On 03/11/2013 12:00 AM, Walter Dnes wrote:
> On Sun, Mar 10, 2013 at 05:07:25PM -0400, Michael Mol wrote
> 
>> NAT behind a home router is bad, too. For IPv4, it's only necessary
>> because there aren't enough IPv4 addresses to let everyone have a unique
>> one.
> 
>   The best real reason for moving to IPV6 is address space (or lack
> thereof, in the case of IPV4).  The people who are truly interested in
> speeding up IPV6 adoption should do their best to shut up the internet
> hippies who constantly rant and rave about how "NAT is evil".  Don't let
> the cause get distracted by that unrelated issue.  Focus on the core
> issue.

They're two sides of the same coin. If NAT wasn't such a problem,
layering RFC1918 address space would solve most of the address space
problems. The address space crunch remains a technical problem largely
because NAT can't solve it to completion.

NAT forces a distinction between 'client' and 'server', breaking the
'peer' nature of the network. This isn't some hippy egalitarian thing,
it means I can't trivially tell my VPS to connect to a backup target on
a different network without setting up either a tunnel or a port
forward. With IPv6, doing this is so brain-dead easy I never want to be
without it again. Once you've experienced IPv6 and appropriate network
firewalls, along with the ease of connecting to your own machines from
anywhere you want without having to bounce through a third-party
management service like Teamviewer, you never want to go back. It's like
discovering you've been holding a pencil wrong all your life, or like
discovering a better way to tie your shoes; the solution is simple,
elegant and surprisingly productive. NAT is like tying your shoes wrong;
you don't know how much of a problem it is until you experience life
without it.

And even once you get people comfortable with deploying IPv6, they still
want to hold on to NAT; it's like a stubborn stain on their minds.

It's important to explain that NAT isn't a security measure. In order to
operate, it requires what amounts to a stateful firewall...but that
doesn't mean that a stateful firewall is difficult to obtain without
NAT. People have grown so accustomed to the presence of NAT and NAT's
inherent implications on inbound traffic that they wind up conflating
the two in their minds, making actual understanding of their network's
security that much more difficult to comprehend. So, yeah, NAT is evil.

Looking for privacy in your addresses? That's what privacy extensions
are for, and they're enabled by default on Windows and Ubuntu. (I
haven't looked on Gentoo...)

The only reasonably valid use case for NAT that I've seen is for dealing
with the question of multi-homing an office with two internet
connections. The idea is that you don't have to renumber your internal
network if you need to switch from your primary connection to your
backup connection (and you're being granted different IP ranges based on
which connection you're working with...so we're talking small business,
not BGP or multilink with the same ISP).

In those cases, I advocate application-layer gateways; chances are, if
you're investing in multi-homing your office, you probably already want
the kind of administrative power (and performance improvements) proxy
servers can offer you.

The IPv4 address crunch triggered the development of DNAT a couple
decades ago, and the silly thing persists in terrible ways when there
are simpler ways to handle things. (When I say 'simpler', I mean: Don't
break assumptions about basic network behavior such as 'don't mangle my
packets' or 'I can open a connection back to him when I have updates he
needs')

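An added illustration of the point made above, that the inbound protection people credit to NAT is really the connection-tracking table NAT happens to need, and that the same table works fine on its own. This is example code written for this page, not code from Michael Mol or from the thread; the two boxes are toy models rather than netfilter, and every address, port and packet in it is constructed (documentation prefixes and RFC 1918 space) for illustration:

```python
# Added example, not from the original mail: a toy model of a masquerading
# NAT router beside a plain stateful firewall for globally addressed hosts.
# Addresses, ports and packets below are constructed for illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn", defaults=(False,))  # syn: new connection


class StatefulFilter:
    """IPv6 case: nothing is rewritten; inbound passes only for flows the inside
    opened or for explicit allow rules. This table is all NAT gets credit for."""

    def __init__(self):
        self.conntrack = set()  # (src, sport, dst, dport) of flows opened from inside
        self.allow_in = set()   # (host, port) explicitly admitted

    def permit_inbound(self, host, port):
        self.allow_in.add((host, port))

    def forward(self, pkt, from_inside):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if from_inside:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return pkt  # leaves untouched
        if reverse in self.conntrack:
            return pkt  # reply to a flow the inside opened
        if pkt.syn and (pkt.dst, pkt.dport) in self.allow_in:
            self.conntrack.add(reverse)  # later packets of this flow pass too
            return pkt  # delivered to the host's real address
        return None  # unsolicited: dropped


class NatBox:
    """IPv4 case: one public address shared by private hosts. The same state table
    is needed just to route replies, packets are rewritten, inbound needs a forward."""

    def __init__(self, public):
        self.public, self.next_port = public, 40000
        self.out_map = {}   # private (src, sport, dst, dport) -> public port
        self.in_map = {}    # (public port, remote, rport) -> (host, hport)
        self.forwards = {}  # public port -> (host, port)

    def port_forward(self, public_port, host, port):
        if public_port in self.forwards:
            raise ValueError(f"public port {public_port} already forwarded")
        self.forwards[public_port] = (host, port)

    def forward(self, pkt, from_inside):
        if from_inside:
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if flow not in self.out_map:
                self.out_map[flow] = self.next_port
                self.in_map[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                self.next_port += 1
            # source mangled: the peer sees the router, never the host
            return Packet(self.public, self.out_map[flow], pkt.dst, pkt.dport, pkt.syn)
        if pkt.dst != self.public:
            return None  # private addresses are unreachable from outside
        inside = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None and pkt.syn and pkt.dport in self.forwards:
            inside = self.forwards[pkt.dport]
            # record state so the host's replies get translated back
            self.out_map[(inside[0], inside[1], pkt.src, pkt.sport)] = pkt.dport
            self.in_map[(pkt.dport, pkt.src, pkt.sport)] = inside
        if inside is None:
            return None  # no state and no forward: dropped
        return Packet(pkt.src, pkt.sport, inside[0], inside[1], pkt.syn)


def run_scenarios():
    """Push the same three situations through both boxes; return the outcomes."""
    fw, nat = StatefulFilter(), NatBox("192.0.2.1")
    h6a, h6b, r6 = "2001:db8:1::10", "2001:db8:1::11", "2001:db8:2::1"
    h4a, h4b, r4 = "10.0.0.10", "10.0.0.11", "198.51.100.7"
    out = {}
    # 1. An inside host connects out; the reply must get back in through both.
    egress6 = fw.forward(Packet(h6a, 50000, r6, 443, syn=True), True)
    egress4 = nat.forward(Packet(h4a, 50000, r4, 443, syn=True), True)
    reply6 = fw.forward(Packet(r6, 443, h6a, 50000), False)
    reply4 = nat.forward(Packet(r4, 443, egress4.src, egress4.sport), False)
    out["fw_src_untouched"] = egress6.src == h6a
    out["nat_src_mangled"] = egress4.src == nat.public
    out["both_replies_pass"] = reply6 is not None and reply4 is not None and reply4.dst == h4a
    # 2. An unsolicited SYN to port 22 is dropped by both, NAT or not.
    out["fw_drops_unsolicited"] = fw.forward(Packet(r6, 40001, h6a, 22, syn=True), False) is None
    out["nat_drops_unsolicited"] = nat.forward(Packet(r4, 40001, nat.public, 22, syn=True), False) is None
    # 3. Admit SSH to two hosts: one rule each without NAT, and the peer talks to
    #    each host's own address; behind NAT only one host can own public port 22.
    fw.permit_inbound(h6a, 22)
    fw.permit_inbound(h6b, 22)
    ssh_a = fw.forward(Packet(r6, 40002, h6a, 22, syn=True), False)
    ssh_b = fw.forward(Packet(r6, 40003, h6b, 22, syn=True), False)
    out["fw_ssh_to_real_addresses"] = ssh_a.dst == h6a and ssh_b.dst == h6b
    nat.port_forward(22, h4a, 22)
    try:
        nat.port_forward(22, h4b, 22)
        out["nat_second_host_needs_other_port"] = False
    except ValueError:
        nat.port_forward(2222, h4b, 22)
        out["nat_second_host_needs_other_port"] = True
    return out
```

Calling run_scenarios() returns True for every key: both boxes drop the unsolicited SYN for the same reason (no matching state), only the NAT box rewrites the source address, and admitting SSH to a second host is one more allow rule on the stateful filter but a second public port on the NAT box. The model deliberately keys its NAT table on the full (public port, remote, remote port) tuple, as a real masquerading router does, so two remote peers can share a forwarded port without clobbering each other's state.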