Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Weaver]

I think it's our responsibility to put an end to NAT as it's a nightmare for application designers and simply was not part of the plan when older protocols were designed. If we collectively decide to drop NAT then future IPv6-only protocols will be able to start afresh, without this burden if carrying out NAT case research and outing various kludges into their code.

I can understand the attractions of NAT for protecting the sysadmin against the pain of network renumbering and issues with multiple ISPs, but I feel that PI space is the way and it should be made a lot easier, with ISPs being encouraged to support it. More research is urgently needed into how to mitigate the costs of using PI space in terms of bloating routing tables and complicating routing. If I remember correctly, AA are happy to support your PI space, think I read that somewhere.

[aesmith]

Routing table size is going to be the issue if every one goes PI, although in time that may not become an issue with updated kit etc.  The telecoms industry must have gone through something similar with number porting.   You're correct as well, A&A will announce PI addressing.

However, devils advocate asks what actually fails to work currently with NAT, and would not work with the much more straightforward IPv6 NAT?   I've come across a few cases where it's helpful for a front end server to have a native address, but those are individual border hosts not the end user clients.  I'm not convinced that the requirement for those border gateways would go away without NAT because some of this is to do with opening firewall ports dynamically.  (For example SIP early media needs protocol specific firewall support even without NAT).

I also note that in the recent past I've worked with two organisations that possessed Class A ranges and numbered their entire internal networks from those public address.  Neither of them routed direct from end users to the Internet without NAT.   I don't even know how it could work at that scale, in an organisation with probably thousands of separate Internet connections around the world.

[loonylion]

NAT also reduces attack profile and protects from ISPs deciding to charge per device using the connection.

[aesmith]

I would say security should not be an issue, any half decent stateful firewall will only permit valid replies to valid outbound connections, not really any different if the connections are NA/PAT or natively routed.  However I suppose you could say that concealing your internal address structure can't hurt.

[Weaver]

My comments were motivated by my thinking like a protocol designer (which I am, or used to be) having read about the struggles that the Microsoft instant messaging design team (Windows/MSN Messenger) had with NAT, and the similar struggles that Teredo has.

I fully sympathise with the concerns of sysadmins and the devil's advocates. It's a question of whom you love more, the software designers or network architects.

[Weaver]

I would encourage any kitizens who want to learn about this technology to try it out using the HE or SixXs tunnels. Or even Teredo, if you're using Windows. and of course, you could always choose an IPv6 ISP.

[aesmith]

It's a question of whom you love more, the software designers or network architects.

Funny you should mention MSN and Windows Messenger as we have mostly come across it when customers want it blocked from their network. This is actually quite difficult with a conventional firewall as the software doesn't use standard ports.  It wouldn't surprise me if it was designed to be difficult to block. 

[Chrysalis]

I am back on native ipv6 now, took some work on my router to get it working tho as sky use /56.

Also its not very sticky, even just a router reboot was enough for the ipv6 prefix to change not very good that sky are using dynamic ipv6 allocations.

The dynamic allocation may make me revert to my he tunnel as I cannot stand dynamic ip addressing.

[Weaver]

Why the bloody hell are Sky dynamically allocating prefixes? You can already have privacy addressing yourself within your subnet if you wish? Why make it impossible to write certain firewall rules, configure external systems properly, why break all existing TCP connections and cause data loss for no reason whenever the prefix jumps?

Sounds like they simply have no clue. I've never ever been with an ISP that uses dynamic addressing, don't need the admin grief and the unreliability. Ugh.

[Chrysalis]

Already sent email to a senior networking bod, as its ridicolous.

Spent last hour or so tho working on my router as I had to be exotic to get QoS working on ipv6.  First I had to get DHCP preservation working for ipv6 so I could get steady ipv6 allocations on my network which is a bit of a pain since its designed to use a OS generated UID instead of hardware MAC.  Then I had to take a look at ip6tables since asuswrt is not adding rules for MAC's on the upstream, so all my ipv6 traffic was same speed as my very low default setting limited to 1mbit/sec upload, which was strangling downloads as not enough bandwidth for ack's.  I have already modified the qos script to set appropriate downstream rules.

[phi2008]

Who did you contact? I recently e-mailed Ian Dickinson who has done presentations on Sky's IPv6 rollout, and he was nice enough to reply(fairly quickly).

[Chrysalis]

Mark Evans but I think Ian Dickinson would have been better as it looks like he is much involved in the ipv6 setup at sky.

[Weaver]

At least you are able to know the name of a human, not a bad sign

[Weaver]

[rant_at_Sky]
I simply couldn't get anything at all to even work like that as there's no way for me to change the IP addresses of hosts once the prefix has been advertised and the hosts have all picked their IP addresses based on it. I'd simply have to turn IPv6 off for good really quick. How are they even expecting anything to work ? Perhaps they are assuming that everyone has some kind of router with a dynamically varying NAT translator. AESmith uses IPv6 NAT, which is where he and I differ. It would still silently screw all your open TCP connections though, which is the nastiest of all possibilities. That's a bloody joke. Apologies for being so frank, but what a bunch of utter clowns.

Don't suppose they have attracted too many Cisco, Juniper or Firebrick router owners.[/rant_at_Sky]

I'll shut up now as you have no need to hear from me, I should think everyone can work it out for themselves. My apologies.

Sounds like there's going to be a lot of breakage when some ISPs roll out IPv6 this Autumn if clue==0

[Weaver]

No offence (to any Kitizen)  meant.