Re: [opensuse] DHCPv6-PD request
On 05/23/2016 03:05 PM, James Knott wrote:
On 05/23/2016 02:18 PM, Andrei Borzenkov wrote:
No idea. I do not even see it - it actually double NAT (provider box
gets private address as well).

That's a killer. It's also an excellent example of why NAT is so bad
and why IPv6 is essential. I currently get a /64 prefix from my ISP,
though it may be increased later. That provides 2^64 addresses, so
every IPv6 capable device I have gets a global unicast address and then

Sorry, I don't get this.

I agree James about IPv6. I'm a Whitebeard who remembers when IPv4 was
lightly populated and all connectivity was host-to-host and NAT-less,
before Al Gore invented the Internet.

[ Cue ]

NAT is a piece of ingenuity layered on what was originally a private
non-routable subnet that was really for "internal testing". Yes a
distortion of intent but also a display of ingenuity on the part of
engineers and a gift to marketing. That it has delayed IPv6 is ....
yes, I'll grant you, an 'evil'.

But pinging through, doing a traceroute through a NAT firewall works,
provided, that is, you've configured it to allow that. I mean, heck, it
*IS* a firewall and you can tell any firewall, even the ones that aren't
NAT, even the host-layer ones, to filter out ICMP. Or not.

So assuming that Andrei has that capability turned off - that is no
filtering of ICMP, he should be able to ping and traceroute through a NAT.

Yes, the NAT code will dick around with UDP and ICMP in curious ways and
those curious ways will be different for each vendor, but all the
versions I've come across have the capability to pass UDP and ICMP back
and forth. Yes there's a time window.

And stacking NAT?

Well a NAT doesn't care what is generating the UDP and ICMP. If it
comes via another NAT router, then why should it care?

Here's the proof in the real world:

I have a Netgear firewall. It's a NAT device. It has a series of ports
in the back. Plugged into one of those ports is my Cisco/Linksys
WRT53Gv2 wifi router. That's a NAT device as well. So when I
traceroute/ping from my tablet over wifi through the double-NAT ....

It works.

It works because I have UDP and ICMP forwarding turned on in both cases.

Back in
I suggested Andrei try a traceroute.
OK, I forgot to mention making sure that his NATs had ICMP forwarding
turned on.

Andrei, did you try that?

James, while I agree with you about IPv6 and the - unfortunately
necessary - "evil" of NAT, please don't let your enthusiasm for
IPv6 become a religious fervour that turns into a Reality Distortion Field.
The world will flip over to IPv6 and the changeover will be sudden and
dramatic, a true Rene Thom[1] 'catastrophe'. It has to happen.
The only issue is "will it happen before the end of technological
civilization in the next 4 years?"

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?

