Slashdot Mirror
Can Large Scale NAT Save IPv4?
Julie188 writes "The sales pitch was that IPv6, with its zillions of new IP addresses, would eliminate the need for network address translation altogether. But Jeff Doyle, one of the guys who literally wrote the book on IPv6, suggests that not only will NAT be needed, but it will be needed to save IPv4 at the tipping point of IPv6 adoption. 'I've written previously that as we make the slow — and long overdue — transition from IPv4 to IPv6, we will soon be stuck with an awkward interim period in which the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Large Scale NAT (LSN, also known as Carrier Grade NAT or CGN) is an essential tool for stretching a service provider's public IPv4 address space during this transitional period.'"
Of course it could fit most people needs who, by the way, don't even know what having a unique IPv4 address means, forget about knowing what a fixed IP address is. My only concerns would be towards people hosting services, even if they only host a gaming server.
Before getting a fixed IP address, I remember using services like dyndns before I setup my own private dyndns server on a fixed IP address server that I had access to. I could always reach my system even if it changed address every 6 hours on the first dialup provider I registered to back then.
So yes, it could, my only concerns is that it may cause prices to have a unique address or a fixed address to rise.
Everything I write is lies, read between the lines.
Stop the madness. Give us ip6. We (as a society) would gain so many productive hours without NAT and the shit that comes with it. (Portforwarding etc). We have the technology ready to go and give everything it's unique ip. Can we please use that tech? It's not like it's high-tech or to new to be implemented by now.
For years we've heard predictions about how we'll run out of addresses "this year." Yet we haven't.
I assume that's partly because my toaster doesn't have an IP, but it's also got to be because of NAT.
There's no -1 for "I don't get it."
If you're a Qwest customer in Omaha like my inlaws, you get a non-routable from the head end... and the last time I was there, they did not support VPN passthrough (although IIRC you could pay extra for a routable dynamic IP if you wanted VPN to work).
at work we use NAT behind a whole public class B and it work great. But as a customer I would not put up with it. I want to act as a server not only a dumb host. So please stop the carrier grade nating madness.
Jehovah be praised, Oracle was not selected
Probably because he doesn't own the infrastructure. The problem is that in the US we heavily subsidized the industry, but didn't require them to really do anything to deserve the money. We didn't require neutrality, we didn't require them to keep building out broad band, or enhance the speeds in urban areas either.
Considering that ultimately they're using public resources to provide a service, I do think they owe us at least something in exchange for making profits using our right of way or airwaves.
Most P2P protocols have at least some trouble working with local NAT. If it was implemented on a large scale there might be a few more problems, and it certainly gives ISP's (the ones running the NAT) more control over the traffic they route. I wonder how quickly the RIAA and friends will pick up on that and start pushing for NAT instead of IPv6...
Large scale or ISP wide NAT is part of the solution. It will not "save" IPv4, whatever that means. It will make it possible to transition to IPv6 and still access all the old sites, that have not yet made the transition.
It is not really important that slashdot.org is still IPv4 only. You can access it just fine. And slashdot.org has no need to access you.
You use IPv6 in all the cases where you wanted that nice static IPv4 address before: When running peer to peer software. Setting up your small hobby server. Using direct peer to peer VoIP. And so on.
All the consumer ISPs will transition soon enough during the next few years. We will fairly quickly be able to assume consumers will in fact be able to access IPv6 only sites. For the next 10 years you can also assume consumers will be able to access IPv4 only sites - is anyone really surprised by that?
If all your gaming friends got IPv6, playing on your private IPv6 only game server - what do you care that some backwards dialup only ISP, in a country you never heard of, still is IPv4 only?
There are only 65536 port numbers, so there is only so thin that you can spread a single IP address. Remember that some clients open many ports. There are also questions of reuse; you can't simply cram the 65536 space close to full. When a TCP connection terminates, you don't want to start reusing the port number right away. It's tricky.
People are not going to be happy to be NAT ed. Will large scale NAT also come with large scale port forwarding? Large scale UPnP? What do you do about port number abuses?
Dynamic DNS goes out the window. People can't have a quasi static IP any more with their own port 80, port 22, port 25 mail server or whatever.
If I were to be NATed, I would not want to pay more than 5 dollars a month for such a crippled connection, regardless of bandwidth. So you will automatically have to sell the service to ten subscribers like me instead of just one to make the same revenue.
As long as I can get non-NAT-ted service somewhere, than that is where I will be.
NAT == CRIPPLED_INTERNET. Impose that next door. Next city. Next country. NIMBY: not in my backyard.
