And if we want to have a NAT-less world it'll have to grow BIG.
Posted Jul 22, 2011 8:32 UTC (Fri) by anselm (subscriber, #2796)
I'm not convinced. The IPv4 routing tables are as big as they are because (a) various assumptions governing address allocation were flawed and couldn't really be corrected retroactively, and (b) people are generally not eager to renumber their whole network when they change providers just to simplify the default-free routing tables, hence »provider-independent addresses« for larger installations.
With IPv6, renumbering is much less of a hassle than with IPv4, and there are many more addresses available in the first place, so there's a good chance that the routing tables will not grow that much. They will probably grow some, but not by several orders of magnitude.
(Note: I don't claim to be an IPv6 guru, but I have this from a few people who do IPv6 for a living, and it makes sense to me.)
Posted Jul 22, 2011 9:00 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
First, even renumbering won't help you to use two independent uplinks. You either need PI or NAT for it. No other choices. And right now NAT wins by a huge margin.
As for renumbering, have you ever done it with IPv6? It's actually WORSE than with IPv4.
<rant mode on>
The situation with IPv6 rhymes with "muster duck", to quote someone on NANOG.
For example, I have a device (say, a network printer) on my network. It gets its address from SLAAC. So far so good, the only question is: how do I discover it?
Manually adding it by typing a 128-bit-long address is out of the question. And it won't work with renumbering, anyway.
Ok, let's try DHCPv6. Oh, another "muster duck" - it can't be used separately without SLAAC. And anyway, this way I'll have to identify my devices by MAC addresses, which is definitely suboptimal. Also, the DHCP server becomes a single point of failure and a maintenance nightmare.
Ok, what if we want the device to self-register in my local DNS? Can't be done. TSIG is broken for that purpose and the IETF is only _now_ starting to think about suitable standards for it.
With NAT everything is easy - just statically assign IPv4 address and you're done. And it'll work even if you have multiple uplinks. End of story.
</rant mode off>
Posted Jul 22, 2011 14:13 UTC (Fri) by foom (subscriber, #14868)
When the lease expires, the name is removed from DNS. The device doesn't need to self-register with DNS, since the DHCP server handles it. And the DHCP server doesn't need to have MAC address mapping for the endpoints, since it just gets the names from the DHCP request.
Works great....and would work for IPv6 too, if I had set that up.
Posted Jul 22, 2011 20:10 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
Want to bet that it'd take less than a week in an organization of medium size for a host with a duplicate name to appear?
Also, that's a nice attack vector for hackers. Just infect your CEO's iPad and make it impersonate VerySecureFinancialServer.yourorganization.com - DHCP is not authenticated, so all the hacker would need to do is change the iPad's hostname.
Posted Jul 24, 2011 18:00 UTC (Sun) by foom (subscriber, #14868)
Well, we use the automatic unauthenticated assignment for desktops so it mostly doesn't matter (and btw, there's ~400 of them). If a duplicate name is requested, it's simply ignored if the first DHCP lease is still active. Of course if the first user's lease expires (or is relinquished), you could steal their hostname, indeed. Shrug.
> Also, that's a nice attack vector for hackers. Just infect your CEO's iPad and make it impersonate VerySecureFinancialServer.yourorganization.com - DHCP is not authenticated, so all the hacker would need to do is change the iPad's hostname.
Well, yes, guess what. Neither MAC addresses nor IP addresses are authenticated either. If you want to secure such things, you'll need to have a separate trusted network segment (or use 802.1x), and then you can lock down "secure" hostnames to that network segment.
You can also use Windows Active Directory, with which it is trivial to do dynamic hostname assignment authenticated to the host's kerberos key.
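The two failure modes discussed in this exchange (a second machine claiming a name that another lease already holds, and an unauthenticated client claiming a "secure" hostname) are both visible in the DHCP server's own log. The script below is an added example, not code from either poster: it replays constructed ISC-dhcpd-style syslog lines (the exact message layout, the MAC addresses and the protected-name allow-list are all assumptions) and mirrors the behaviour foom describes, keeping the first requester as the holder of a name until it is released, while flagging later claims from a different MAC and any claim on a protected name from a MAC outside its allow-list.

```python
import re

# Assumed ISC dhcpd syslog layout; adjust the pattern for your server.
LINE_RE = re.compile(
    r"DHCP(?P<kind>REQUEST|RELEASE|ACK) (?:for|on|of) (?P<ip>[0-9a-f.:]+) "
    r"(?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

# Constructed allow-list: hostname -> MACs allowed to claim it. In practice
# you would tie this to the trusted segment / 802.1X identity instead.
PROTECTED = {
    "verysecurefinancialserver": {"00:11:22:33:44:55"},
}

# Constructed log excerpt for the example (not real traffic).
SAMPLE_LOG = """\
Jul 22 10:00:01 dhcp dhcpd: DHCPREQUEST for 10.1.2.10 from 00:11:22:33:44:55 (VerySecureFinancialServer) via eth0
Jul 22 10:00:01 dhcp dhcpd: DHCPACK on 10.1.2.10 to 00:11:22:33:44:55 (VerySecureFinancialServer) via eth0
Jul 22 10:05:17 dhcp dhcpd: DHCPREQUEST for 10.1.2.77 from a4:b1:c2:d3:e4:f5 (alice-laptop) via eth0
Jul 22 10:05:17 dhcp dhcpd: DHCPACK on 10.1.2.77 to a4:b1:c2:d3:e4:f5 (alice-laptop) via eth0
Jul 22 10:09:40 dhcp dhcpd: DHCPREQUEST for 10.1.2.91 from de:ad:be:ef:00:01 (VerySecureFinancialServer) via eth0
Jul 22 10:12:03 dhcp dhcpd: DHCPRELEASE of 10.1.2.77 from a4:b1:c2:d3:e4:f5 (alice-laptop) via eth0
Jul 22 10:12:30 dhcp dhcpd: DHCPREQUEST for 10.1.2.78 from 66:77:88:99:aa:bb (alice-laptop) via eth0
"""


def audit_dhcp_log(lines, protected=PROTECTED):
    """Return a list of alert strings for the given log lines.

    The first MAC to request a hostname holds it until that MAC releases it
    (a server that ignores later duplicates while the lease is active).
    Alerts are raised for (a) a claim on a held name from another MAC and
    (b) a claim on a protected name from a MAC not on its allow-list.
    """
    holder = {}      # hostname -> MAC currently holding the name
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = m.group("kind").upper()
        mac = m.group("mac").lower()
        host = (m.group("host") or "").lower()
        if not host:
            continue
        if kind == "RELEASE":
            if holder.get(host) == mac:
                del holder[host]       # name is free again (and can be "stolen")
            continue
        if kind != "REQUEST":
            continue                   # ACKs repeat what REQUEST already told us
        allowed = protected.get(host)
        if allowed is not None and mac not in allowed:
            alerts.append(f"protected name {host!r} claimed by unauthorised {mac}")
        current = holder.get(host)
        if current is None:
            holder[host] = mac
        elif current != mac:
            alerts.append(f"duplicate claim for {host!r}: held by {current}, requested by {mac}")
    return alerts


if __name__ == "__main__":
    for alert in audit_dhcp_log(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
```

On the sample, the claim from de:ad:be:ef:00:01 raises both alerts, while 66:77:88:99:aa:bb taking over "alice-laptop" after the release raises none, which is exactly the gap foom shrugs at: once a lease is relinquished the name is up for grabs, so anything that must not be spoofable needs authentication (802.1X, or Kerberos-signed updates) rather than log monitoring alone.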
Posted Jul 22, 2011 15:48 UTC (Fri) by raven667 (subscriber, #5198)
Sure, there are operational changes with IPv6 and there will be rough edges that need to be refined that will become more apparent as it is used more. Think about the difference between a modern IPv4 implementation such as in Linux vs. IPv4 of 10 or 20 years ago. The protocols are compatible but the implementation and management are very different. Implementations can be modified to support quick prefix changes without changing any of the local subnetting or addressing in a compatible way, if that is the way the market goes.
Posted Jul 22, 2011 20:29 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
That's so incredibly unreliable and convoluted that it actually might be used.
>Manually putting addresses in DNS is certainly not out of the question either, just because you have a slightly longer address string.
It is out of the question. Addresses are not 'slightly' longer, they are ten _times_ longer in practice.
In the IPv4 world one just needs to remember _one_ _octet_ in practice, because the three other octets are usually fixed in a typical NAT-ed network. In the IPv6 world one needs to remember at least 8 octets.
And no, assigning the second half of the IPv6 address manually won't work. I have not yet seen a device that can accept a prefix advertisement AND allow the postfix to be assigned manually. And you'll need it to make renumbering even a remotely possible alternative.
>Sure there are operational changes with IPv6 and there will be rough edges that need to be refined that will become more apparent as it is used more. Think about the difference between a modern IPv4 implementation such as in Linux vs. IPv4 of 10 or 20 years ago.
Not true. IPv4 networks 10 years ago were administered almost exactly like today. Even 15 years ago the situation was not that much different (well, we used HTTP proxies instead of NATs and relied more on manual assignment than on DHCP, but that's basically all).
IPv6 is right now NOT READY for the real world. The basic protocol is fine, but everything else starting from DHCPv6 and SLAAC is utterly and horribly broken.
/me wants to hit IETF members with a lead pipe. Repeatedly.
Posted Jul 23, 2011 16:12 UTC (Sat) by baldur (guest, #77305)
But let's consider what it is you want. You want a private address range, for example fdbe:3b30:fb0b::/48. You can make up your own range easily here: http://bitace.com/ipv6calc/
Then you propose to use NAT to convert that range to your real public address range. But why would you do that? It is so much simpler to assign both a private AND a public IP to every device. If you are multihomed you simply assign two public IPs to everyone. In case you are wondering: How long does it take for everyone to switch to the backup if the primary fails: 30 seconds (the NUD timeout).
If you follow all the rules, a private range can be quite long and hard to remember, as in my example. But then, if you don't care, and it appears you don't, why not just use fd00::/64 as your range? Then your printer could be fd00::5. How is that any harder to remember than 172.16.0.5? The IPv6 address is in fact shorter...
How to make the printer be fd00::5? The same way as with IPv4. Either manual config or through DHCP(v6).
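The "make up your own range" step baldur points at is the RFC 4193 procedure: hash a timestamp together with a machine's EUI-64 and keep 40 bits as the Global ID, then put it behind fd00::/8 to get a /48. The script below is an added example rather than anything from the thread or from the calculator site: it derives the modified EUI-64 from a MAC the way SLAAC does, generates the ULA /48, and composes both a hand-picked host address (the "::5" printer) and a SLAAC-style address in it. The MAC and the NTP timestamp are constructed inputs.

```python
import hashlib
import ipaddress


def mac_to_eui64(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291,
    Appendix A): flip the universal/local bit of the first octet and
    insert 0xFFFE between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def ula_global_id(ntp_time: int, eui64: int) -> int:
    """40-bit Global ID per RFC 4193 section 3.2.2: SHA-1 over the 64-bit
    NTP timestamp concatenated with a system EUI-64, low-order 40 bits."""
    key = ntp_time.to_bytes(8, "big") + eui64.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")


def ula_prefix(ntp_time: int, eui64: int) -> ipaddress.IPv6Network:
    """Locally assigned ULA /48: fc00::/7 with the L bit set (first octet
    0xfd) followed by the 40-bit Global ID."""
    gid = ula_global_id(ntp_time, eui64)
    return ipaddress.IPv6Network(((0xFD << 120) | (gid << 80), 48))


def ula_address(prefix: ipaddress.IPv6Network, subnet: int, iid: int) -> ipaddress.IPv6Address:
    """Compose /48 prefix + 16-bit subnet ID + 64-bit interface ID."""
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= subnet <= 0xFFFF or not 0 <= iid < (1 << 64):
        raise ValueError("subnet must fit 16 bits and the IID 64 bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet << 64) | iid)


# Constructed inputs: a made-up MAC and an arbitrary 64-bit NTP timestamp.
EXAMPLE_MAC = "00:11:22:33:44:55"
EXAMPLE_NTP_TIME = 0xD0A1B2C3_00000000

if __name__ == "__main__":
    eui = mac_to_eui64(EXAMPLE_MAC)
    net = ula_prefix(EXAMPLE_NTP_TIME, eui)
    printer = ula_address(net, 1, 5)     # statically numbered device, "::5"
    slaac = ula_address(net, 1, eui)     # SLAAC-style address embedding the MAC
    print(f"EUI-64 of {EXAMPLE_MAC}: {eui:016x}")
    print(f"ULA prefix:     {net}")
    print(f"static printer: {printer}")
    print(f"SLAAC-style:    {slaac}")
```

Two points worth noticing when running it: the SLAAC-style address carries the MAC in clear in its low 64 bits, which is what makes "identify devices by MAC" possible at all and also why hosts increasingly use stable random IIDs instead; and the fd00::/8 prefix is private only in the sense of not being globally routed, so nothing about it substitutes for a filter at the border.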
Posted Jul 23, 2011 16:23 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
First, not all services accept link-locals. Second, they are not routed.
>Then you propose to use NAT to convert that range to your real public address range. But why would you do that?
Because alternatives suck.
>It is so much simpler to assign both a private AND a public IP to every device. If you are multihomed you simply assign two public IPs to everyone. In case you are wondering: How long does it take for everyone to switch to the backup if the primary fails: 30 seconds (the NUD timeout).
Yeah, yeah. Now try this _in_ _practice_. Printers and other networked devices usually don't support it. And even desktop computers have problems with choosing correct addresses.
AND you're not solving the problem with renumbering, you're actually making it even worse (which IP address should be registered in DNS if we have three uplinks?).
Oh, and I actually help to support a production IPv6 network of about 1000 devices. Try this, and you'll rapidly realize that IPv6 is just not yet ready for the real world.
Posted Jul 23, 2011 18:33 UTC (Sat) by baldur (guest, #77305)
Fact is that if you put two or more routers on a network and let them announce different prefixes, I have never seen a device that will not pick them up correctly. I have never seen a desktop OS that did not choose the correct address, do you have any documentation for that claim?
What address would you put in DNS if you were using NAT with multiple uplinks? Whatever your answer to that question I will say the same for the solution without NAT.
I am not sure why you want client computers to be in the DNS in the first place. But anyway, one possible answer is to put all the public IP addresses in the DNS. Some programs, like a web browser, know to try the alternative IP if the first fails. Another answer is to put the private fd00:: addresses in DNS. This will work for anyone using VPN or similar to your network (ie. anyone that has a reason to communicate with your client machines using a DNS name).
If we are talking about servers the best option is PI. As would it be in a solution that includes NAT. But there is actually an alternative: You can use mobile IPv6. This has no overhead when your primary link is up.
In fact you can use mobile IPv6 or NEMO for the whole network if you need to. Or you can use LISP.
Posted Jul 23, 2011 19:07 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
For example, HP networked printers allow only one address to be assigned manually. And Windows does not allow selecting address precedence using the GUI, so it's extremely easy to get one congested link and one lightly loaded - and no way to fix it. Even setting an interface metric (which still doesn't solve problems in reality) requires using DHCPv6 and SLAAC.
Even something as simple as ULA does not work well.
>What address would you put in DNS if you were using NAT with multiple uplinks?
The local address. It works fine for intra-organization purposes. In fact, it works GREAT when it's coupled with Microsoft AD.
>If we are talking about servers the best option is PI.
Which is expensive and doesn't scale.
>As would it be in a solution that includes NAT. But there is actually an alternative: You can use mobile IPv6.
No I cannot. Mobile IPv6 is not even supported in Linux properly, never mind all those embedded networked devices. Oh, Windows Vista/7 also don't support it.
Posted Jul 23, 2011 19:39 UTC (Sat) by baldur (guest, #77305)
Address preference is set by the router (RA option).
ULA address in the DNS works the same with or without NAT.
Mobile IPv6 would require extra software on the clients, yes. But not on these embedded devices, printers, etc, that are not supposed to be publicly available anyway. There is Linux support btw: http://www.umip.org/
You are overlooking the more powerful alternatives:
LISP was used by Facebook during IPv6 day.
Posted Jul 24, 2011 17:35 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
And right now I have only two solutions: NAT or PIR. And the second one is expensive and complex.
Forget IPv6 NAT; use LISP instead
Posted Jul 24, 2011 20:58 UTC (Sun) by baldur (guest, #77305)
Or if you are using Cisco go here: http://lisp4.cisco.com/index.html
The Linux implementation (which seems less mature): https://github.com/aless/
The available NAT66 solutions do not seem to be any more mature than LISP. Since LISP is so far superior I can not imagine the world taking on NAT66 at a greater scale. I would therefore expect little or no application support for NAT66 and a world of hurt for those that follow that ill path. There for sure are zero applications today that handle NAT on IPv6 (using STUN to figure out the real IP address and all that jazz).
Posted Jul 25, 2011 8:35 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
I have IPv6 address assignment from my ISP. I want to use LISP. What should I do?
Posted Jul 25, 2011 9:39 UTC (Mon) by baldur (guest, #77305)
Otherwise you can ignore the network and install your own PxTR(s) on collocated servers.
Posted Jul 25, 2011 13:10 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
Well, I can do this with IPSec tunnels or PPtP/GRE. And more easily, in fact.
Posted Jul 25, 2011 19:34 UTC (Mon) by baldur (guest, #77305)
But you are right - a tunnel is yet another way to solve the multihome issue. So now we have:
1) IPv6 with multiple prefixes
2) IPv6 with multiple prefixes and ULA
3) LISP: http://www.lisp4.net/
4) BGP multihome
5) NEMO and MIPv6: http://software.nautilus6.org/implementations.php
6) Custom tunnel
7) NAT66 (pre alpha version published on 15 Jul 2011: http://sourceforge.net/projects/nfnat66/).
We are currently doing 1) on a significantly larger network than the one you administer and it "just works". But I definitely think the future is 3). It might currently take some involvement to setup but that will change quickly.
The use cases and complaints that you have put forward are all solved by LISP and in a much better way than NAT66.
Posted Jul 26, 2011 16:26 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
MIPv6 and NEMO are effectively dead. They require cooperation of both parties to avoid triangular routing, and that's not going to happen because Windows has dropped MIPv6 support and has never had NEMO support.
I honestly think that NAT66 will be used quite widely. And it's actually not that bad, because it's possible to use it just in prefix-translation mode with 1-to-1 mapping.
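The "prefix-translation mode with 1-to-1 mapping" mentioned here is what RFC 6296 (NPTv6) standardises, and its one non-obvious part is keeping the translation checksum-neutral so the box never has to touch TCP/UDP/ICMPv6 checksums. The code below is an added example, not anything from the thread or from the nfnat66 project linked above: a stateless translator for equal-length prefixes of /48 or shorter that folds the one's complement difference of the two prefixes into the subnet word, plus a check that a translated address contributes the same pseudo-header sum as the original. The inside ULA and the outside documentation prefix are constructed values.

```python
import ipaddress


def ones_sum(words) -> int:
    """16-bit one's complement sum with end-around carry (Internet checksum arithmetic)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_neg(w: int) -> int:
    return (~w) & 0xFFFF


def words_of(addr: ipaddress.IPv6Address) -> list:
    packed = addr.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def pseudo_header_sum(addr) -> int:
    """Contribution of an address to the TCP/UDP/ICMPv6 pseudo-header checksum.
    0xFFFF and 0x0000 are the same one's complement value, so normalise."""
    s = ones_sum(words_of(ipaddress.IPv6Address(addr)))
    return 0 if s == 0xFFFF else s


class NPTv6:
    """Stateless 1:1 translation between an inside and an outside prefix of the
    same length (/48 or shorter), checksum-neutral as in RFC 6296 section 3.7:
    the word at bits 48-63 (the subnet ID) absorbs the one's complement
    difference of the two prefixes, so transport checksums stay valid."""

    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen or self.inside.prefixlen > 48:
            raise ValueError("example supports equal-length prefixes of /48 or shorter")
        in_sum = ones_sum(words_of(self.inside.network_address))
        out_sum = ones_sum(words_of(self.outside.network_address))
        self.adjust_out = ones_sum([in_sum, ones_neg(out_sum)])   # inside -> outside
        self.adjust_in = ones_sum([out_sum, ones_neg(in_sum)])    # outside -> inside

    @staticmethod
    def _map(addr, src_net, dst_net, adjust) -> ipaddress.IPv6Address:
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not within {src_net}")
        words = words_of(a)
        # 0xFFFF == 0x0000 in one's complement, so an all-ones subnet ID cannot
        # round-trip; RFC 6296 reserves it and a translator drops such packets.
        if words[3] == 0xFFFF:
            raise ValueError(f"{a}: subnet ID 0xFFFF is reserved, packet dropped")
        mapped = int(dst_net.network_address) | (int(a) & int(src_net.hostmask))
        words = words_of(ipaddress.IPv6Address(mapped))
        new_subnet = ones_sum([words[3], adjust])
        words[3] = 0 if new_subnet == 0xFFFF else new_subnet   # RFC 6296: write 0x0000 for 0xFFFF
        return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))

    def to_outside(self, addr) -> ipaddress.IPv6Address:
        return self._map(addr, self.inside, self.outside, self.adjust_out)

    def to_inside(self, addr) -> ipaddress.IPv6Address:
        return self._map(addr, self.outside, self.inside, self.adjust_in)

    def drops(self, addr) -> bool:
        """True if an inside source address would be dropped rather than translated."""
        try:
            self.to_outside(addr)
        except ValueError:
            return True
        return False


# Constructed prefixes: an internal ULA and a documentation prefix standing in
# for the provider-assigned one.
TRANSLATOR = NPTv6("fd01:203:405::/48", "2001:db8:1::/48")

if __name__ == "__main__":
    for inside in ("fd01:203:405:1::1234", "fd01:203:405:2ab0::1"):
        outside = TRANSLATOR.to_outside(inside)
        back = TRANSLATOR.to_inside(outside)
        neutral = pseudo_header_sum(inside) == pseudo_header_sum(outside)
        print(f"{inside} -> {outside} -> {back}  checksum-neutral: {neutral}")
```

The second sample address is chosen so the adjusted subnet word comes out as 0xFFFF and is written as 0x0000, showing why the all-ones subnet has to be reserved on the inside. The security caveat is the one the RFC itself makes: this is stateless, there is no session table, so every inside host is reachable from outside through its mapped address, and the mapping provides none of the accidental "filtering" people are used to getting from stateful NAT44. A stateful filter at the border is still required.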
Posted Jul 26, 2011 16:53 UTC (Tue) by baldur (guest, #77305)
Say you have ISP A and ISP B as uplinks. In addition, pay for, rent or collocate a server at both ISPs where you install the LISP proxy software. Granted, this is an extra expense, but you get:
1) The ISPs are taking care of BGP.
2) Automatic load balancing both up and downstream.
3) Automatic failover.
4) If you got PI address space you can easily switch ISPs.
5) If one server goes down you are still good, although this depends on the ISP stopping advertising your PI space.
LISP currently has an enormous amount of steam, so I feel quite confident that the beta network will eventually convert to production state. At that point it will be just as easy to set up as NAT66 but without any of the drawbacks. All you would need is to log in to the web interface of your standard router and check the LISP option. Then tell it four pieces of information: your allocated EID, the address of the map service, your username and password.
Of course NAT66 will happen but I don't see multihoming or renumbering-protection as good use cases. These will be better handled by LISP. I don't see most applications getting good NAT66 handling the same way they have NAT44 handling today.
We are probably not going to get any more learnings or consensus out of this thread. I just wanted to point out that there are in fact more options than BGP and NAT66.
Posted Jul 26, 2011 17:53 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
We've actually considered a similar variant (colocate a server and use it to terminate GRE tunnels).
So while there may be other ways (I'll concede that multiple IPv6 addresses might work for somebody), your choice is still very much between spending $$$$ and having an in many ways inferior solution.
As for LISP, it merits its own article on LWN. And right now it's FAR from being really complete (which is OK, people are still working on it).
Copyright © 2013, Eklektix, Inc.