NAT-PT...why did they deprecate it?

drebo

NAT-PT seems like a very useful tool to promote IPv6 deployment. During my study for the new CCNP ROUTE exam, they mention (almost off-hand) that NAT-PT has been deprecated.

Why would they do that to such a useful protocol? I can see NAT-PT being much more useful to small-to-medium organizations than the various types of tunneling...for instance, NAT-PT would be useful in translating private IPv6 addresses into public IPv4 addresses in order to promote deployment internally while almost no ISPs offer native IPv6 connections. You'd get the difficult half out of the equation.

They mention in the book I'm reading that alternatives are "in development", but don't mention what any of them are. I don't understand why NAT-PT would be deprecated without a viable replacement.

Anyone have any insight to offer?
 

ScottMac

That never stopped Microsoft ...

(sorry, couldn't help myself ...)
 

alpineranger

How is Microsoft responsible for WEP and WPA?

Personally I'm underwhelmed by Cisco's commitment to IPv6 in the service provider space. I think the market demand wasn't there so development focus was shifted elsewhere. Unfortunately with DOCSIS 3 and new broadband deployments in a lot of overseas markets it's becoming a big issue.
 

RadiclDreamer

How is Microsoft responsible for WEP and WPA?

Personally I'm underwhelmed by Cisco's commitment to IPv6 in the service provider space. I think the market demand wasn't there so development focus was shifted elsewhere. Unfortunately with DOCSIS 3 and new broadband deployments in a lot of overseas markets it's becoming a big issue.

If you've ever followed Cisco they tend to do one of two things: watch the market and wait until they smell money and then they jump in headfirst and dominate, OR they blaze the trail and set "standards" that are many times hard to break out of. So the goal is to keep making you buy Cisco.
 

cmetz

drebo,

A somewhat official story is:

http://tools.ietf.org/html/rfc4966

The unofficial story is that there's a vocal set of IPv6 proponents who have decided that one of the reasons why we need IPv6 is because they believe that PAT is evil, or even that PAT doesn't work. (I guess that most of the production public Internet is just a big shared delusion) These folks have staked out a position where they feel the need to attack NAT/PAT techniques at every turn and claim that NAT/PAT techniques are inherently flawed, and that's why we *need* IPv6.

Because they believe that NAT/PAT is evil, many of them believe that NAT/PAT as a way to communicate between IPv4 and IPv6 is fundamentally evil too. So they really really don't want that solution, and have fought hard to squash it. NAT-PT and similar have all fallen to these folks' efforts. They've decided that IPv6 is the "solution" to the NAT/PAT "problem," so any IPv6 migration strategy that requires NAT/PAT is fundamentally opposed to the direction they want to go.

Unfortunately, that leaves us with basically no graceful IPv6 transition techniques, only dual-stack. I don't understand how that really works in the long run, because what it means is you can have an IPv4 address and IPv4 connectivity and be able to reach everywhere, but your IPv6 address and IPv6 connectivity only reaches a small subset of the network. In effect, IPv6 addresses and IPv6 connectivity are much less valuable.
 

drebo

Honestly, my feeling is that NAT and PAT are integral parts of network security, and even if I had a full /64 IPv6 subnet, I would STILL want to use NAT on my private network.

I'm of the opinion that IPv6 is grossly overengineered as it is, and that there needs to be as many tools as possible to facilitate a graceful transition. As it is, IPv6 is 10 years old and has almost 0 penetration in the US. It's also kind of stupid that they are only using 2000::/3 as global unique addresses...aren't artificial limitations like that part of the reason that IPv4 had problems before VLSM and NAT/PAT were made popular?
 

RadiclDreamer

Honestly, my feeling is that NAT and PAT are integral parts of network security, and even if I had a full /64 IPv6 subnet, I would STILL want to use NAT on my private network.

I'm of the opinion that IPv6 is grossly overengineered as it is, and that there needs to be as many tools as possible to facilitate a graceful transition. As it is, IPv6 is 10 years old and has almost 0 penetration in the US. It's also kind of stupid that they are only using 2000::/3 as global unique addresses...aren't artificial limitations like that part of the reason that IPv4 had problems before VLSM and NAT/PAT were made popular?

NAT/PAT is NOT a firewall, just remember that :)
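To make the point above concrete, here is an added example (constructed for this thread, not code from any poster or vendor): a toy PAT table whose inbound behaviour can be switched between the two filtering modes RFC 4787 defines. With endpoint-independent filtering, once an inside host has sent one packet out, any outside host can deliver traffic to the mapped public port; only the address-and-port-dependent mode behaves like a stateful firewall. The `Pat` class, function names and the addresses used are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Pat:
    """Toy PAT table (constructed model; not any vendor's implementation).

    `filtering` selects the inbound rule, in RFC 4787's terms:
      "endpoint-independent": a mapped public port accepts packets from ANY
        outside host once the inside host has sent something out.
      "address-port-dependent": only the outside endpoint the inside host
        actually contacted may send back (the firewall-like case).
    """
    public_ip: str
    filtering: str = "endpoint-independent"
    next_port: int = 40000
    # public (ip, port) -> (inside endpoint, outside endpoint it contacted)
    table: Dict[Endpoint, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Inside host sends to `remote`; allocate or reuse a public port."""
        for pub, (ins, rem) in self.table.items():
            if ins == inside and rem == remote:
                return pub
        pub = (self.public_ip, self.next_port)
        self.next_port += 1
        self.table[pub] = (inside, remote)
        return pub

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Outside packet arrives at `dst`; return the inside endpoint it is
        forwarded to, or None if the translator drops it."""
        entry = self.table.get(dst)
        if entry is None:
            return None  # no mapping: the only protection PAT itself gives
        inside, remote = entry
        if self.filtering == "endpoint-independent":
            return inside  # unsolicited source is forwarded regardless
        if self.filtering == "address-port-dependent" and src == remote:
            return inside
        return None


def unsolicited_reaches_inside(filtering: str) -> bool:
    """Does a third party's packet to a live mapping get forwarded inside?"""
    pat = Pat("203.0.113.1", filtering=filtering)  # constructed addresses
    inside, dns = ("10.0.0.5", 5000), ("198.51.100.9", 53)
    pub = pat.outbound(inside, dns)            # inside host sends a DNS query
    stranger = ("192.0.2.77", 4444)            # unrelated outside host
    return pat.inbound(stranger, pub) == inside
```

Whether a NAT box blocks unsolicited inbound traffic therefore depends on its filtering behaviour, which is a separate design choice from translation itself.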
 

zetsway

WEP and WPA are unrelated to MS, and WPA is actually very secure; it's WEP that has defective security.

I was using it to illustrate how many different technologies are insecure. Apparently, no one got that :)

WPA is insecure. It can be cracked just as easily as WEP. Now if we are referring to WPA2, well….that’s a different story.
 

taltamir

I was using it to illustrate how many different technologies are insecure. Apparently, no one got that :)

WPA is insecure. It can be cracked just as easily as WEP. Now if we are referring to WPA2, well….that’s a different story.

wikipedia said:
In November 2008 Erik Tews and Martin Beck - researchers at two German technical universities (TU Dresden and TU Darmstadt) - uncovered a WPA weakness[15] which relied on a previously known flaw in WEP that could be exploited only for the TKIP algorithm in WPA. The flaw can only decrypt short packets with mostly known contents, such as ARP messages, and 802.11e, which allows Quality of Service packet prioritization as defined. The flaw does not lead to key recovery, but only a keystream that encrypted a particular packet, and which can be reused as many as seven times to inject arbitrary data of the same packet length to a wireless client. For example, this allows someone to inject faked ARP packets which makes the victim send packets to the open Internet. This attack was further optimised by two Japanese computer scientists Toshihiro Ohigashi and Masakatu Morii.[16] They developed a way to break the stopgap WPA system that uses the Temporal Key Integrity Protocol (TKIP) algorithm, whereas WPA2 systems that use the stronger CCMP algorithm are not affected.[17] In October 2009, Halvorsen with others made further progress, enabling attackers to inject larger malicious packets (596 bytes, to be more specific) within approximately 18 minutes and 25 seconds.[18]
The vulnerabilities of TKIP are significant in that WPA-TKIP was, up until the proof-of-concept discovery, held to be an extremely safe combination. WPA-TKIP is still a configuration option upon a wide variety of wireless routing devices provided by many hardware vendors.
I stand corrected, I was wrong and you were right.