And remember that if EVERYONE is NATted, then nobody can talk to anyone. Because you have to connect somewhere to use the Internet. That means resolving DNS to some IP address.
To reach a DNS server you need an IP address. So the DNS server can't be NATed. That DNS server has to hand you the IP address of a host such as a web server. Are all web servers going to be NAT ed? That means they can't be all on port 80 any more. You are looking at redirects! There will have to be a port 80 service sitting on those NAT nodes, which will intercept web traffic, parse the HTTP request and forward to the appropriate node behind the NAT.
Or else DNS will have to be re-architected so that it returns not only IP's but port numbers, so when you go to www.somewhere.com, it resolves to x.y.z.w:n, and the host x.y.z.w has port n forwarded to the right server.
Good grief, and good luck with that.
Because there will literally be mountains of eWaste and headaches galore? How many of the home routers sold in the past 5 years even support IPv6? I don't think any of the consumer grade stuff does. That means we will have to replace just about every router in every home or have some sort of IPv6 to IPv4 bridge built into every modem in the country, again not cheap.
Whether we like it or not, there is a reason why IPv4 has lasted so long. It is a mature tech that everyone knows how to fix. IPv6 is gonna be a nightmare for probably 5 or 6 years and it really ain't gonna be fun trying to fix the mess. So yeah, I can see them stretching out IPv4 for as long as humanly possible, simply because the transition costs are gonna be insane.
ACs don't waste your time replying, your posts are never seen by me.
So, if money talks, and bullshit walks, then what the fuck are you still doing here?
It isn't his responsibility, this is basically the same problem we've seen in the wireless space, the people who actually control access don't bother to upgrade until the last minute, if even then, and without somewhere else to take your business, it's not a realistic option. I've heard that Comcast has IPv6 around here, but going back to them is a non-starter. They're far worse than the other options.
Unless the end user can do to their CO and upgrade the equipment it's a moot point.
The other side of big NATs is that they could make IPv6 unnecessary. With big NATs everybody could have private IPv4 space with the public IPv4 space being used to connect the private spaces.
Protocols that don't like NATs are protocols that violate the principle of independence of protocol layers. Things like SIP and FTP are hard to NAT because they carry lower level addresses. Nobody cares about FTP any more but SIP is a security and implementation nightmare that is going to need to be re-designed from scratch anyway.
The net is moving towards a world in which users see the net not as a means to transport packets end-to-end but rather as a platform to support various applications. That means that what is becoming important are application level gateways to bridge application services rather than a seamless IP address space.
Hah. The only way this will work is if they make an extremely good IPv4/IPv6 NAT gateway. Except, if they make one that does a good job such that people are going IPv4->IPv6->IPv4 and everything basically works, then people will wonder why they don't just do an extremely good IPv4 NAT solution and go IPv4->IPv4 and drop the entire IPv6 part.
Add to this how many more NAT workarounds we will need to have in software. We already have to deal with NAT busting solutions, now we will have to deal with double NAT busting solutions. Believe me, NAT was a workaround to a limitation and we shouldn't be using this workaround at any more levels than necessary.
There is only so much duct tape you can use before it is time to just accept you will have to install the new solution.
If IPv6 appears so hard, its because people keep on waiting for someone else to take the plunge. If you are an IT professional, then is should be your business to understand and embrace IPv6, whether that is in your network or in your software. If your issue is with your router not supporting IPv6, then make some noise to your router's manufacturer, install a third-party firmware or go with a company already offering an IPv6 capable router.
Jumpstart the tartan drive.
p2. The transition to IPv6 is probably going to need some NAT64 and DNS64 magick at some point. Not everybody is going to be well-served by running dual-stack hosts and networks. I've heard that some mobile broadband providers are looking at various kinds of NAT tricks to keep IPv4 marginally functional for legacy applications on IPv6-only networks without resorting to expensive tunnel encapsulation mechanisms.
Have you actually done a count of the number of addressable devices IPv6 provides. There may well be a time when IPv6 needs to be NATed, but that is well into the future when systems will be ready for a 256bit network address. At this point IPv6 provides just what we need for the next century, and possibly more. Trying to get any more mileage out of IPv4 is like taking a dying horse and expecting it to walk 1000 miles. It may make it, but there are good chances it won't.
If companies are having to deal with legacy applications, then there is nothing stopping them from having IPv4 in the internal network and having an IPv6 proxy or bridge in front of it. For everything else it will be IPv6. If companies are making new software today that is not IPv6 capable, that intended to accessible on the internet, then they deserve to be out of business tomorrow.
