to OS configuration on each device, however software can (and does) choose to ignore it. I added a firewall rule that blocks (and logs) requests to external ipv6 dns servers initiated from my LAN, there is many requests been blocked from my windows machine alone, to dns servers that are not in my configuration.
The lack of ability for a admin to control his network, and plug things like dns leak’s is a security issue, and as such NAT66 has security benefits.
But as usual we have silly politics, we need consistent standards across devices, instead ipv6 standards are all over the place because people cannot agree with each other on how things should be implemented, and this is one of the reasons many isps wont rollout ipv6, they see it as “not ready” for as long as things are not implemented. NAT66 should be on every routing device out there, by all means disable it by default, hide it away, but it should be there. One cannot declare ipv6 as an upgrade over ipv4 if it doesnt have all the features of ipv4.
So basically if you have an alternate way of diverting DNS traffic on a router (for just a port so not NPt) than I am all ears, but I believe NAT is the only way.
On the subject of inbound NAT, your article assumes every single isp assigns a decent sized routeable block to each customer, believe it or not there is isp’s that assign a /128 only, the first blog I replied to the guy absolutely hates NAT like yourself, but ironically the article was a guide on how to setup NAT66 as he had to do it because he only had a /128 to work with, so basically proving there is a purpose for NAT66. Obviously it wont have a widespread defacto use like NAT on ipv4, but there is edge cases where it is needed.
Pingback: Why Do You Need NAT66? | The Networking Nerd
Although I like to stay neutral on NAT, since it’s a technology like any other, this article reminded me of the presentation by Steve Deering at IETF 51 called “Watching the waist of the protocol hourglass”, and the difficulty this concepts bring when recreating OSI compliant network model in a database. NAT essentially creates a new IP network, inserting itself in the middle of the “protocol hourglass” separating two IP layers at the top and the bottom.
Just confirming, is it specifically (stateful) NAT66 that you are against? And I presume also what you call (stateful) PAT66, like what a lot of home-router IPv4 NAT does (internal private addresses to outbound ports).
What about PAT66 (RFC 6296), which is stateless prefix address translation? Is that a specific use case where you think it makes sense?
My specific use case would be a developer, running a local container network (e.g. Kubernetes) on IPv6 only, on a laptop.
The laptop will move between a home network, and office network, and sometimes connect via mobile, all of which provide IPv6, but different ranges. The mobile is IPv6 single stack, although Android runs XLAT464 so you get an IPv4 anyway. The other connections, e.g. home, are dual stack, and have DNS64+NAT64, for IPv6 only boxes.
With address translation the container network can assign ULA addresses, and still work.
It is hard enough to get apps to support IPv6 without also requiring them to support dynamically changing addresses.
For fixed servers, like a production, or even test, environment, it all works fine.
But for a mobile developer solution (admittedly only a small percentage), what other workable solution do you think could be used other than address translation?
What about ISP’s like Comcast that have one set of IP’s for the external comcast subnet and another that is for the “LAN” most implementations of IPv6 by firewall vendors like Sonicwall require NAT for IPv6 access to the internet
they also have poor nd-proxy rules for allowing addressing for ipv6 between internal and external subnets. The vendors and ISP’s themselves are confused by questions about IPv6 and offer little help.