ietf

Re: NATs *ARE* evil!

2000-12-18 11:10:02
   From: "Perry E. Metzger" <perry(_at_)piermont(_dot_)com>
   Date: 17 Dec 2000 13:32:03 -0500

   It certainly takes more. The amount of NAT equipment out there is
   astonishing, and as I said at the plenary, people are starting to pay
   Real Money (as in millions a year) in large organizations to keep the
   NATs working properly. Several layers of NAT has become common, and
   NATs are stateful, which means they are necessarily more of a
   reliability problem than routers.

   v6 is really no harder to use than the old v4 pre-NAT network was.

   It is true that v6 qua v6 does not solve the route explosion
   problem. It is also true that the route explosion problem is a real
   problem. However, it doesn't make it worse, either.

Perry, 

The flaw in your argument is that you're assuming that the only reason
to do NAT is because of the address space problem.   My concern is that
it may turn out that some transport/routing people may conclude that we
may also need to do NAT to solve the routing problem.   In which case,
we're back to where we started.

I'd feel a lot better if we could get key routing/transport people to
sign some contract in blood stating that the IPV6 address is guaranteed
to be invariant, and that any attempt to design boxes which muck with
the IPV6 address in transit is architecturally out of bounds.  That may
seem to you to be obviously true, but 10 years ago we assumed the same
would be true for IPV4 addresses.

If it turns out that we need some kind of routing identifier in the IPV6
address, whether it's the dreaded 8+8 scheme, or adding another 16 byte
value in the header which routers are free to muck with to our heart's
content, at some level, whatever, I don't care.  I'm a security guy, not a
routing guy, so I don't know what will work the best, and at some level,
I don't care --- just so long as it works, and that we have something
which *everyone* agrees will be an invariant end-point identifier, now
and forever, world without end, Amen.

Otherwise, 5-7 years from now, we'll be using IPV6, and there will be a
need for some kind of routing-gw/NAT boxes, and people will *still* be
complaining that it's all IPSEC's fault that IPSEC doesn't work through
NAT boxes, and the anti-NAT people will be complaining that the NAT
folks have changed the rules again.  And all that work which the IPV6
rollout folks have put into that project will in the end be for naught.

                                                        - Ted
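The complaint Ted anticipates ("IPSEC doesn't work through NAT boxes") comes down to one mechanical fact: IPsec AH binds its integrity check to the source and destination addresses, so any box that rewrites an address in transit invalidates the packet, while a box that only touches mutable fields such as TTL does not. The following is an added example, not code from the thread or from any IPsec implementation: a minimal IPv4+AH packet builder that computes an HMAC-SHA1-96 ICV over the immutable fields the way RFC 2402/2404 describe, then checks the ICV after a router-style TTL decrement and after a NAT-style source rewrite. IPv4 is used only because it is shorter to construct; the key, SPI, addresses and payload are constructed test values, and the IPv4 header checksum is left at zero because AH zeroes it before computing the ICV anyway.

```python
"""
Added example: why an address-rewriting NAT breaks IPsec AH and an ordinary
router does not. Simplified AH over IPv4 with HMAC-SHA1-96 (RFC 2402/2404
semantics); all keys, SPIs and addresses are constructed test values.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51
ICV_LEN = 12  # HMAC-SHA1-96: 160-bit MAC truncated to 96 bits (RFC 2404)
IP_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def build_ipv4_header(src, dst, ttl, proto, total_len):
    # Header checksum is left 0: it is a mutable field and is zeroed for the ICV.
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable(ip_hdr):
    # RFC 2402 s3.3.3.1: ToS, flags, fragment offset, TTL and header checksum are
    # mutable and zeroed before the ICV is computed. Source and destination
    # addresses are immutable and therefore covered by the ICV.
    fields = list(struct.unpack(IP_FMT, ip_hdr))
    fields[1] = 0  # ToS
    fields[4] = 0  # flags + fragment offset
    fields[5] = 0  # TTL
    fields[7] = 0  # header checksum
    return struct.pack(IP_FMT, *fields)


def ah_header(next_hdr, spi, seq, icv):
    payload_len = (12 + len(icv)) // 4 - 2  # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, spi, seq, next_hdr, payload):
    # ICV covers: IP header with mutable fields zeroed, AH header with the ICV
    # field zeroed, and everything after AH (the upper-layer payload).
    ah_zeroed = ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)
    mac = hmac.new(key, zero_mutable(ip_hdr) + ah_zeroed + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, ttl, spi, seq, payload, next_hdr=6):
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, ttl, AH_PROTO, total_len)
    icv = ah_icv(key, ip_hdr, spi, seq, next_hdr, payload)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload


def verify_ah_packet(key, pkt):
    # Receiver side: recompute the ICV over what arrived and compare in constant time.
    ip_hdr, ah = pkt[:20], pkt[20:]
    next_hdr, _plen, _res, spi, seq = struct.unpack("!BBHII", ah[:12])
    icv, payload = ah[12:12 + ICV_LEN], ah[12 + ICV_LEN:]
    expected = ah_icv(key, ip_hdr, spi, seq, next_hdr, payload)
    return hmac.compare_digest(icv, expected)


def rewrite_src(pkt, new_src):
    # What a NAT does: replace the source address (bytes 12..15 of the IP header).
    return pkt[:12] + IPv4Address(new_src).packed + pkt[16:]


def decrement_ttl(pkt):
    # What an ordinary router does: decrement TTL (byte 8 of the IP header).
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]


def demo():
    key = b"constructed-test-key-not-real"  # constructed SA key
    pkt = build_ah_packet(key, "10.0.0.5", "192.0.2.10", 64, 0x1000, 1, b"hello")
    return {
        "original": verify_ah_packet(key, pkt),
        "after_router_ttl": verify_ah_packet(key, decrement_ttl(pkt)),
        "after_nat_src_rewrite": verify_ah_packet(key, rewrite_src(pkt, "203.0.113.7")),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `original` and `after_router_ttl` as True and `after_nat_src_rewrite` as False. The same binding exists for IPv6 AH, which is the point of the thread: whatever field is used as the end-point identifier, if anything in the path is permitted to rewrite it, any integrity mechanism that covers it is broken by design rather than by accident.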