Jumpstart the tartan drive.
http://www.ipv6porn.co.nz/ is giving away free porn to anybody who can access it with an ipv6 address
You know there's probably a reason we haven't heard anything from them. :)
This would be great for pirates, who the hell would the MPAA and RIAA sue if everybody in one region shared a single IP#?
Because there will literally be mountains of eWaste and headaches galore? How many of the home routers sold in the past 5 years even support IPv6? I don't think any of the consumer grade stuff does. That means we will have to replace just about every router in every home or have some sort of IPv6 to IPv4 bridge built into every modem in the country, again not cheap.
Whether we like it or not, there is a reason why IPv4 has lasted so long. It is a mature tech that everyone knows how to fix. IPv6 is gonna be a nightmare for probably 5 or 6 years and it really ain't gonna be fun trying to fix the mess. So yeah, I can see them stretching out IPv4 for as long as humanly possible, simply because the transition costs are gonna be insane.
You can't get better evidence of the incompetence of government than this. There's a dwindling resource that will run out in just a couple of years, impacts practically every person in every OECD country, yet have you heard of even one government agency, in any country, that is mandating IPv6 for consumer grade gear to force the vendors to solve the problem before it becomes critical? Of course not! That would require foresight and competence. About the only IPv6 push I'm hearing is that for government tenders in the US, IPv6 support is required, but that does nothing to solve the problem of hundreds of millions of home routers that are IPv4 only.
No government on Earth has even bothered to lift a finger to solve a well known, easily predicted problem with a ready and tested solution that would cost the government no money whatsoever (it's just legislation!). Given that, now picture the level of competence you'd get from the same bunch of idiots when tasked with solving much bigger issues like global warming, peak oil, or overpopulation. Issues like that won't be critical for decades, have no obvious solution, and all possible solutions are expected to cost trillions. I can only imagine the level of incompetence that will no doubt ensue...
slashdot.org has no need to access you.
As far as I know, Slashdot does a short port scan on your IPv4 address when you preview or post a comment in order to make sure that your machine isn't an open proxy that might be abused for vandalism. That's why your first preview of the day from a given machine is so slow: it has to wait for the connections to time out.
You use IPv6 in all the cases where you wanted that nice static IPv4 address before: When running peer to peer software. Setting up your small hobby server.
In other words, things that cable and phone companies don't really want customers on the residential plan doing in the first place, as explained in the terms of service.
If all your gaming friends got IPv6, playing on your private IPv6 only game server
By the time that happens in several years, you may have grown out of online gaming. Which of the current video game consoles supports IPv6?
Why should I have to pay *EXTRA* for the full internet, and competent support?
Because the majority of people don't see the point of paying for the full Internet, and what little competition there is between cable and DSL forces the two to cut their rates to the point where they have to offer a half-Internet package.
Okay, let's assume that IPv4 no longer exists...
1. Is Comcast going to give me unlimited IPv6 addresses? How will that work through my router? Do I now need to announce every device to Comcast? I REALLY like the fact that I get a single IP address, and I can port forward and use NAT as I like.
2. NAT makes for a pretty good firewall. I have Linux and Mac machines, and consumer devices, behind my current NAT router. With NAT and SPI, I have it pretty good. I really only ever use an outbound firewall to detect phone-home stuff and malware (and with Linux and Mac, surprise, surprise, there's not a lot of the latter).
Hey, I understand the need for IPv6. I guess I just don't want to lose what NAT offers.
--Jim (me)
The way CGN works is to spread multiple users across the same IP address. So forget about dyndns. Also forget about google maps, because it runs through ports like water, and TCP requires a 90-second timeout before releasing a port. Basically, CGN is a hack to cushion the blow, but it doesn't eliminate the need to switch to IPv6. You will like CGN a lot less than you like your present NAT.
A much better choice would be to go to NAT64. That way you get end-to-end connectivity for the hosts that do IPv6 (e.g., Google Maps can do IPv6 at this point) and use IPv4 ports for the hosts that haven't converted yet. Less demand on the scarce IPv4 ports means better performance for the cases where they are needed. And you get end-to-end when you really care about it--e.g., when Skyping your pal who also has NAT64.
ISPs are licking their chops for this. They want to roll out NAT for all default consumer grade ISP connections. It solves problems with scarcity, they profit from scarcity (want public IP? You pay extra for it), and it will jack with routing of P2P data and thus cut down on the leeches. It's a WIN-WIN-WIN for the Telco and cable companies.
