
IPv6 NAT

IPv6 NAT

Posted Jul 21, 2011 9:13 UTC (Thu) by copsewood (subscriber, #199)
Parent article: IPv6 NAT

Smaller IPV6 networks, like the one I'm setting up on my LAN, are going to have to renumber if moving between providers. If not, the router tables will fragment into too many little pieces. If you have an AS number you can change the routing between your address space and the rest of the world, but you need a large network to do that.



IPv6 NAT

Posted Jul 21, 2011 10:04 UTC (Thu) by akumria (subscriber, #7773)

And why is renumbering bad?

AIUI you have a router which will either be performing DHCPv6 or SLAAC (stateless address auto-configuration).

In either case, this router will be issuing the prefix (first /64) to other devices.

If you change providers, you have to modify things on the router.

With NAT66, what changes?

- no need to modify DHCPv6 (or SLAAC)
- but you still need to change things on the router

i.e. you still need to change things on the router.

I'm struggling to see why NAT66 helps in your renumbering case.

IPv6 NAT

Posted Jul 21, 2011 11:27 UTC (Thu) by copsewood (subscriber, #199)

I think it's too early in the cycle to say exactly how smaller IPV6 networks will be configured, as these now are more likely to be for technology exploration geeks and early adopters as opposed to for production use. So IPV6 configurations are likely to be unstable and will change as we learn more. The cost of address renumbering is also pretty low on my list of current IPV6 migration concerns. At the moment IPV6 feels a bit like when in order to get IPV4 connections I had to install userspace PPP or SLIP tunnels over X25 over POTS. My subsequent larger permanently routed IPV4 LAN installs had static IP address allocation per host, as have my early IPV6 ones due to the fact I'm setting static IPV6 routes within my small experimental LAN for which the IPV4 only router carries IPV6 tunneled, prior to very much thought having to be given to IPV6 firewalling.

The primary motivation for IPV4 DHCP also wasn't to conserve IPV4 addresses but to simplify management, so a single host image could be rolled out and didn't need so much hand configuration. Prior to managing the LAN using DHCP/NAT we had the problem of needing to keep a very tight register of address allocations and when that eventually broke down we had occasional instances of duplicate IPV4 addresses fighting each other on the same network.

I'm also not a fan of NAT unless what you really want is a gateway to prevent the outside looking into interior private LAN operations. I am a fan of the kind of stateful default firewall NAT provides - this kind of firewall will still be needed on IPV6 consumer grade routers once these are widely available and sensibly priced, regardless of whether address translation is used or not, to require someone to state to the router that they want to provide a world-visible service before they do so by default, before IPV6 is rolled out as a standard "plug it in and it goes" default option to great numbers of the security ignorant.

IPv6 NAT

Posted Jul 21, 2011 21:14 UTC (Thu) by mstefani (subscriber, #31644)

How often have you renumbered networks?
It is a *pain*. Even on the network side, which is the easiest part, it is a lot of work (globally update your route filters, your firewalls, intrusion detection, monitoring). Even if you use dhcp there will be the odd device or "power user" that has a static address. Or worse, there will be that "critical" in-house application (which the IT department doesn't even know exists) that has IP addresses hard-coded all over the place. And that's only the technical part. The worst thing is that you move from a simple, well understood and local change that you can do in your standard maintenance window to a high-impact, widespread change. Think project management, business cases and justifications, coordination meetings, ROI discussions, etc. etc.

Oh, and your sales rep with the old provider very well knows those costs of changing IP addresses and will factor that in in his updated quote. And you'll grudgingly have to accept that the $500 that he charges you more per month provides you with the "better value".

So no, changing the IPs with the provider is the worst solution for an enterprise. You want to go either PIR or ULA. But of course for a hotel or coffee place that offers Internet access to their guests changing IP addresses with the providers is a viable solution.

IPv6 NAT

Posted Jul 23, 2011 13:29 UTC (Sat) by dsommers (subscriber, #55274)

Fair enough, renumbering networks can really be a pain. Agreed! Been there, done that - several times. But is that the fault of the network numbering? Or the management routines related to the network numbering?

I do consider NAT44 a nasty hack, but am pragmatic enough to see that David S. Miller is right. NAT won't go away. But sometimes I wonder why many prefer hacks to solve their issues, rather than targeting the root issue. Make the tools you need/use tackle network renumbering better, instead of adding yet another layer of complexity in your core network. Tools will only have effect and do the job when you do the change. NAT66 can impact the network efficiency over a long time.

Regarding 'power users' or 'that "critical" in house application of which IT doesn't know about' ... for me these are just lame excuses for not aiming for a better solution. Yes, these things happen. But that those services or persons outside the IT dep. are able to hold the IT dep. hostage like this is just absurd in my eyes.

However, renumbering IPv6 addresses cannot be that easily compared to renumbering IPv4 nets. With IPv4, your netmask might be reduced, or you might have a /27 net which is moved and so on. So with IPv4 addresses you might need to change your addressing scheme, sometimes that's a very big change - *this* is painful. But with IPv6 only the prefix should change, where you most likely will have /48, /56 or /64 subnets. Which means you can keep the same IPv6 addressing scheme, you just need to change the prefix you have been assigned. In other words, this will be *less* painful.

And if I've understood NAT66 correctly, it is not really comparable to NAT44, as *port* NATing is not part of NAT66. NAT66 will just modify the IPv6 prefix. But I've not looked deep into the changes nfnat66 does. If it stays compliant with RFC6296, I struggle to see the real effect of this "infrastructure hiding" which is claimed as the reason why to use NAT.

IPv6 NAT

Posted Jul 21, 2011 17:36 UTC (Thu) by Lennie (subscriber, #49641)

Why not use http://en.wikipedia.org/wiki/Unique_local_address ?

You have 3 addresses on your hosts:
- link-local
- global address
- ULA

You can have several ULA ranges in your organisation, and you set up any firewalls and internal DNS and so on to only use the ULA.

I know some people think ULA is a bad idea, but I think using NAT is a lot worse.

IPv6 NAT

Posted Jul 21, 2011 19:58 UTC (Thu) by mstefani (subscriber, #31644)

Because it is an operational mess in practice.
ULAs are not a special IPv6 address type like the site-local addresses once were. They are global addresses by the standard. So you have 2 global addresses on the hosts and the applications/hosts will "randomly" pick one as source address. There doesn't seem to be any consistency between OSes or even OS versions on which address is chosen and applications can mess with that too. Stateful firewalls tend to not like that and protocols that are NAT unfriendly will have a tendency to break too.

What we hear from network vendors is that their customers that tried your proposal have reverted to using only global addresses pretty quickly and don't bother with ULA. Even if they don't route their global address to the internet and provide only NATed or proxied Internet access over IPv6.

No, ULA is a nice idea but doesn't seem to work in practice.
NAT sounds like a bad idea but it tends to work in practice and can simplify some network designs tremendously (multihoming, making sure that the traffic returns through the same stateful firewall, stop-gap measure for internet access while you beat your provider and upstream provider for weeks and months to not filter out your prefix, etc). After all NAT is *not* bad, NAT is just a tool. A tool that can be misused but also a tool that can save your ass sometimes.

IPv6 NAT

Posted Jul 21, 2011 22:28 UTC (Thu) by Lennie (subscriber, #49641)

That is the best argument of why ULA doesn't work I've ever seen.

I do think there are ways to solve that, SLAAC and DHCPv6 have a lot of options, I wouldn't be surprised if most operating systems don't honor half of them though.

The solution could be to have the router(s) send 2 different RA packets, one with the global routable address and default route, the other with the ULA and more specific routes for other parts of the network.

That way the host-machine thinks there are 2 routers and thus it knows what source-address to use when talking to the router and hosts on the other parts of the network.

In other news, some people say proxy servers are the solution not NAT.

IPv6 NAT

Posted Aug 30, 2011 23:20 UTC (Tue) by baldur (guest, #77305)

"So you have 2 global addresses on the hosts and the applications/hosts will "randomly" pick one as source address."

No, the host should follow the rules set out in RFC 3484: http://www.ietf.org/rfc/rfc3484.txt

More specifically the host will use the source address with the longest common prefix of the destination address. This rule guarantees that the ULA address will be used to communicate with other ULAs. And the GUA for other GUAs.
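The longest-common-prefix rule described above, as an added example that is not part of the thread: a host holding a link-local, a global and a ULA address picks the source per RFC 3484 Rule 8 (only the scope rule and Rule 8 are modelled). The 2001:db8::/32 documentation prefix and the fd12:3456:789a::/48 ULA are constructed sample values.

```python
from ipaddress import IPv6Address, IPv6Network

# RFC 4193 Unique Local Address block. Note that RFC 3484 still treats
# ULAs as global scope, as mstefani points out above.
ULA_BLOCK = IPv6Network("fc00::/7")

# Constructed sample host: the three addresses Lennie lists above.
HOST_ADDRS = ["fe80::1", "2001:db8:1:2::10", "fd12:3456:789a:1::10"]


def common_prefix_len(a: IPv6Address, b: IPv6Address) -> int:
    """Leading bits shared by two addresses (CommonPrefixLen in RFC 3484)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def address_kind(addr: IPv6Address) -> str:
    """Classify an address the way the thread does: link-local, ULA or global."""
    if addr.is_link_local:
        return "link-local"
    if addr in ULA_BLOCK:
        return "ULA"
    return "global"


def select_source(candidates, destination) -> IPv6Address:
    """Choose the source address for `destination` from `candidates`.

    Rule 2 (matching scope) keeps link-local sources for link-local
    destinations only; Rule 8 (longest matching prefix) then decides.
    Rules 3-7 (deprecated/home addresses, policy labels, ...) are not
    modelled, so this is a simplification of RFC 3484, not the full spec.
    """
    dest = IPv6Address(destination)
    pool = [IPv6Address(c) for c in candidates]
    pool = [c for c in pool if c.is_link_local == dest.is_link_local]
    if not pool:
        raise ValueError("no candidate source matches the destination scope")
    # max() keeps the first candidate on ties, like a stable preference order.
    return max(pool, key=lambda c: common_prefix_len(c, dest))


if __name__ == "__main__":
    for dst in ("fd12:3456:789a:2::20", "2001:db8:9::1", "fe80::2"):
        src = select_source(HOST_ADDRS, dst)
        print(f"{dst:>22} -> {src} ({address_kind(src)})")
```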

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds