On Wed, Jun 06, 2007 at 08:49:21PM -0700, Roger Marquis wrote:
Problem is that NAT will not go away or even become less common in IPv6 networks for a number of reasons.
#1 NAT advantage: it protects consumers from vendor lock-in.
Consider the advantage of globally unique public addressing to ISPs and telcos. Without NAT they have a very effective vendor lock-in. Want to change ISPs? It's only as easy as reconfiguring every device and/or DHCP server on your internal network. With NAT you only need to reconfigure a single device, sometimes not even that.
Isn't this the problem that router advertisements are meant to solve? Do you have operational experience which suggests that they aren't a sufficient solution?
#2 NAT advantage: it protects consumers from add-on fees for addresses space.
Given the 100 to 10,000% mark-ups many telcos and ISPs already charge for more than a /29 it should come as no surprise they would be opposed to NAT.
I was under the impression that each end-user of an IPv6 ISP got a /64 assigned to them when they connected.
#3 NAT advantage: it prevents upstreams from limiting consumers' internal address space.
Even after full implementation of IPv6 the trend of technology will continue to require more address space. Businesses will continue to grow and households will continue to acquire new IP-enabled devices. Without NAT consumers will be forced to request new netblocks from their upstream, often resulting in non-contiguous networks. Not surprisingly, often incurring additional fees as well.
By my calculations, the /64 of address space given to each connection will provide about 18446744073709551616 addresses. Is that an insufficient quantity for the average user of an ISP?
#4 NAT advantage: it requires new protocols to adhere to the ISO seven layer model.
H.323, SIP and other badly designed protocols imbed the local address in the data portion of IP packets. This trend is somewhat discouraged by the layer-isolation requirements of NAT.
NAT doesn't seem to have stopped the designers of these protocols from actually deploying their designs, though.
#5 NAT advantage: it does not require replacement security measures to protect against netscans, portscans, broadcasts (particularly microsoft's netbios), and other malicious inbound traffic.
The vendors of non-NAT devices would love to have you believe that their stateful inspection and filtering is a good substitute for the inspection and filtering required by NAT devices. Problem is the non-NAT devices all cost more, many are less secure in their default configurations, and the larger rulesets they are almost always configured with are less security than the equivalent NAT device.
Haven't we already had this thread killed by the mailing list team today? - Matt -- If only more employers realized that people join companies, but leave bosses. A boss should be an insulator, not a conductor or an amplifier. -- Geoff Kinnel, in the Monastery