Mailinglist Archive: opensuse (1826 mails)

< Previous Next >
Re: [opensuse] Moving to IPv6
  • From: James Knott <james.knott@xxxxxxxxxx>
  • Date: Thu, 09 Sep 2010 22:34:42 -0400
  • Message-id: <4C899942.7030006@xxxxxxxxxx>
Anton Aylward wrote:
James Knott said the following on 09/09/2010 04:50 PM:

Anton Aylward wrote:
Anders Johansson said the following on 09/09/2010 02:22 PM:

As I said to James, I don't really believe you think this, I suspect your
hatred for NAT has gotten the better of your choice of arguments

+1



Or perhaps our understanding of the implications of NAT cause us to
oppose it.

NAT is a hack that's used to get around the shortage of IP addresses and
in the process violates IP specs that addresses shouldn't be tampered
with and it also breaks some things.
How little you know abut history.
The original 'RFC1918 considered harmful" (actually "RFC 1627 - Network
10 Considered Harmful") dates from 1994. That's 26 years ago.

http://www.packetizer.com/rfc/rfc1918/
Please note that this is tagged as a "best current practice" and as
"Obsoletes: 1627, 1597"

However it replicates the wording of RFC1597 in many places.

Yes, there were panics about address exhaustion that long ago. And a
lot of other nonsense, if you recall, like running out of oil.


The justification for "Network 10" - what we now call NAT'ing, read:

<quote src="RFC1597, RFC1918">
Hosts within enterprises that use IP can be partitioned into three
categories:

- hosts that do not require access to hosts in other enterprises
or the Internet at large;

- hosts that need access to a limited set of outside services
(e.g., E-mail, FTP, netnews, remote login) which can be handled
by application layer gateways;

- hosts that need network layer access outside the enterprise
(provided via IP connectivity);

- hosts within the first category may use IP addresses that are
unambiguous within an enterprise, but may be ambiguous between
enterprises.

For many hosts in the second category an unrestricted external access
(provided via IP connectivity) may be unnecessary and even
undesirable for privacy/security reasons. Just like hosts within the
first category, such hosts may use IP addresses that are unambiguous
within an enterprise, but may be ambiguous between enterprises.

Only hosts in the last category require IP addresses that are
globally unambiguous.

Many applications require connectivity only within one enterprise and
do not even need external connectivity for the majority of internal
hosts. In larger enterprises it is often easy to identify a
substantial number of hosts using TCP/IP that do not need network
layer connectivity outside the enterprise.
</quote>

The case that Bob Moskowitz (http://htt-consult.com/bio.html) and others
made back then still has validity today. The issue isn't that "NAT
breaks the IP protocols" so much as there are situations where it
doesn't matter.

IPv6 may be a good thing, but this slagging of NAT is not necessary.
There are and there will continue to be good reasons or people to use NAT.

I will go so far as to predict that even with IPv6in place, there will
be something like "network 10" - private address spaces, and hence
something like NAT. Its just too convenient to have addresses that
cannot be - will not be - routed.

<quote>
An enterprise that decides to use IP addresses out of the address
space defined in this document can do so without any coordination
with IANA or an Internet registry. The address space can thus be
used by many enterprises. Addresses within this private address
space will only be unique within the enterprise.
</quote>

Its a pity that James' enthusiasm for IPv6 is matched by such
intolerance of the useful aspects of NAT and the conditions under which
"network 10" has been beneficial to corporations and individuals.

<quote>
In order to use private address space, an enterprise needs to
determine which hosts do not need to have network layer connectivity
outside the enterprise in the foreseeable future. Such hosts will be
called private hosts, and will use the private address space defined
above. Private hosts can communicate with all other hosts inside the
enterprise, both public and private. However, they cannot have IP
connectivity to any external host. While not having external network
layer connectivity private hosts can still have access to external
services via application layer relays.
</quote>

That's the kind of process that IT regularly performs. Risk Analysis
and Needs Analysis.

<quote>
4. Advantages and Disadvantages of Using Private Address Space

The obvious advantage of using private address space for the Internet
at large is to conserve the globally unique address space by not
using it where global uniqueness is not required.

Enterprises themselves also enjoy a number of benefits from their
usage of private address space: They gain a lot of flexibility in
network design by having more address space at their disposal than
they could obtain from the globally unique pool. This enables
operationally and administratively convenient addressing schemes as
well as easier growth paths.
</quote>

Well, lets face it, does you network printer really need to be "globally
connected"?


Please note: I am no denigrating IPv6 or saying that one _should_ use
NAT. Nor am I saying that NAT should be forced on organizations to
further (asymptotically) delay the exhaustion of the IPv4 address space.
I *am* saying that slagging NAT is not a good argument in favour of
IPv6. I am saying that blithely asserting that universal connectivity
is an argument or IPv6 ignores the reality of the needs of business and
of domestic users. I am saying that blithely asserting that you can
configure a firewall to allow domestic the benefits of NAT - that is
restricting universal connectivity - ignores the reality of how poorly
many firewalls are already configured and the lack of such expertise in
the domestic market.

"NAT breaks things". Yes. It was meant to. Lets make that quite
clear. RFCs 1597 and 1918 make that quite clear and are unambiguous
about the purpose and benefits

These links were provided earlier. Please read them.
http://www.cs.utk.edu/~moore/what-nats-break.html
http://www.faqs.org/rfcs/rfc1627.html
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

< Previous Next >
This Thread
Follow Ups