If you guys think IP6 will be adopted, just wait till they find huge money in artificial scarcity of IP4 blocks. There will be no where to run and escape it! Unless you pay that premium...
Life is not for the lazy.
I am working on an IPv6 migration project for our group. Our solution will include:
IPv6 to IPv4 proxy servers to a Private internal IPv4 address space
Some native IPv6 support where it is easy
White listing of some IPv4 services where the above two solutions do not work
I suspect our solution is fairly typical for most Internet portals considering IPv6.
Two big issues with Carrier Grade NAT (CGN) or Large Scale NAT (LSN) that will have to be resolved are geolocation and denial of service protection.
Geo-location is the mapping of a browser's IP address to a physical location. Most of the large portals are fairly accurate about this. Although I move around from Hayward to Pleasanton and sometimes they get it right with Palo Alto. The problem with CGN is that many browsers for many different users will be NATed behind a single IP address. So if you are on the left coast you might be mapped to the Silicon Valley, if you are on the right coast it might be DC or New York, and people in the middle might be Omaha, Nebraska. As long as the ISPs hide big regions behind a single set of IP addresses, geolocation is going to have problems.
HTML 5 has a separate geolocation protocol built in, but that is going to have to wait for browser upgrades. A logical solution might be to have the ISPs map their old POPs to a single fixed IPv6 address so all traffic from Palo Alto has one IPv6 address and all the traffic from Redwood City has another IPv6 address. But this is entirely to logical and would require effort on the part of the ISPs
The other big problem is Denial Of Service protection. My company has tools to block traffic from IP addresses that are determined to be abusers of the site: to many account creation requests, to many emails sent, to many login failures, etc. With CGN this becomes a real problem. First how do you determine how many is to many. With thousands of hosts NATed behind a single address a thousand emails an hour is entirely reasonable and ten thousand an hour is not outrageous. The other problem is that when you block the IP address you block all of the customers, not just the one causing the problem. A logical solution for this would be to give each customer their own IPv6 address that they are NATed behind. This could also work well with geolocation. But again it entirely to logical and it requires work on the part of the ISPs. Without the unique per browser IP addresses DOS protection becomes a really hard problem.
RLH
"IPv6, too much, too soon" -- Someone
Practically all of them can support IPv6 with a simple firmware update, but I'm betting the vendors would rather sell you a new router than provide that update.
If you have the skills to set up IPv6 just for kicks I seriously doubt you are dealing with what we out here in the field run into in most folk's homes, which is CCC, or "Cheap Chinese Crap". Trendnet/Zonenet, linksys, hell pick any under $50 router and see how many updates are sitting there for it on its home page. my guess it'll be like the Trendnet that is looking at me right now, which is zip. And unless things have changed in the less than 6 months I looked at routers there were exactly squat when it came to home combo wireless/wired routers under $50 that supported IPv6. None. you are not gonna get a home user to shell out $100+ for a router when their neighbor got a Trendnet for $20.
So trust me pal, they'll be eWaste all right, fricking endless traincars full of the crap. And where are all the IPv6 experts gonna come from? I don't see too many around here in NW AR, and traveling the south mostly what you find is good old boys running the networks that know IPv4 tools like the back of their hands and probably still got Win2K boxes running at home.That is a hell of a lot of flyover states that are gonna be seriously short of manpower when that switch gets flipped, a hell of a lot of problems that would take a couple of hours on IPv4 turning into weeks, it'll be a mess friend. Thanks to all the offshoring young folks just don't go IT hardly anymore, and it isn't like they can ship all those fixit jobs to India. Hell I'll admit I'm guilty of it myself, as I have been putting in 9 hour plus days and simply haven't had the time to learn IPv6, as there is nobody here actually using the stuff which makes learning it all that more difficult.
So if you are in NYC, LA, Miami, Dallas? Yeah it probably won't be that bad. The flyover states? Gonna be a fucking mess man, as someone who lives there I know of which I speak dude, i know of which I speak.
ACs don't waste your time replying, your posts are never seen by me.
Absolutely. I don't understand why do dual-stack and NAT44 instead of giving customers IPv6 and NAT64.
I assume this is because the problem isn't just all those web servers on IPv4 addresses, but a significant number of end user applications that are not IPv6 aware. Unfortunately, if we allow them to avoid upgrading with NAT44 then we can confidently predict that apps won't get updated and you'll never be able to switch it off. It's human nature not to fix the problem until forced to.