North American Network Operators Group

Re: Access to the IPv4 net for IPv6-only systems, was: Re: WG Action: Conclusion of IP Version 6 (ipv6)

  • From: Stephen Sprunk
  • Date: Tue Oct 02 14:34:05 2007

Thus spake "Iljitsch van Beijnum" <[email protected]>
On 2-okt-2007, at 11:36, John Curran wrote:
The proxy&tunnel vs NAT-PT differences of opinion are entirely
based on deployment model... proxy has the same drawbacks
as NAT-PT,

The main issue with a proxy is that it's TCP-only. The main issue with NAT-PT is that the applications don't know what's going on.
Rather different drawbacks, I'd say.

There are several different mechanisms devices can use to discover they're behind a NAT(-PT) if they care. Most do not, and those that do often can't do anything about it even if they know.

only without the attention to ALG's that NAT-PT will receive,

ALGs are not the solution. They turn the internet into a telco-like network where you only get to deploy new applications when the
powers that be permit you to.

That's somewhat true if you rely on a NAT-PT upstream. However, you can run your own NAT-PT box, decide what ALGs to run, and bypass the upstream NAT-PT since you will _appear_ to be a natively dual-stacked site. Of course, you're limited by the vendor writing the ALGs in the first place, but that's just an argument for OSS. Or perhaps it's an argument for deploying real v6 support and getting rid of NAT-PT entirely.

The alternative to NAT-PT is multilayered v4 NAT, which has the same problem you describe except there's no way out.

and tunnelling is still going to require NAT in the deployment
mode once IPv4 addresses are readily available.

Yes, but it's the IPv4 NAT we all know and love (to hate). So this means all the ALGs you can think of already exist and we get to
leave that problem behind when we turn off IPv4.

We'll still need all those ALGs for v6 stateful firewalls. Might as well put them to use in NAT-PT during the transition between the ALG'd starting phase (all v4) and the ALG'd ending phase (all v6).

Also, not unimportant: it allows IPv4-only applications to work

Any applications that work "trivially" through v4 NAT will also work "trivially" through NAT-PT and v6 stateful firewalls. The interesting apps are the ones that don't work through NAT or firewalls without ALGs.

If you're making some silly argument about non-NAT v4 access, well, you're over a decade out of touch with reality. The number of v4 hosts that are _not_ behind a NAT is negligible today.


Stephen Sprunk
CCIE #3723
K5SSS

"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking