So will IPv6 have private addressing after all?

mammador

Platinum Member
Dec 9, 2010
well yeah, IPv6 has a beast of addresses but has the IEEE decided if private addressing or NAT will exist?

Gryz

Golden Member
Aug 28, 2010
It's not the IEEE that decides on TCP/IP stuff.
It's the IETF (Internet Engineering Task Force).

And then, I don't think it will be the IETF that gets to decide if there will be NAT66 (NAT between IPv6 and IPv6). If there is a company that makes a box that does NAT66, and does it in a transparent way, these boxes will be built and sold.

NAT44 was not an idea by the IETF. NAT44 was an idea of a small private company, called Network Translation Inc. They got bought by Cisco in 1995. Their product was called PIX. Cisco implemented NAT in their IOS. And so did a lot of other vendors. But there wasn't an RFC to describe it. The PIX existed before we had rfc1918.
http://en.wikipedia.org/wiki/Cisco_PIX#History

Here's a good article on why we might need NAT66. I agree.
http://blog.ioshints.info/2011/12/we-just-might-need-nat66.html

Oh, and it seems there are already IPv6 addresses that can be considered private addresses.
http://en.wikipedia.org/wiki/Unique_local_address

Edit:
And there is an RFC on NAT66: http://tools.ietf.org/html/rfc6296
And from googling a bit, it seems there are NAT66 implementations in JunOS and BSD. If so, then I bet there will be a lot more implementations in other boxes and OSs.

drebo

Diamond Member
Feb 24, 2006
NAT was pretty much a hack and has been deprecated for IPv6. I am not sad about that.

"small site multihoming" is a really bad reason to break the Internet.

m1ldslide1

Platinum Member
Feb 20, 2006
As someone who has had to learn a shit ton about NAT, I say good riddance. Unfortunately now we'll have to learn and maintain NAT64 and v6 tunneling techniques for years and years until native v6 is everywhere.

Gryz

Golden Member
Aug 28, 2010
You should note that what people usually call NAT in the IPv4 world is actually "Network Address Port Translation (NAPT)", also called PAT ("Port Address Translation"). In NAPT different ranges of IP addresses are mapped onto each other, and port numbers change.

The simplest form of NAT doesn't do that. It just maps a prefix of size X to another prefix of size X. This ensures that port numbers do not need to change. It also means that packets coming from the outside can be mapped to addresses on the inside, without any previous packets going out, and without manually configured mappings. In fact, a true simple NAT box can be completely stateless.

Multihoming is a problem. A problem for the routing system. And as IPv6 is in the network layer, that is the place to fix it. In the IPv4 global routing table there are 444K prefixes (and growing). That is a global entry for every 20 or so /24 prefixes. That is pretty bad summarization. If we want to do better in the IPv6 world, a proper solution for multi-homing would be very welcome.
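As an added illustration (not code from the thread), here is the stateless prefix-to-prefix mapping Gryz describes, done the checksum-neutral way that RFC 6296 (NPTv6) specifies for /48 prefixes: the prefix words are swapped and a constant one's complement adjustment is added to the subnet word, so transport checksums and port numbers need no rewriting and the box keeps no per-flow state. The prefixes and host address are constructed, and rejecting a subnet word of 0xFFFF is this example's simplification of the RFC's special handling of that value.

```python
"""Stateless, checksum-neutral IPv6 prefix translation in the style of RFC 6296 (NPTv6)."""
import ipaddress

INTERNAL_PREFIX = ipaddress.IPv6Network("fd01:2345:6789::/48")  # constructed ULA prefix inside
EXTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")      # constructed provider prefix (doc range)

def _words(addr):
    """Split a 128-bit address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def _from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))

def ones_complement_add(a, b):
    """16-bit one's complement addition with end-around carry, as in the TCP/UDP checksum."""
    s = a + b
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def ones_complement_sum(words):
    total = 0
    for w in words:
        total = ones_complement_add(total, w)
    return total

def address_checksum(addr):
    return ones_complement_sum(_words(addr))  # what an address contributes to a pseudo-header checksum

class NPTv6:
    """Maps one prefix onto another of the same length, keeping no per-flow state."""
    SUBNET_WORD = 3  # bits 48..63 absorb the adjustment (the /48 case in RFC 6296)

    def __init__(self, internal, external):
        if internal.prefixlen != external.prefixlen or internal.prefixlen % 16 or internal.prefixlen > 48:
            raise ValueError("example supports equal-length /16, /32 or /48 prefixes only")
        self.internal, self.external = internal, external
        self.nwords = internal.prefixlen // 16
        sum_int = ones_complement_sum(_words(internal.network_address)[:self.nwords])
        sum_ext = ones_complement_sum(_words(external.network_address)[:self.nwords])
        # Constant chosen so that sum_ext + adjustment == sum_int (one's complement arithmetic).
        self.adjustment = ones_complement_add(sum_int, ~sum_ext & 0xFFFF)

    def _translate(self, addr, src, dst, adjustment):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src:
            raise ValueError(f"{addr} is not inside {src}")
        words = _words(addr)
        words[:self.nwords] = _words(dst.network_address)[:self.nwords]
        new_subnet = ones_complement_add(words[self.SUBNET_WORD], adjustment)
        if new_subnet == 0xFFFF:  # assumption: reject; RFC 6296 reserves this value and treats it specially
            raise ValueError("subnet word would become 0xFFFF; choose another subnet")
        words[self.SUBNET_WORD] = new_subnet
        return _from_words(words)

    def outbound(self, addr):
        """Internal -> external: rewrite the source address of a packet leaving the site."""
        return self._translate(addr, self.internal, self.external, self.adjustment)

    def inbound(self, addr):
        """External -> internal: rewrite the destination of a packet entering the site."""
        return self._translate(addr, self.external, self.internal, ~self.adjustment & 0xFFFF)

if __name__ == "__main__":
    nat = NPTv6(INTERNAL_PREFIX, EXTERNAL_PREFIX)
    outside = nat.outbound("fd01:2345:6789:10::42")
    print(outside, nat.inbound(outside), address_checksum("fd01:2345:6789:10::42") == address_checksum(outside))
```

Because the one's complement sum of the whole address is unchanged by the rewrite, a TCP or UDP checksum computed over the IPv6 pseudo-header stays valid without the translator touching the transport layer.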

mammador

Platinum Member
Dec 9, 2010
NAT was pretty much a hack and has been deprecated for IPv6. I am not sad about that.

"small site multihoming" is a really bad reason to break the Internet.

So it's a reliance on firewalls, access control lists, etc?

I understand there is less need to conserve addressing space, but if all v6 addresses will be /64, this in itself is too large for any organisation. That's like trillions of nodes per organisation, who the fuck needs that many? lol..

There should be a function in which /80 or /96 subnets can be available. Even though this makes the number of subnets available huge too, that's preferable IMO over the alternative.

Pheran

Diamond Member
Apr 26, 2001
As Gryz pointed out, private space already exists in IPv6, it's called ULA. However, there's very little reason for most organizations to use it. IPv6 NAT is not something you want to inflict on yourself.

Mammador, all IPv6 subnets should be /64s with the possible exception of point-to-point links. Trying to use anything else will break a number of things, including address autoconfiguration. One benefit of /64s is that it pretty much makes it impossible for anyone to scan your address space, because it's so huge.

Red Squirrel

No Lifer
May 24, 2003
Sorry to bump an old thread but randomly stumbled on this in a search and thought I'd mention this.

One point of nat that is often forgotten is to create a private, fully controlled network. You can assign any IP to any machine, have as many IPs as you want etc...

If they don't have NAT, then you will be limited by your ISP as far as how many IPs they'll give you, and whether or not they are static. Imagine having to change all your IPs every time you reboot your modem. No, I'd rather have NAT and have 1 or 2 public IPs and the rest is local to me only. The security side of things can be fixed with a proper firewall, so that's not so much an issue. But it's the control. I'd rather have a 10.1.1.1/8 equivalent I can play with and do everything I want with, than get a public IP range that can change.

Supposedly ISPs will be handing out /64's, which is HUGE, but I don't count on them actually doing that. They'll hand you MAYBE 10 or so IPs, and you'll have to pay extra to get more.

So here's hoping they will have NAT for IPv6. I do like the idea of getting larger ranges of public IPs though, for situations where they are static.

theevilsharpie

Platinum Member
Nov 2, 2009
There will be no NAT66 for IPv6 for the foreseeable future. The primary purpose for NAT is to alleviate IP address exhaustion by allowing many machines to share a single IP, and the large size of a /64 network makes this band-aid unnecessary.

Your concern about ISPs not handing out /64s is unwarranted. A /64 is the smallest point-to-multipoint network supported by the IPv6 spec as well as the smallest network in which SLAAC will work, so an ISP would simply be creating a support headache for themselves if they tried to hand out anything smaller.

If you want to run a private network, ULA addresses are available for this purpose, and serve the same function as the RFC 1918 addresses do for IPv4. However, since NAT66 doesn't exist, your private machines won't be able to connect to the Internet.

drebo

Diamond Member
Feb 24, 2006
No, they'll assign /64s because that's what the standard says.

ISPs are generally given /32s with enterprises (and some smaller ISPs) getting /48s.

That means that ISPs have more than the IPv4 public scope worth of /64s to assign to customers.

And no one says that you couldn't subnet your assigned /64 further if you needed to.

There are "private" scopes set aside for IPv6 if you have a network that is not connected to the Internet.

But if your network is connected to the Internet, NAT is a terrible thing to inflict upon it. NAT provides no implicit security. Any security associated with "NAT routers" is provided by separate SPI firewall or some other filtering mechanism.

I can see a case for 1:1 NAT in IPv6, but even that breaks a number of protocols and shouldn't be used. PAT (what's most commonly referred to as NAT, or otherwise referred to as NAPT) is an abomination and should be shot and left for dead.

Mir96TA

Golden Member
Oct 21, 2002
There are "private" scopes set aside for IPv6 if you have a network that is not connected to the Internet.

But if your network is connected to the Internet, NAT is a terrible thing to inflict upon it. NAT provides no implicit security. Any security associated with "NAT routers" is provided by separate SPI firewall or some other filtering mechanism.

I can see a case for 1:1 NAT in IPv6, but even that breaks a number of protocols and shouldn't be used. PAT (what's most commonly referred to as NAT, or otherwise referred to as NAPT) is an abomination and should be shot and left for dead.

Link local is pretty much all the private address that can be desired.
Besides that there is no need for or even any advantage to private addresses.
I do think NAT is behind us.

kevnich2

Platinum Member
Apr 10, 2004
Link local is pretty much all the private address that can be desired.
Besides that there is no need for or even any advantage to private addresses.
I do think NAT is behind us.

Behind us once IPv6 is fully rolled out which I don't anticipate fully seeing for another 10 years or so. There's no single reason to use NAT with IPv6. NAT's purpose was to increase the number of computers an entity had so they didn't have to use publicly routable IP's for all computers. IPv6 has plenty of IP space for anything we may need.

Gryz

Golden Member
Aug 28, 2010
For the record, I agree with evilsharpie and drebo.
For the record, I disagree with evilsharpie, drebo and Pheran.

There's no single reason to use NAT with IPv6.
Yes there are.
Maybe we should call it "network address rewriting", or something. Not NAT. So the fundamentalist, short-sighted, less-clueful and biased people will not start religious wars.

NAT's purpose was to increase the number of computers an entity had so they didn't have to use publicly routable IP's for all computers.
The purpose of NAT was to make renumbering unnecessary when you hadn't used officially-acquired addresses, and later wanted to connect to the public Internet. This was in 1995-1996.
Later NAT evolved into PAT. And then we could get 1:N translation and save on the amount of public addresses needed.

IPv6 has plenty of IP space for anything we may need.
People always think that the only problem is the amount of available addresses. IPv4 and IPv6 are network-layer addresses. The addresses are not just an identifier. They are a locator too. That causes a lot of problems. People were aware of these problems in 1990. IPv6 could have solved those problem. But the folks who developed IPv6 chose to ignore these problems. (They were not the same folks who developed IPv4).

People have argued for identifier/locator separation in IPv6 since Mike O'Dell's 8+8 proposal from 1996. The IETF and the IAB now wish we would have identifier/locator separation. Address rewriting is one way to achieve this. But it would be a great help if layer-4+ protocols would be aware.

The benefits ?
1) Easier renumbering. In fact, you don't need to renumber your internal networks anymore. You only need to reconfigure your public ip-prefixes on your border-routers, at the edge of your network.

2) Proper multi-homing. (And better load-balancing). When you are multi-homed to 2 ISPs, you get 2 prefixes. Packets get rewritten, so they use the ISP-given prefix when leaving your network. Return traffic will automatically return on the symmetric path.

3) Better support for mobility.
This does not only mean phones, laptops and other mobile devices. If layer-4+ protocols are aware, you could have mobility (= address changes) while existing connections persist. So you could move hosts (like VMs in a virtualized environment) around, off their own subnet, while maintaining connections.

4) Smaller routing tables in the default-free zone on the Internet.
If you do proper multi-homing with address-rewrites, every multi-homed site can use address-space from their provider (and not provider-independent addresses). Those prefixes can be summarized by the ISP. In an ideal world, every ISP will announce only 1 prefix. And those could be summarized by tier-1/transit-providers, without losing multi-homing for those ISPs. This cannot be done without address-rewriting, in IPv6 nor IPv4. Besides smaller tables, we'd also get fewer flaps.

This can be done with simple 1:1 NAT. But you'd still have some problems, e.g. with DNS. And your changes will reset TCP connections. Therefore, it needs to be included in the overall architecture. I think this can still be done, as atm IPv6 is still mostly a toy-technology (as opposed to a production-technology).

There's been lots of research, proposals, drafts, RFCs, etc about this issue. I have no idea if it will happen. (The people who champion IPv6 the most, seem to be the most clueless about routing).

If you wanna learn more about locator/identifier separation, there is a load of information here:
http://ilnp.cs.st-andrews.ac.uk/

Mir96TA

Golden Member
Oct 21, 2002
Behind us once IPv6 is fully rolled out which I don't anticipate fully seeing for another 10 years or so. There's no single reason to use NAT with IPv6. NAT's purpose was to increase the number of computers an entity had so they didn't have to use publicly routable IP's for all computers. IPv6 has plenty of IP space for anything we may need.

One of the BIG selling points of IPv6 was "No need for NAT (PT)".
Have enough IP addresses even for ants!
Nonetheless NAT was/is state of the art technology.
Before PIX became part of CISCO, I tried port address forwarding by using a LinX box (firewall) and failed miserably. After two weeks of feeling, I told myself, I am a fool in the rain.
Then CISCO did the MASS announcement; I thought it was/is the best thing after the invention of the wheel.
Yes NAT can induce strange IPsec and packet abomination issues....... but that is the FUN of the GAME

Mushkins

Golden Member
Feb 11, 2013
Sorry to bump an old thread but randomly stumbled on this in a search and thought I'd mention this.

One point of nat that is often forgotten is to create a private, fully controlled network. You can assign any IP to any machine, have as many IPs as you want etc...

If they don't have NAT, then you will be limited by your ISP as far as how many IPs they'll give you, and whether or not they are static. Imagine having to change all your IPs every time you reboot your modem. No, I'd rather have NAT and have 1 or 2 public IPs and the rest is local to me only. The security side of things can be fixed with a proper firewall, so that's not so much an issue. But it's the control. I'd rather have a 10.1.1.1/8 equivalent I can play with and do everything I want with, than get a public IP range that can change.

Supposedly ISPs will be handing out /64's, which is HUGE, but I don't count on them actually doing that. They'll hand you MAYBE 10 or so IPs, and you'll have to pay extra to get more.

So here's hoping they will have NAT for IPv6. I do like the idea of getting larger ranges of public IPs though, for situations where they are static.

Definitely some valid concerns here, especially for anyone who cares about static IP addressing outside of a business setting. I don't care if the IP address of my smartphone changes daily, but if my home LAN starts rearranging itself whenever my ISP feels like shaking things up, it's going to break all sorts of things I use regularly (remote access to network resources, FTP, private game servers, etc). There's no way I'm going to pay extra fees for them not to bork my network, I'm just going to keep running IPv4 with NAT internally and let my router translate externally as necessary like it already does, at least until it dies and they stop making routers with that feature :D

Not to mention trying to remember IPv6 addressing in a support setting :\ Better start taking exceptionally good notes I guess. "Type ipconfig /all and read off the gigantic awkward alphanumeric string to me without any errors please! Now type ping 2001:0db8:85a3:0000:0000:8a2e:0370:7334..."

Red Squirrel

No Lifer
May 24, 2003
Definitely some valid concerns here, especially for anyone who cares about static IP addressing outside of a business setting. I don't care if the IP address of my smartphone changes daily, but if my home LAN starts rearranging itself whenever my ISP feels like shaking things up, it's going to break all sorts of things I use regularly (remote access to network resources, FTP, private game servers, etc). There's no way I'm going to pay extra fees for them not to bork my network, I'm just going to keep running IPv4 with NAT internally and let my router translate externally as necessary like it already does, at least until it dies and they stop making routers with that feature :D

Not to mention trying to remember IPv6 addressing in a support setting :\ Better start taking exceptionally good notes I guess. "Type ipconfig /all and read off the gigantic awkward alphanumeric string to me without any errors please! Now type ping 2001:0db8:85a3:0000:0000:8a2e:0370:7334..."

Yes that's exactly my main concern and it's a pretty big one. So many people seem to not understand this.

For a long time we'll probably have external IPv6 with internal IPv4, but it would be nice to just go full IPv6 to finally be up to date with the times, but they need to fix this problem. Another issue is reverse DNS. At home, I can change reverse DNS to my heart's desire because the IPs are private and owned by me (within my own network). With public IPs I'd probably have to pay extra money to have access to do that.

Gryz

Golden Member
Aug 28, 2010
... but if my home LAN starts rearranging itself whenever my ISP feels like shaking things up, it's going to break all sorts of things I use regularly (remote access to network resources, FTP, private game servers, etc).
There is this thing called DNS.
It allows you to use names instead of numbers.
My ISP allows its customers to configure a name for their home IP address. So you can always use ssh, ftp, sftp, or whatever protocol you want to connect to your home machine(s). Via a static name. There is no need for static addresses. (Still, you don't want IP addresses to change too often, because DNS takes some time to update (although this can be fixed by changing TTLs in advance)).

For a long time we'll probably have external IPv6 with internal IPv4
The funny thing is, I see network designers who suggest that the best way to build a new data-center is to build it IPv6 inside, and then do NAT64 on your links to the Internet. The exact opposite way of how you want to run your network.

Personally I think it's gonna take a long time before we see a substantial amount of IPv6 traffic. If ever. If people would want to enhance IPv6 to have identifier/locator separation, better mobility, better multi-homing support, etc, then maybe there would be an incentive for ISPs and businesses to start using IPv6.

mammador

Platinum Member
Dec 9, 2010
No, they'll assign /64s because that's what the standard says.

ISPs are generally given /32s with enterprises (and some smaller ISPs) getting /48s.

That means that ISPs have more than the IPv4 public scope worth of /64s to assign to customers.

And no one says that you couldn't subnet your assigned /64 further if you needed to.

There are "private" scopes set aside for IPv6 if you have a network that is not connected to the Internet.

But if your network is connected to the Internet, NAT is a terrible thing to inflict upon it. NAT provides no implicit security. Any security associated with "NAT routers" is provided by separate SPI firewall or some other filtering mechanism.

I can see a case for 1:1 NAT in IPv6, but even that breaks a number of protocols and shouldn't be used. PAT (what's most commonly referred to as NAT, or otherwise referred to as NAPT) is an abomination and should be shot and left for dead.

/64 is simply too large a subnet for practical use. There is scalability, granted, but that is really taking the piss in IPv6. What if one is a micro-enterprise with only 10 employees, is a /64 even necessary? Even for a large multi-national such as Coca-Cola or Nissan, a /64 is way more than one can feasibly project. Similar applies to home users. Though a homeowner may have to live until s/he is 10,000 to acquire all IP nodes to fill a /64 address.

There should be an option for company size. If Nissan wants a /64 for all of its offices, so be it, let it apply to the Japanese registry. It doesn't mean all other companies should.

mammador

Platinum Member
Dec 9, 2010
There will be no NAT66 for IPv6 for the foreseeable future. The primary purpose for NAT is to alleviate IP address exhaustion by allowing many machines to share a single IP, and the large size of a /64 network makes this band-aid unnecessary.

Your concern about ISPs not handing out /64s is unwarranted. A /64 is the smallest point-to-multipoint network supported by the IPv6 spec as well as the smallest network in which SLAAC will work, so an ISP would simply be creating a support headache for themselves if they tried to hand out anything smaller.

If you want to run a private network, ULA addresses are available for this purpose, and serve the same function as the RFC 1918 addresses do for IPv4. However, since NAT66 doesn't exist, your private machines won't be able to connect to the Internet.

I agree there is no need to conserve addressing space, which was the major requirement for IPv4 NAT.

I just don't want Joe Internet user in China to know of all hosts behind the firewall. Yes, the firewall itself can prevent intrusion, but why should Joe in China know how many desktops or laptops I have, or how many network cameras I have installed?

Pheran

Diamond Member
Apr 26, 2001
/64 is simply too large a subnet for practical use. There is scalability, granted, but that is really taking the piss in IPv6. What if one is a micro-enterprise with only 10 employees, is a /64 even necessary? Even for a large multi-national such as Coca-Cola or Nissan, a /64 is way more than one can feasibly project. Similar applies to home users. Though a homeowner may have to live until s/he is 10,000 to acquire all IP nodes to fill a /64 address.

There should be an option for company size. If Nissan wants a /64 for all of its offices, so be it, let it apply to the Japanese registry. It doesn't mean all other companies should.

No it isn't. The /64 is the standard IPv6 subnet size. As has already been stated, not using /64 will break multiple things. How many addresses you actually use within a subnet is irrelevant. In fact, the sparsely populated space works to help protect you from scanning. There is absolutely no reason to use anything other than /64 on a multipoint IPv6 network.

Direct quote from RFC 5375:

An important part of an IPv4 addressing plan is deciding the length of each subnet prefix. Unlike in IPv4, the IPv6 addressing architecture [RFC4291] specifies that all subnets using Globally Unique Addresses and ULAs always have the same prefix length of 64 bits.