Can Large Scale NAT Save IPv4? 583

Julie188 writes "The sales pitch was that IPv6, with its zillions of new IP addresses, would eliminate the need for network address translation altogether. But Jeff Doyle, one of the guys who literally wrote the book on IPv6, suggests that not only will NAT be needed, but it will be needed to save IPv4 at the tipping point of IPv6 adoption. 'I've written previously that as we make the slow — and long overdue — transition from IPv4 to IPv6, we will soon be stuck with an awkward interim period in which the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Large Scale NAT (LSN, also known as Carrier Grade NAT or CGN) is an essential tool for stretching a service provider's public IPv4 address space during this transitional period.'"
This discussion has been archived. No new comments can be posted.
  • Useless investment (Score:5, Informative)

    by JonySuede ( 1908576 ) on Tuesday October 05, 2010 @08:28PM (#33802210) Journal
    At work we use NAT behind a whole public class B and it works great. But as a customer I would not put up with it. I want to act as a server, not only a dumb host. So please stop the carrier-grade NATing madness.
  • Re:NOOOOOOO (Score:5, Informative)

    by bbn ( 172659 ) <baldur.norddahl@gmail.com> on Tuesday October 05, 2010 @08:49PM (#33802410)

    Except for all the people still on XP, which has no native IPv6 support...

    Has too. You just need to enable it: http://ipv6int.net/systems/windows_xp-ipv6.html [ipv6int.net]

  • Re:NOOOOOOO (Score:5, Informative)

    by RobertLTux ( 260313 ) <robert AT laurencemartin DOT org> on Tuesday October 05, 2010 @08:55PM (#33802472)

    Err, Windows XP does have IPv6 support but it's not installed by default (in fact it has had it since XP SP2).
    Now it may not have all the bells and whistles of, say, Vista's support (if anything can be supported by Vista) but you should at least be able to get an IP and get online.

  • Re:Fuck you. (Score:1, Informative)

    by Anonymous Coward on Tuesday October 05, 2010 @09:18PM (#33802682)

    You are talking to Michael David Kristopiet. The one slashdotter too stupid for even slashdot.

    Don't waste your breath on this crazy but ultimately pathetic and worthless fucker.

  • by DeadBeef ( 15 ) on Tuesday October 05, 2010 @09:31PM (#33802808) Homepage

    I don't know where you have been getting your predictions. It is pretty certain that IANA is going to run out of space [potaroo.net] about the middle of next year.

    We have 14 /8's left in the IANA free pool, we use up almost 2 /8's every month.

    Are you betting on the ipv4 space usage magically decreasing ( right when everyone will start freaking out about getting their last allocations )?

  • Re:NOOOOOOO (Score:4, Informative)

    by Drishmung ( 458368 ) on Tuesday October 05, 2010 @09:36PM (#33802864)
    Win/XP has fine IPv6 support except that it can only query DNS over IPv4 transport. That is, you can't run a pure IPv6 + Windows XP environment.
  • Re:NAT is good (Score:2, Informative)

    by dave3499 ( 59895 ) on Tuesday October 05, 2010 @10:14PM (#33803172)

    Your ISP could still issue you a router with a firewall that's locked down pretty tight by default. Just because you have a globally routable IPv6 address doesn't mean your router has to let every packet through. What exactly are you worried about losing?

  • Re:NAT is good (Score:4, Informative)

    by am 2k ( 217885 ) on Tuesday October 05, 2010 @10:21PM (#33803230) Homepage

    1. Is Comcast going to give me unlimited IPv6 addresses? How will that work through my router? Do I now need to announce every device to Comcast?

    You get a subnet, and your router routes the whole subnet. Just like with IPv4, coincidentally.

    NAT makes for a pretty good firewall. I have Linux and Mac machines, and consumer devices, behind my current NAT router. With NAT and SPI, I have it pretty good.

    As opposed to having a firewall, instead of having a firewall?

    Hey, I understand the need for IPv6. I guess I just don't want to lose what NAT offers.

    Like what? Nothing you stated had anything to do with NAT as such.

  • Re:NOOOOOOO (Score:3, Informative)

    by smash ( 1351 ) on Tuesday October 05, 2010 @10:25PM (#33803244) Homepage Journal

    Mod parent up. If you've had to deal with any sort of reasonably large-sized network and NAT, everything he mentions above is a huge pain in the ass. Relying on NAT as a "firewall" is brain damaged anyway, and those who think NAT needs no processing ability compared to a proper firewall are deluded. Every single packet needs to be looked up against the NAT state table, so even though you don't have any real firewall rules, processing is still going on.

    The "protection" that NAT provides can be replaced with a real firewall simply blocking incoming connections and maintaining state on outgoing connections - without breaking NAT incompatible protocols to boot.

    I can't wait for the IPv6 migration to hit en masse. Those with a clue will be in huge demand.

  • Re:NOOOOOOO (Score:5, Informative)

    by nacturation ( 646836 ) * <nacturation AT gmail DOT com> on Tuesday October 05, 2010 @10:43PM (#33803364) Journal

    Support for XP has stopped, it's an old OS.

    Windows XP is supported until 2014 [microsoft.com] if you keep up with service packs.

  • by CronoCloud ( 590650 ) <cronocloudauron.gmail@com> on Tuesday October 05, 2010 @11:01PM (#33803514)

    Most US ISPs have a "No running servers" clause in their residential service ToS.

  • Re:NOOOOOOO (Score:1, Informative)

    by Anonymous Coward on Tuesday October 05, 2010 @11:03PM (#33803524)

    http://www.sixxs.net/ [sixxs.net] or https://www.sixxs.net/ [sixxs.net]
    Beware: their SSL cert is from an unlisted provider, so maybe just stick with the HTTP version.

  • Re:NOOOOOOO (Score:3, Informative)

    by Limerent Oil ( 1091455 ) on Wednesday October 06, 2010 @12:19AM (#33804234)

    Currently, the internal IPs of my computers do not depend on which ISP I am connected to.

    Actually IPv6 interfaces can, nay MUST, allow multiple address assignments. So in an all-IPv6 world, each of your computers will have an ISP-dependent (publicly routable) address, as you say. But, they will each ALSO have a locally assigned, non-routable ("site-local") address that you can use as an unchanging address on your LAN.

    Plus, with IPv6 router solicitation/advertisement and/or DHCPv6, even the case of updating machines with new ISP-dependent addresses is not the onerous task you make it out to be.

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Wednesday October 06, 2010 @12:56AM (#33804486)
    Comment removed based on user account deletion
  • by Anonymous Coward on Wednesday October 06, 2010 @01:43AM (#33804740)

    There are only 65536 port numbers, so there is only so thin that you can spread a single IP address. Remember that some clients open many ports. There are also questions of reuse; you can't simply cram the 65536 space close to full. When a TCP connection terminates, you don't want to start reusing the port number right away. It's tricky.

    It's fine not to like NAT if that's your thing, but let's not spread misinformation about TCP.

    TCP connections are identified by a source_ip:source_port::dest_ip:dest_port quad. This means you can use the same IP:port pair on the NAT end many times for different connections with different IP:port pairs on the other end.

    So it's not as dire as you paint it -- a single IP can participate not in 65536 (2^16) connections, but in 2^16 * 2^32 * 2^16 = 2^64 =~ 10^19 different TCP connections (in theory) in IPv4. In practice, not all IPs and ports are used, but unless all the clients behind that NAT are connecting to the same IP:port pair on the other side, the limit is going to be your NAT device's connection table, not TCP ports, because the device is unlikely to have the exabytes of RAM needed to track all those possible connections.

    Also, the most commonly-used protocol of residential clients is going to be HTTP, and browsers are usually not going to open up more than a couple of connections to port 80 on a given IP, thanks to RFC2616, so you can still fit a lot of customers behind a single NAT IP even though half of them are connected to google.com at any moment. Other protocols, like BitTorrent, may use lots of connections, but by their nature tend to spread those out among a lot of IPs and ports.
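The 4-tuple argument in the comment above is easiest to see with a state table in front of you. The following is an added example, not code from the thread or from any CGN vendor: a toy port-translating NAT (NAPT) whose mappings are keyed on the remote endpoint as well as the external port, so one external IP:port serves many inside hosts as long as they talk to different destinations. It also models the two limits the comment names: the state-table size and the hold-down on a closed mapping before its port is reused. All addresses (RFC 5737 documentation ranges), the tiny port pool and the timings are constructed sample values.

```python
"""Added example (not from the thread): a minimal carrier-grade NAPT state
table keyed on the full (inside ip, inside port, dst ip, dst port) tuple."""
from dataclasses import dataclass, field


class PortExhausted(Exception):
    """No external port is free towards this remote endpoint right now."""


@dataclass
class NaptTable:
    external_ip: str              # the one public IPv4 shared by all inside hosts
    port_lo: int = 1024           # external port pool, inclusive bounds
    port_hi: int = 65535
    hold_down: float = 120.0      # seconds a closed mapping stays reserved (TIME_WAIT-like)
    max_entries: int = 1_000_000  # state-table capacity: a RAM limit, not a TCP limit
    # (inside_ip, inside_port, dst_ip, dst_port) -> external_port
    _out: dict = field(default_factory=dict)
    # (external_port, dst_ip, dst_port) -> (inside_ip, inside_port)
    _in: dict = field(default_factory=dict)
    # (external_port, dst_ip, dst_port) -> time at which the slot may be reused
    _cooldown: dict = field(default_factory=dict)

    def _slot_free(self, port, dst_ip, dst_port, now):
        slot = (port, dst_ip, dst_port)
        if slot in self._in:
            return False
        return self._cooldown.get(slot, 0.0) <= now

    def translate_out(self, src_ip, src_port, dst_ip, dst_port, now=0.0):
        """Map an outbound SYN to (external_ip, external_port), creating state."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self._out:                      # existing flow: reuse its mapping
            return self.external_ip, self._out[key]
        if len(self._out) >= self.max_entries:
            raise PortExhausted("state table full")
        # Try to preserve the inside port number first, then scan the pool.
        # Slots are keyed on the remote endpoint too, so the same external
        # port can serve several inside hosts talking to different destinations.
        candidates = [src_port] if self.port_lo <= src_port <= self.port_hi else []
        candidates += range(self.port_lo, self.port_hi + 1)
        for port in candidates:
            if self._slot_free(port, dst_ip, dst_port, now):
                self._out[key] = port
                self._in[(port, dst_ip, dst_port)] = (src_ip, src_port)
                return self.external_ip, port
        raise PortExhausted(f"no free external port towards {dst_ip}:{dst_port}")

    def translate_in(self, ext_port, remote_ip, remote_port):
        """Map an inbound segment back to the inside host; None means no state,
        so the segment is dropped. That drop is plain stateful filtering, which a
        stateful firewall does equally well without rewriting addresses."""
        return self._in.get((ext_port, remote_ip, remote_port))

    def close(self, src_ip, src_port, dst_ip, dst_port, now=0.0):
        """Tear down a flow (FIN/RST seen) and reserve its slot for hold_down
        seconds so a late segment cannot land on a different inside host."""
        key = (src_ip, src_port, dst_ip, dst_port)
        port = self._out.pop(key, None)
        if port is None:
            return False
        slot = (port, dst_ip, dst_port)
        del self._in[slot]
        self._cooldown[slot] = now + self.hold_down
        return True

    def __len__(self):
        return len(self._out)


def max_subscribers(ports_per_subscriber, port_lo=1024, port_hi=65535):
    """Sizing for deterministic port-block CGN, where each subscriber gets a
    fixed block of external ports (keeps per-subscriber logging tractable)."""
    return (port_hi - port_lo + 1) // ports_per_subscriber


if __name__ == "__main__":
    nat = NaptTable("203.0.113.1", port_lo=40000, port_hi=40003)  # tiny pool on purpose
    print(nat.translate_out("10.0.0.1", 5000, "192.0.2.10", 80))     # external port 40000
    print(nat.translate_out("10.0.0.2", 5000, "192.0.2.10", 80))     # 40001: same destination
    print(nat.translate_out("10.0.0.3", 5000, "198.51.100.7", 443))  # 40000 again: other destination
    print(nat.translate_in(40000, "192.0.2.10", 80))                 # ('10.0.0.1', 5000)
    print(nat.translate_in(40002, "192.0.2.10", 80))                 # None: unsolicited, dropped
    print(max_subscribers(1024))                                     # 63 subscribers per public IP
```

With the four-port pool the exhaustion case is visible immediately: the fifth inside host heading for the same destination gets no mapping until an earlier flow closes and its hold-down expires, while hosts heading elsewhere are unaffected. The `max_subscribers` helper is the arithmetic an operator actually does when it assigns fixed port blocks instead of sharing the whole pool dynamically.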

  • Re:NOOOOOOO (Score:1, Informative)

    by migglelon ( 1692138 ) on Wednesday October 06, 2010 @03:56AM (#33805344)

    Be careful what you wish for - IPv6 is so full of flaws that until IPv4 completely runs out and it gets rammed down our throats, no enterprise will adopt this. Where do I even start?

    OK, case in point. The people who designed IPv6 think NAT is not necessary because there's enough addresses for everybody. That's the dumbest thing I've ever heard. They're missing the point! Does anyone NOT think about the routing tables?

    Right now IPv4 over the Internet is barely manageable and only because people NAT. In fact, you cannot have networks more specific than a /24 because many ISPs will filter you out because it would be just too many routes to deal with. Most companies that connect to the Internet have one network (or a small handful of networks) and thankfully present only those few networks to the Internet. Now let's say you take NAT out of the equation. You mean to say you want the **INTERNAL routing table of every company everywhere** in every Internet router?? That's madness! Do people think routers just have terabytes of memory, and that routing protocol convergence times are negligible?

    And before you try to suggest summarization as a solution, no, you cannot just summarize in IPv6 and call that a simple answer. That leaves no room for mobility. So one specific host leaves the summary route and goes to a different location, how are you going to inject that /128 route into the Internet routing tables? You can't, nobody would be able to handle your /128 (host) route and know how to return traffic to you. NAT is clearly the only way to allow access for mobile devices to change locations and still get to the Internet.

    Here's a more specific example. You have an IP address at home. You IPSec VPN to work. They turn off split tunneling for security reasons, which of course means all traffic has to go over the VPN tunnel. However they allow you to go to the Internet through this VPN tunnel. So now you pass traffic to the VPN concentrator, and try to get to the Internet. But now you have a problem, without NAT. Your home computer's IP now has to appear as if it's coming from your company? So you have to inject a host route to the Internet, and hope the rest of the Internet has a return route to you? That's so not happening - no routing protocol can handle that.

    Let me also point out NAT hides addresses and provides security. I don't want the Internet knowing my internal host IP's. They can know about my firewall IP though. So I want to hide the internal IP's. NAT does this beautifully, and is an essential security function.

    There's no denying NAT is needed. The fact that the IPv6 designers even debate this at all shows how clueless they are to real world issues, and because they are so detached from reality, nobody wants to implement their new protocol. It's no mystery why the IPv6 adoption rate is so slow.

  • Re:NOOOOOOO (Score:4, Informative)

    by Nevynxxx ( 932175 ) on Wednesday October 06, 2010 @07:30AM (#33806366)

    If you have carrier redundancy, the IP6 stack can/will have *both* sets of IPs active at once, and you decide which gets used outgoing at the router. IPv6 actually includes multi-homing, unlike IPv4....
