From: Ray Soucy Sent: Thursday, October 21, 2010 5:49 AM To: Owen DeLong Cc: NANOG list Subject: Re: IPv6 fc00::/7 - Unique local addresses
See... You're falling into the same elitist mindset that I was trapped in a year ago.
Perception is a powerful thing. And Joe IT guy at Mom and Pop dot com (whose network experience involves setting up a Linksys at home) loves his magical NAT box firewall appliance. Over the last year I've been trying to fight the NAT war and have gotten pretty beat down. It doesn't matter if *we* know NAT is wrong, undesirable, and breaks the Internet... we all live in the large scale, multi-homed, BGP, mega Internet land.
And BetaMAX was a much better format than VHS, too, from a technical standpoint. It doesn't matter which is "better", it matters what people want. Telling people they can't have what they want leads to someone somewhere providing them with what they want and making a fortune on it.
Start working with smaller shops, and you'll find the typical setup is a bunch of switches and a "VPN Firewall" picked up from Best Buy, or maybe a Sonicwall or something. These guys couldn't manage public IPv4 let alone public IPv6, because the term "private" gives them that warm and fuzzy false sense of security and lets them change their ISP without reconfiguring a single thing (they often wouldn't know where to start anyway).
I am not sure there really is such a thing as a "secure" network. If you can somehow get a host inside a network to send the first packet to you, you are in. Yeah, all those filters and NATs prevent you from being able to send the first packet, but as long as people are dragging in laptops, thumb drives, opening email attachments, and browsing the web, there is no such thing as a "secure" network if it has internet access. Even the deepest packet inspection won't make you secure if the traffic going back and forth abides by the protocol rules. Is that really a file upload and download going on, or is it a bi-directional tunnel disguised as file transfers that never end, and is someone now doing a complete scan of your network from one of your employee's workstations? Having a lock on the door is fine, but for a door to be useful, you must be able to open it from the inside. And when you take a delivery, are you sure what is in that box is what is really on the packing slip? And if you take it out of the box and look at it, is it still *really* what it says on the packing slip? Sort of like a birthday cake arriving at a prison.
They *will* fight you, and tell you to your face that if you want to take NAT away from them it will be from their cold dead hands.
And it isn't NAT in and of itself that is attractive. Those people aren't talking about static NAT where you are just translating the network prefix. They are talking dynamic port-based PAT, so that the translation doesn't exist until the first packet goes in the outbound direction. Like it or not, that DOES provide some barrier to entry for someone outside wishing to initiate a connection from the outside. You cannot predict in advance what outside address/port will be associated with which inside address/port, or if any such association even exists, and a lot of people have already made up their minds that the breakage that causes for various things is offset by the perceived benefit of that barrier and worth the price of dealing with that breakage.
Why? Because we've had 10 years of "consultants" selling NAT as the best thing for security since sliced bread.
Maybe we could get them to do it the right way if they had some sort of IPv6 appliance that dumbed things down, but it simply doesn't exist yet. When it is created, it will be created by the people with the NAT mindset wishing to maintain the status quo.
At least that's my prediction...
I tend to agree with that. Not saying that I think that is the best way to go, mind you, just saying that I can see such a thing happening and all the jumping up and down on NANOG isn't going to change that because it is the end user that decides in the end what gets built and what doesn't. So either put into the protocol a specific prohibition of NAT, engineer the protocol so NAT can't possibly work, or get ready to accept that you are going to be dealing with it.
We need to keep in mind that most on this list are likely at a completely different level than anything you'd find in the SMB community.
I have tried making that point privately to many individuals but it doesn't seem to click and is taken as if I am "defending" or somehow rationalizing that "dumbed down" behavior when I am simply acknowledging the existence of it. Sort of like when your daughter starts dating that ne'er-do-well up the street. Sometimes it just is what it is and you can point out the potential problems until the cows come home but it isn't really going to matter. There are billions more of "them" than there are of "us" to put it in tribal terms. In fact, I will say that the lack of such NAT features is exactly WHY IPv6 hasn't caught on in many networks. They can't afford to hire "networking" people; they hire "IT" people who are tasked with anything related to technology and usually completely understaffed. Thus they want the quick, painless, easy solution.
If it doesn't have a GUI checkbox, it doesn't exist. So they configure a NAT pool, and maybe put a packet filter on the router ahead of it and they are "done" as far as they are concerned. Changing providers means touching the network in two places.
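The thread above argues two things about dynamic port-based PAT: that a mapping only exists once an inside host has sent the first outbound packet (so an outsider cannot guess which public port leads where), and that this "barrier" evaporates the moment something inside dials out to the attacker. The following is an added illustration, not code from the thread or from any vendor's NAT box: a toy translation table written for this page. It models the restrictive (endpoint-dependent) variant most consumer firewalls ship; a full-cone NAT would admit any remote host once a port is mapped. The class and function names, the documentation addresses (192.0.2.1, 198.51.100.20, 203.0.113.9) and the traffic in `scenario()` are all constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatBox:
    """Toy dynamic port-based PAT (hypothetical model, not a real NAT implementation).

    Mappings are created only by outbound traffic.  An inbound packet is
    delivered only if (public_port, remote_ip, remote_port) matches an entry
    created by an earlier outbound packet; everything else is dropped.  This
    is the endpoint-dependent behaviour of a typical SMB firewall/NAT box.
    """

    def __init__(self, public_ip, port_range=(1024, 65535), seed=None):
        self.public_ip = public_ip
        self._lo, self._hi = port_range
        self._rng = random.Random(seed)   # random port choice: outsiders cannot predict it
        self._outbound = {}  # (in_ip, in_port, dst_ip, dst_port) -> public_port
        self._inbound = {}   # (public_port, remote_ip, remote_port) -> (in_ip, in_port)
        self._used = set()

    def _alloc_port(self):
        while True:
            port = self._rng.randint(self._lo, self._hi)
            if port not in self._used:
                self._used.add(port)
                return port

    def outbound(self, pkt):
        """Translate an inside->outside packet, creating the mapping on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub = self._outbound.get(key)
        if pub is None:
            pub = self._alloc_port()
            self._outbound[key] = pub
            self._inbound[(pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an outside->inside packet; returns None when it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def scenario(seed=1):
    """Constructed traffic exercising the cases discussed in the thread."""
    nat = PatBox("192.0.2.1", seed=seed)
    inside, web, attacker = "192.168.1.10", "198.51.100.20", "203.0.113.9"
    r = {}

    # 1. Unsolicited inbound (a scan of RDP): no mapping exists, so it is dropped.
    r["unsolicited_scan"] = nat.inbound(Packet(attacker, 40000, "192.0.2.1", 3389))

    # 2. Inside host opens an HTTPS connection; the reply comes back to it.
    out = nat.outbound(Packet(inside, 51000, web, 443))
    r["mapped_port"] = out.src_port
    r["reply"] = nat.inbound(Packet(web, 443, "192.0.2.1", out.src_port))

    # 3. A different remote host aiming at that same public port is dropped.
    r["hijack_attempt"] = nat.inbound(Packet(attacker, 443, "192.0.2.1", out.src_port))

    # 4. Something inside (a dropper, a phished user) dials the attacker first:
    #    the mapping now exists and the attacker's traffic is delivered inside.
    out2 = nat.outbound(Packet(inside, 51001, attacker, 443))
    r["reverse_tunnel"] = nat.inbound(Packet(attacker, 443, "192.0.2.1", out2.src_port))

    # 5. Repeated packets of the same flow reuse the mapping rather than burning a new port.
    r["mapping_stable"] = nat.outbound(Packet(inside, 51000, web, 443)).src_port == out.src_port
    return r


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Case 4 is the point made earlier in the thread about the first packet: the "barrier" is purely a property of who speaks first, and it does nothing for a host that has already been talked into opening the door from the inside. Real boxes also expire mappings on a timer and differ in how strictly they filter remote endpoints, neither of which this model attempts.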