On 05/23/2016 03:05 PM, James Knott wrote:
> On 05/23/2016 02:18 PM, Andrei Borzenkov wrote:
>> No idea. I do not even see it - it is actually double NAT (provider box gets private address as well).
>
> That's a killer. It's also an excellent example of why NAT is so bad and why IPv6 is essential. I currently get a /64 prefix from my ISP, though it may be increased later. That provides 2^64 addresses, so every IPv6-capable device I have gets a global unicast address and then some.

Sorry, I don't get this.

I agree with James about IPv6. I'm a Whitebeard who remembers when IPv4 was lightly populated and all connectivity was host-to-host and NAT-less, before Al Gore invented the Internet. [ Cue https://www.youtube.com/watch?v=y3KEhWTnWvE ]

NAT is a piece of ingenuity layered on what was originally a private non-routable subnet that was really for "internal testing". Yes, a distortion of intent, but also a display of ingenuity on the part of engineers and a gift to marketing. That it has delayed IPv6 is ... yes, I'll grant you, an 'evil'.

But pinging through, doing a traceroute through a NAT firewall works, provided, that is, you've configured it to allow that. I mean, heck, it *IS* a firewall and you can tell any firewall, even the ones that aren't NAT, even the host-layer ones, to filter out ICMP. Or not.

So assuming that Andrei has that capability turned off - that is, no filtering of ICMP - he should be able to ping and traceroute through a NAT. Yes, the NAT code will dick around with UDP and ICMP in curious ways and those curious ways will be different for each vendor, but all the versions I've come across have the capability to pass UDP and ICMP back and forth. Yes, there's a time window.

And stacking NAT? Well, a NAT doesn't care what is generating the UDP and ICMP. If it comes via another NAT router, then why should it care?

Here's the proof in the real world: I have a Netgear firewall. It's a NAT device. It has a series of ports in the back. Plugged into one of those ports is my Cisco/Linksys WRT53Gv2 wifi router. That's a NAT device as well. So when I traceroute/ping from my tablet over wifi through the double-NAT ... It works. It works because I have UDP and ICMP forwarding turned on in both cases.

Back in
Message-ID: <18437434-c801-6841-643c-15abc4480a6f@antonaylward.com>
Date: Mon, 23 May 2016 14:34:29 -0400
I suggested Andrei try a traceroute. OK, I forgot to mention making sure that his NATs had ICMP forwarding turned on.

Andrei, did you try that?

James, while I agree with you about IPv6 and the - unfortunately necessary - "evil" of NAT, please don't let your enthusiasm for IPv6 become a religious fervour that turns into a Reality Distortion Field. The world will flip over to IPv6 and the changeover will be sudden and dramatic, a true Rene Thom[1] 'catastrophe'. It has to happen. The only issue is "will it happen before the end of technological civilization in the next 4 years?"

[1] https://en.wikipedia.org/wiki/Ren%C3%A9_Thom

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?