> 
> > That's a terrible idea, because it would pander to the myths that
> > NAT is a security or policy tool.
> 
> Brian,
> Several comments in this thread have suggested that security is the 
> primary driver for NAT.
> 
> While it is surely a factor, I believe the dominant driver for NAT is 
> addressing autonomy.
> 
> Unless/until enterprise (or even home) network operators have some 
> number of bits of address to call their own, without risk of forced 
> change or being held hostage to their ISP, you will have NAT for v6 
> just like for v4.  I think you can take that to the bank.

        They have that today without NAT.   You are stuck in IPv4
        think.  You are thinking *one* address per interface.
        IPv6 was designed with *multiple* addresses per interface
        in mind.

        Use ULA + global addresses.  There is no need to NAT from
        one address to another.  Your internal network connects
        over ULA, your external net connects over global addresses.
        Even with 1 to 1 NAT in IPv4 you have to use new global
        addresses for people to reach you.

        Note: this works today. link-local + ULA + global.

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::214:22ff:fed9:fbdc%bge0 prefixlen 64 scopeid 0x1 
        inet6 fd92:7065:b8e:0:214:22ff:fed9:fbdc prefixlen 64 autoconf 
        inet6 2001:470:1f00:820:214:22ff:fed9:fbdc prefixlen 64 autoconf 
        inet 192.168.191.236 netmask 0xffffff00 broadcast 192.168.191.255
        ether 00:14:22:d9:fb:dc
        media: Ethernet autoselect (10baseT/UTP <half-duplex>)
        status: active

% env |grep SSH
SSH_CLIENT=fd92:7065:b8e:0:2e0:29ff:fe19:c02d 4656 22
SSH_CONNECTION=fd92:7065:b8e:0:2e0:29ff:fe19:c02d 4656 fd92:7065:b8e:0:214:22ff:fed9:fbdc 22
% 

        Mark
 
> (Note that autoconf doesn't remove this need... enterprise operators 
> will have local host addresses sprinkled throughout a plethora of 
> departmental traffic disruption appliances, so renumbering will be 
> viewed by many as a non-starter.)
> 
> -teg
> 
> _______________________________________________
> Ietf mailing list
> [email protected]
> http://www.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
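
The following is an added example, not part of Mark's message: it classifies the bge0 addresses shown above by scope and checks that the SSH session ran ULA to ULA inside the same /64. The function names are hypothetical; the interface output and SSH_CONNECTION value are copied from the message.

```python
import ipaddress
import re

# Interface output and SSH variable as shown in the message above.
IFCONFIG = """\
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::214:22ff:fed9:fbdc%bge0 prefixlen 64 scopeid 0x1
        inet6 fd92:7065:b8e:0:214:22ff:fed9:fbdc prefixlen 64 autoconf
        inet6 2001:470:1f00:820:214:22ff:fed9:fbdc prefixlen 64 autoconf
        inet 192.168.191.236 netmask 0xffffff00 broadcast 192.168.191.255
"""
SSH_CONNECTION = ("fd92:7065:b8e:0:2e0:29ff:fe19:c02d 4656 "
                  "fd92:7065:b8e:0:214:22ff:fed9:fbdc 22")

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")          # RFC 4193 unique local
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def scope(addr):
    """Classify one IPv6 address string; a %zone suffix is ignored."""
    a = ipaddress.IPv6Address(addr.split("%")[0])
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"

def interface_addresses(text):
    """Map scope -> list of IPv6Interface parsed from ifconfig-style text."""
    found = {}
    for m in re.finditer(r"inet6 (\S+) prefixlen (\d+)", text):
        addr = m.group(1).split("%")[0]
        iface = ipaddress.IPv6Interface(f"{addr}/{m.group(2)}")
        found.setdefault(scope(addr), []).append(iface)
    return found

def session_stays_internal(ssh_connection, addrs):
    """True if both endpoints are ULA and the client sits in our ULA prefix."""
    client, _cport, server, _sport = ssh_connection.split()
    if scope(client) != "ula" or scope(server) != "ula":
        return False
    c, s = ipaddress.IPv6Address(client), ipaddress.IPv6Address(server)
    return any(i.ip == s and c in i.network for i in addrs.get("ula", []))

if __name__ == "__main__":
    addrs = interface_addresses(IFCONFIG)
    for name, ifaces in addrs.items():
        print(name, [str(i) for i in ifaces])
    print("internal session:", session_stays_internal(SSH_CONNECTION, addrs))
```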