Slashdot Mirror


Can Large Scale NAT Save IPv4?

Julie188 writes "The sales pitch was that IPv6, with its zillions of new IP addresses, would eliminate the need for network address translation altogether. But Jeff Doyle, one of the guys who literally wrote the book on IPv6, suggests that not only will NAT be needed, but it will be needed to save IPv4 at the tipping point of IPv6 adoption. 'I've written previously that as we make the slow — and long overdue — transition from IPv4 to IPv6, we will soon be stuck with an awkward interim period in which the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Large Scale NAT (LSN, also known as Carrier Grade NAT or CGN) is an essential tool for stretching a service provider's public IPv4 address space during this transitional period.'"

17 of 583 comments

  1. Useless investment by JonySuede · · Score: 5, Informative

    At work we use NAT behind a whole public class B and it works great. But as a customer I would not put up with it. I want to act as a server, not only a dumb host. So please stop the carrier-grade NATing madness.

    --
    Jehovah be praised, Oracle was not selected
  2. Re:NOOOOOOO by bbn · · Score: 4, Informative

    Except for all the people still on XP, which has no native IPv6 support...

    Has too. You just need to enable it: http://ipv6int.net/systems/windows_xp-ipv6.html

  3. Re:NOOOOOOO by RobertLTux · · Score: 4, Informative

    Err, Windows XP does have IPv6 support, but it's not installed by default (in fact it has had it since XP SP2).
    Now it may not have all the bells and whistles of, say, Vista's support (if anything can be supported by Vista), but you should at least be able to get an IP and get online.

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
  4. Re:Fuck you. by Anonymous Coward · · Score: 1, Informative

    You are talking to Michael David Kristopiet. The one slashdotter too stupid for even slashdot.

    Don't waste your breath on this crazy but ultimately pathetic and worthless fucker.

  5. Re:Hasn't it already? by DeadBeef · · Score: 4, Informative

    I don't know where you have been getting your predictions. It is pretty certain that IANA is going to run out of space about the middle of next year.

    We have 14 /8's left in the IANA free pool, we use up almost 2 /8's every month.

    Are you betting on the IPv4 space usage magically decreasing (right when everyone will start freaking out about getting their last allocations)?

    --
    I am a lawyer and this constitutes legal advice and I shall indemnify you against any losses arising from taking it.
  6. Re:NOOOOOOO by Drishmung · · Score: 3, Informative

    Win/XP has fine IPv6 support except that it can only query DNS over IPv4 transport. That is, you can't run a pure IPv6 + Windows XP environment.

    --
    Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
  7. Re:NAT is good by dave3499 · · Score: 2, Informative

    Your ISP could still issue you a router with a firewall that's locked down pretty tight by default. Just because you have a globally routable IPv6 address doesn't mean your router has to let every packet through. What exactly are you worried about losing?

  8. Re:NAT is good by am+2k · · Score: 3, Informative

    1. Is Comcast going to give me unlimited IPv6 addresses? How will that work through my router? Do I now need to announce every device to Comcast?

    You get a subnet, and your router routes the whole subnet. Just like with IPv4, coincidentally.

    NAT makes for a pretty good firewall. I have Linux and Mac machines, and consumer devices, behind my current NAT router. With NAT and SPI, I have it pretty good.

    As opposed to having a firewall, instead of having a firewall?

    Hey, I understand the need for IPv6. I guess I just don't want to lose what NAT offers.

    Like what? Nothing you stated had anything to do with NAT as such.

  9. Re:NOOOOOOO by smash · · Score: 2, Informative

    Mod parent up. If you've had to deal with any sort of reasonably large-sized network and NAT, everything he mentions above is a huge pain in the ass. Relying on NAT as a "firewall" is brain damaged anyway, and those who think NAT needs no processing ability compared to a proper firewall are deluded. Every single packet needs to be looked up against the NAT state table, so even though you don't have any real firewall rules, processing is still going on.

    The "protection" that NAT provides can be replaced with a real firewall simply blocking incoming connections and maintaining state on outgoing connections, without breaking NAT-incompatible protocols to boot.

    I can't wait for the IPv6 migration to hit en masse. Those with a clue will be in huge demand.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  10. Re:NOOOOOOO by nacturation · · Score: 4, Informative

    Support for XP has stopped, it's an old OS.

    Windows XP is supported until 2014 if you keep up with service packs.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  11. Re:Port scanning posters; TOS server ban by CronoCloud · · Score: 1, Informative

    Most US ISPs have a "No running servers" clause in their residential service ToS.

  12. Re:NOOOOOOO by Anonymous Coward · · Score: 1, Informative

    http://www.sixxs.net/ or https://www.sixxs.net/
    Beware: their SSL cert is from an unlisted provider, so maybe just stick with the http version.

  13. Re:NOOOOOOO by Limerent+Oil · · Score: 3, Informative

    Currently, the internal IPs of my computers do not depend on which ISP I am connected to.

    Actually, IPv6 interfaces can, nay MUST, allow multiple address assignments. So in an all-IPv6 world, each of your computers will have an ISP-dependent (publicly routable) address, as you say. But they will each ALSO have a locally assigned, non-routable ("site-local") address that you can use as an unchanging address on your LAN.

    Plus, with IPv6 router solicitation/advertisement and/or DHCPv6, even the case of updating machines with new ISP-dependent addresses is not the onerous task you make it out to be.

  14. Re:wrong premise by hairyfeet · · Score: 2, Informative

    If you have the skills to set up IPv6 just for kicks, I seriously doubt you are dealing with what we out here in the field run into in most folks' homes, which is CCC, or "Cheap Chinese Crap". Trendnet/Zonenet, Linksys, hell, pick any under-$50 router and see how many updates are sitting there for it on its home page. My guess is it'll be like the Trendnet that is looking at me right now, which is zip. And unless things have changed in the less than six months since I looked at routers, there were exactly squat when it came to home combo wireless/wired routers under $50 that supported IPv6. None. You are not gonna get a home user to shell out $100+ for a router when their neighbor got a Trendnet for $20.

    So trust me, pal, they'll be eWaste all right, fricking endless traincars full of the crap. And where are all the IPv6 experts gonna come from? I don't see too many around here in NW AR, and traveling the South mostly what you find is good old boys running the networks that know IPv4 tools like the back of their hands and probably still got Win2K boxes running at home. That is a hell of a lot of flyover states that are gonna be seriously short of manpower when that switch gets flipped, a hell of a lot of problems that would take a couple of hours on IPv4 turning into weeks; it'll be a mess, friend. Thanks to all the offshoring, young folks just don't go IT hardly anymore, and it isn't like they can ship all those fixit jobs to India. Hell, I'll admit I'm guilty of it myself, as I have been putting in 9-hour-plus days and simply haven't had the time to learn IPv6, as there is nobody here actually using the stuff, which makes learning it all that more difficult.

    So if you are in NYC, LA, Miami, Dallas? Yeah, it probably won't be that bad. The flyover states? Gonna be a fucking mess, man. As someone who lives there, I know of which I speak, dude, I know of which I speak.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  15. Re:Large scale NAT is completely moronic. by Anonymous Coward · · Score: 1, Informative

    There are only 65536 port numbers, so there is only so thin that you can spread a single IP address. Remember that some clients open many ports. There are also questions of reuse; you can't simply cram the 65536 space close to full. When a TCP connection terminates, you don't want to start reusing the port number right away. It's tricky.

    It's fine not to like NAT if that's your thing, but let's not spread misinformation about TCP.

    TCP connections are identified by a source_ip:source_port::dest_ip:dest_port quad. This means you can use the same IP:port pair on the NAT end many times for different connections with different IP:port pairs on the other end.

    So it's not as dire as you paint it -- a single IP can participate not in 65536 (2^16) connections, but in 2^16 * 2^32 * 2^16 = 2^64 =~ 10^19 different TCP connections (in theory) in IPv4. In practice, not all IPs and ports are used, but unless all the clients behind that NAT are connecting to the same IP:port pair on the other side, the limit is going to be your NAT device's connection table, not TCP ports, because the device is unlikely to have the exabytes of RAM needed to track all those possible connections.

    Also, the most commonly-used protocol of residential clients is going to be HTTP, and browsers are usually not going to open up more than a couple of connections to port 80 on a given IP, thanks to RFC2616, so you can still fit a lot of customers behind a single NAT IP even though half of them are connected to google.com at any moment. Other protocols, like BitTorrent, may use lots of connections, but by their nature tend to spread those out among a lot of IPs and ports.
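An added example, not part of the thread or any poster's code, that puts numbers on the comment above. The 2^64 figure holds only if the NAT keys external port allocation on the full 5-tuple, which RFC 4787 calls "port overloading" and prohibits (REQ-3); a NAT that follows RFC 4787 (UDP) and RFC 5382 (TCP) gives each internal (ip, port) its own external port regardless of destination, so the port ceiling per public address is real and the operator's planning number becomes ports per subscriber. The toy NAPT below models both policies, quarantines a freed port for a TIME_WAIT-like interval before reusing it, and its inbound() lookup is the session-table check that comment 9 above describes as the only "protection" NAT provides. All addresses are constructed: 100.64.0.0/10 is the RFC 6598 shared space CGNs use on the subscriber side, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.

```python
"""Toy NAPT (CGN-style) port allocator: what really limits one public IPv4 address.

Added example, not from the thread. Addresses are constructed (RFC 6598 shared
address space on the inside, documentation ranges on the outside).
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")


class PortExhausted(Exception):
    """No external port satisfies the mapping policy."""


class Napt:
    """One public IPv4 address of a carrier-grade NAT.

    overload=False -> RFC 4787 REQ-3 behaviour: every internal (ip, port)
                      owns one external port, whatever the destination.
    overload=True  -> 'port overloading': an external port is reused as long
                      as (ext_port, dst_ip, dst_port) stays unique. This is
                      the 5-tuple reasoning in the comment above; RFC 4787
                      forbids it because a peer then cannot tell subscribers
                      apart except by the destination it happens to be.
    """

    def __init__(self, ext_ip, first_port=1024, last_port=65535,
                 overload=False, hold_secs=120):
        self.ext_ip = ext_ip
        self.ports = range(first_port, last_port + 1)
        self.overload = overload
        self.hold_secs = hold_secs
        self.sessions = {}    # (ext_port, dst_ip, dst_port) -> Flow
        self.mapping = {}     # (src_ip, src_port) -> ext_port (no-overload mode)
        self.refs = {}        # ext_port -> number of live sessions using it
        self.quarantine = {}  # ext_port -> time before which it must not be reused

    def _pick(self, usable, now):
        for port in self.ports:
            if usable(port) and self.quarantine.get(port, 0) <= now:
                return port
        raise PortExhausted(f"{self.ext_ip}: no external port left")

    def open(self, flow, now=0):
        """Outbound SYN: allocate and return the (ext_ip, ext_port) the peer sees."""
        dst = (flow.dst_ip, flow.dst_port)
        if self.overload:
            port = self._pick(lambda p: (p,) + dst not in self.sessions, now)
        else:
            port = self.mapping.get((flow.src_ip, flow.src_port))
            if port is None:
                port = self._pick(lambda p: p not in self.refs, now)
                self.mapping[(flow.src_ip, flow.src_port)] = port
        session = (port,) + dst
        if session in self.sessions:
            raise ValueError("same 5-tuple already open")
        self.sessions[session] = flow
        self.refs[port] = self.refs.get(port, 0) + 1
        return self.ext_ip, port

    def close(self, ext_port, dst_ip, dst_port, now=0):
        """Session ended (FIN/RST or idle timeout): drop state, quarantine the port."""
        flow = self.sessions.pop((ext_port, dst_ip, dst_port))
        self.refs[ext_port] -= 1
        if self.refs[ext_port] == 0:
            del self.refs[ext_port]
            self.mapping.pop((flow.src_ip, flow.src_port), None)
            # Like TCP TIME_WAIT: a late segment for the old session must not
            # be delivered to whoever gets this port next.
            self.quarantine[ext_port] = now + self.hold_secs
        return flow

    def inbound(self, peer_ip, peer_port, ext_port):
        """Reverse path. No matching session means the packet is dropped; this
        lookup is the entire 'NAT is a firewall' effect, and a stateful filter
        does the same thing without rewriting any address."""
        return self.sessions.get((ext_port, peer_ip, peer_port))


def demo(first_port=1024, last_port=1123):
    """50 subscribers x 3 connections to 3 web servers through 100 external ports.
    Returns {overload: (sessions opened before exhaustion, external ports in use)}."""
    subscribers = [f"100.64.0.{i}" for i in range(1, 51)]   # constructed
    servers = [f"203.0.113.{j}" for j in range(1, 4)]       # constructed
    out = {}
    for overload in (False, True):
        nat = Napt("198.51.100.1", first_port, last_port, overload=overload)
        opened = 0
        try:
            for sub in subscribers:
                for k, srv in enumerate(servers):
                    nat.open(Flow(sub, 40000 + k, srv, 80))
                    opened += 1
        except PortExhausted:
            pass
        out[overload] = (opened, len(nat.refs))
    return out


if __name__ == "__main__":
    print(demo())  # {False: (100, 100), True: (150, 50)}
```

With 100 external ports the compliant policy carries 100 sessions and then fails, while overloading carries all 150 on 50 ports because three distinct destinations let each port be used three times; the ratio is the same with the full 1024-65535 range. An IPv6 firewall without translation keeps the equivalent of `self.sessions` as its connection-tracking table (in nftables, `ct state established,related accept` followed by a drop of new inbound flows), which is the replacement comment 9 describes.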

  16. Re:NOOOOOOO by migglelon · · Score: 1, Informative

    Be careful what you wish for. IPv6 is so full of flaws that until IPv4 completely runs out and IPv6 gets rammed down our throats, no enterprise will adopt it. Where do I even start?

    OK, case in point. The people who designed IPv6 think NAT is not necessary because there are enough addresses for everybody. That's the dumbest thing I've ever heard. They're missing the point! Does anyone NOT think about the routing tables?

    Right now IPv4 over the Internet is barely manageable, and only because people NAT. In fact, you cannot have networks more specific than a /24, because many ISPs will filter you out, since it would be just too many routes to deal with. Most companies that connect to the Internet have one network (or a small handful of networks) and thankfully present only those few networks to the Internet. Now let's say you take NAT out of the equation. You mean to say you want the **INTERNAL routing table of every company everywhere** in every Internet router?? That's madness! Do people think routers just have terabytes of memory, and that routing protocol convergence times are negligible?

    And before you try to suggest summarization as a solution, no, you cannot just summarize in IPv6 and call that a simple answer. That leaves no room for mobility. So one specific host leaves the summary route and goes to a different location, how are you going to inject that /128 route into the Internet routing tables? You can't, nobody would be able to handle your /128 (host) route and know how to return traffic to you. NAT is clearly the only way to allow access for mobile devices to change locations and still get to the Internet.

    Here's a more specific example. You have an IP address at home. You IPSec VPN to work. They turn off split tunneling for security reasons, which of course means all traffic has to go over the VPN tunnel. However they allow you to go to the Internet through this VPN tunnel. So now you pass traffic to the VPN concentrator, and try to get to the Internet. But now you have a problem, without NAT. Your home computer's IP now has to appear as if it's coming from your company? So you have to inject a host route to the Internet, and hope the rest of the Internet has a return route to you? That's so not happening - no routing protocol can handle that.

    Let me also point out NAT hides addresses and provides security. I don't want the Internet knowing my internal host IP's. They can know about my firewall IP though. So I want to hide the internal IP's. NAT does this beautifully, and is an essential security function.

    There's no denying NAT is needed. The fact that the IPv6 designers even debate this at all shows how clueless they are about real-world issues, and because they are so detached from reality, nobody wants to implement their new protocol. It's no mystery why the IPv6 adoption rate is so slow.

  17. Re:NOOOOOOO by Nevynxxx · · Score: 3, Informative

    If you have carrier redundancy, the IPv6 stack can/will have *both* sets of IPs active at once, and you decide which gets used outgoing at the router. IPv6 actually includes multi-homing, unlike IPv4....