Posted Jul 21, 2011 11:27 UTC (Thu) by copsewood (subscriber, #199)
In reply to: IPv6 NAT by akumria
Parent article: IPv6 NAT
I think it's too early in the cycle to say exactly how smaller IPv6 networks will be configured, as these now are more likely to be for technology exploration geeks and early adopters as opposed to for production use. So IPv6 configurations are likely to be unstable and will change as we learn more. The cost of address renumbering is also pretty low on my list of current IPv6 migration concerns. At the moment IPv6 feels a bit like when, in order to get IPv4 connections, I had to install userspace PPP or SLIP tunnels over X.25 over POTS. My subsequent larger permanently routed IPv4 LAN installs had static IP address allocation per host, as have my early IPv6 ones due to the fact I'm setting static IPv6 routes within my small experimental LAN for which the IPv4-only router carries IPv6 tunneled, prior to very much thought having to be given to IPv6 firewalling.
The primary motivation for IPv4 DHCP also wasn't to conserve IPv4 addresses but to simplify management, so a single host image could be rolled out and didn't need so much hand configuration. Prior to managing the LAN using DHCP/NAT we had the problem of needing to keep a very tight register of address allocations, and when that eventually broke down we had occasional instances of duplicate IPv4 addresses fighting each other on the same network.
I'm also not a fan of NAT unless what you really want is a gateway to prevent the outside looking into interior private LAN operations. I am a fan of the kind of stateful default firewall NAT provides - this kind of firewall will still be needed on IPv6 consumer-grade routers once these are widely available and sensibly priced, regardless of whether address translation is used or not, to require someone to state to the router that they want to provide a world-visible service before they do so by default, before IPv6 is rolled out as a standard "plug it in and it goes" default option to great numbers of the security-ignorant.