
Re: IPv6 NAT?

2008-02-17 19:49:25


That's a terrible idea, because it would pander to the myths that
NAT is a security or policy tool.

Brian,
Several comments in this thread have suggested that security is the 
primary driver for NAT.

While it is surely a factor, I believe the dominant driver for NAT is 
addressing autonomy.

Unless/until enterprise (or even home) network operators have some 
number of bits of address to call their own, without risk of forced 
change or being held hostage to their ISP, you will have NAT for v6 
just like for v4.  I think you can take that to the bank.

        They have that today without NAT.   You are stuck in IPv4
        think.  You are thinking *one* address per interface.
        IPv6 was designed with *multiple* addresses per interface
        in mind.

        Use ULA + global addresses.  There is no need to NAT from
        one address to another.  Your internal network connects
        over ULA, your external net connects over a global address.
        Even with 1 to 1 NAT in IPv4 you have to use new global
        addresses for people to reach you.

        Note: this works today. link-local + ULA + global.

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::214:22ff:fed9:fbdc%bge0 prefixlen 64 scopeid 0x1 
        inet6 fd92:7065:b8e:0:214:22ff:fed9:fbdc prefixlen 64 autoconf 
        inet6 2001:470:1f00:820:214:22ff:fed9:fbdc prefixlen 64 autoconf 
        inet 192.168.191.236 netmask 0xffffff00 broadcast 192.168.191.255
        ether 00:14:22:d9:fb:dc
        media: Ethernet autoselect (10baseT/UTP <half-duplex>)
        status: active

% env |grep SSH
SSH_CLIENT=fd92:7065:b8e:0:2e0:29ff:fe19:c02d 4656 22
SSH_CONNECTION=fd92:7065:b8e:0:2e0:29ff:fe19:c02d 4656 
fd92:7065:b8e:0:214:22ff:fed9:fbdc 22
% 

        Mark
 
(Note that autoconf doesn't remove this need... enterprise operators 
will have local host addresses sprinkled throughout a plethora of 
departmental traffic disruption appliances, so renumbering will be 
viewed by many as a non-starter.)

-teg

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews(_at_)isc(_dot_)org
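As an added illustration (not part of Mark's message or any IETF code), a Python script that classifies the inet6 addresses from the quoted ifconfig output by scope and checks, from the quoted SSH_CONNECTION value, which scope the SSH session ran over; the quoted output is embedded as constructed sample input so it runs offline.

```python
import ipaddress
import re

# Constructed sample input: the ifconfig(8) and SSH_CONNECTION output quoted in the thread.
IFCONFIG_OUTPUT = """\
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::214:22ff:fed9:fbdc%bge0 prefixlen 64 scopeid 0x1
        inet6 fd92:7065:b8e:0:214:22ff:fed9:fbdc prefixlen 64 autoconf
        inet6 2001:470:1f00:820:214:22ff:fed9:fbdc prefixlen 64 autoconf
        inet 192.168.191.236 netmask 0xffffff00 broadcast 192.168.191.255
"""
SSH_CONNECTION = "fd92:7065:b8e:0:2e0:29ff:fe19:c02d 4656 fd92:7065:b8e:0:214:22ff:fed9:fbdc 22"

ULA = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses


def classify(addr: str) -> str:
    """Return 'link-local', 'ula', 'global' or 'other' for one IPv6 address.

    A zone id suffix such as %bge0 is stripped before parsing.
    """
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if ip.is_link_local:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip.is_global:
        return "global"
    return "other"


def interface_scopes(ifconfig: str) -> dict:
    """Map every inet6 address found in ifconfig output to its scope."""
    addrs = re.findall(r"^\s*inet6\s+(\S+)", ifconfig, re.MULTILINE)
    return {a: classify(a) for a in addrs}


def has_all_scopes(scopes: dict) -> bool:
    """True when one interface carries link-local, ULA and global addresses at once."""
    return {"link-local", "ula", "global"} <= set(scopes.values())


def ssh_session_scope(ssh_connection: str) -> str:
    """Scope of an SSH session from SSH_CONNECTION (client, cport, server, sport)."""
    client, _, server, _ = ssh_connection.split()
    c, s = classify(client), classify(server)
    return c if c == s else f"mixed({c}->{s})"


if __name__ == "__main__":
    scopes = interface_scopes(IFCONFIG_OUTPUT)
    for a, scope in scopes.items():
        print(f"{scope:10} {a}")
    print("all three scopes present:", has_all_scopes(scopes))
    print("ssh session ran over:", ssh_session_scope(SSH_CONNECTION))
```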