Re: IPv6 NAT?

> 
> > That's a terrible idea, because it would pander to the myths that
> > NAT is a security or policy tool.
> 
> Brian,
> Several comments in this thread have suggested that security is the 
> primary driver for NAT.
> 
> While it is surely a factor, I believe the dominant driver for NAT is 
> addressing autonomy.
> 
> Unless/until enterprise (or even home) network operators have some 
> number of bits of address to call their own, without risk of forced 
> change or being held hostage to their ISP, you will have NAT for v6 
> just like for v4.  I think you can take that to the bank.

	They have that today without NAT.   You are stuck in IPv4
	think.  You are thinking *one* address per interface.
	IPv6 was designed with *multiple* addresses per interface
	in mind.

	Use ULA + global addresses.  There is no need to NAT from
	one address to another.  Your internal network connects
	over ULA, your external net connects over global addresses.
	Even with 1 to 1 NAT in IPv4 you have to use new global
	addresses for people to reach you.

	Note: this works today. link-local + ULA + global.

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
	inet6 fe80::214:22ff:fed9:fbdc%bge0 prefixlen 64 scopeid 0x1 
	inet6 fd92:7065:b8e:0:214:22ff:fed9:fbdc prefixlen 64 autoconf 
	inet6 2001:470:1f00:820:214:22ff:fed9:fbdc prefixlen 64 autoconf 
	inet 192.168.191.236 netmask 0xffffff00 broadcast 192.168.191.255
	ether 00:14:22:d9:fb:dc
	media: Ethernet autoselect (10baseT/UTP <half-duplex>)
	status: active

% env |grep SSH
SSH_CLIENT=fd92:7065:b8e:0:2e0:29ff:fe19:c02d 4656 22
SSH_CONNECTION=fd92:7065:b8e:0:2e0:29ff:fe19:c02d 4656 fd92:7065:b8e:0:214:22ff:fed9:fbdc 22
% 

	Mark
 
> (Note that autoconf doesn't remove this need... enterprise operators 
> will have local host addresses sprinkled throughout a plethora of 
> departmental traffic disruption appliances, so renumbering will be 
> viewed by many as a non-starter.)
> 
> -teg
> 
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> http://www.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@xxxxxxx
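An added illustration, not part of Mark's message or of any project's code, of the link-local + ULA + global setup shown in the ifconfig output above: it classifies each inet6 address by scope and picks a source address whose scope matches the destination's, so internal (ULA) and external (global) traffic simply use different addresses with no translation in between. The ifconfig text is the sample from the message, embedded as constructed input; fc00::/7 is the RFC 4193 ULA range, and the scope-matching rule is a simplified stand-in for RFC 6724 source selection.

```python
import ipaddress
import re

# Constructed sample input: the interface listing quoted in the message,
# carrying one link-local, one ULA and one global address at the same time.
IFCONFIG_OUTPUT = """\
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::214:22ff:fed9:fbdc%bge0 prefixlen 64 scopeid 0x1
	inet6 fd92:7065:b8e:0:214:22ff:fed9:fbdc prefixlen 64 autoconf
	inet6 2001:470:1f00:820:214:22ff:fed9:fbdc prefixlen 64 autoconf
	inet 192.168.191.236 netmask 0xffffff00 broadcast 192.168.191.255
"""

ULA = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses


def scope(addr):
    """Classify an IPv6 address as link-local, ula or global."""
    if addr.is_link_local:          # fe80::/10
        return "link-local"
    if addr in ULA:
        return "ula"
    return "global"


def parse_inet6(text):
    """Return the inet6 addresses from ifconfig-style output, without %zone."""
    addrs = []
    for m in re.finditer(r"^\s*inet6 (\S+) prefixlen (\d+)", text, re.M):
        host = m.group(1).split("%")[0]   # drop the fe80::...%bge0 zone index
        addrs.append(ipaddress.IPv6Address(host))
    return addrs


def pick_source(local_addrs, dst):
    """Choose the local address whose scope matches the destination's scope.

    A ULA peer is answered from the ULA address, a global peer from the
    global address; nothing is rewritten on the way. Returns None when the
    interface has no address of the required scope (simplified rule, an
    assumption standing in for the full RFC 6724 algorithm).
    """
    want = scope(ipaddress.IPv6Address(dst))
    for a in local_addrs:
        if scope(a) == want:
            return str(a)
    return None


if __name__ == "__main__":
    local = parse_inet6(IFCONFIG_OUTPUT)
    for a in local:
        print(f"{a:<40} {scope(a)}")
    # The ssh client in the message (SSH_CLIENT) is a ULA peer: it is
    # reached from the ULA address, not from the global one.
    print(pick_source(local, "fd92:7065:b8e:0:2e0:29ff:fe19:c02d"))
```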