[colug-432] IPv6
Rick Troth
rmt at casita.net
Fri Nov 22 11:58:06 EST 2013
A comment about NAT when learning IPv6.
Long soggy saga about how I tried for years to get V6 connectivity. Russ
turned me on to SixXS (tunnel broker). I also use HE (another tunnel
broker). Have "native" V6 now for one server, but most are still
tunneled. Works.
When I finally got connected, the first tunnel was flying. Awesome! I
was then trying to figure out how to get the other boxes on my LAN
safely into the IPv6 game. I was looking for a V6 equivalent of the
N-to-1 NAT which my firewall/router provided.
Stop looking. I did. Life got easier.
It took a couple weeks for the light to dawn on me. I went from N-to-1
NAT as a fact of life (even desirable) to "Rick hates NAT". You don't
have to be a hater like me, but I hope you'll come to value the absence
of gNATs in IPv6 world.
The original design of the internet was for unique addressability and
for one-to-one connectivity. The addresses reserved for N-to-1 NAT
(first in RFC 1597, then in RFC 1918) were culled before they got
allocated. It was the early 90s and we were running out of room even
then. The proliferation of N-to-1 NAT destroyed the unique
addressability. We have to play tricks because we no longer have
one-to-one connectivity.
IPv6 restores the one-to-one function.
Most people mistake N-to-1 NAT for a security feature. It's not. This was
presented playfully in a YouTube video that I share when I pitch IPv6.
http://www.youtube.com/watch?v=v26BAlfWBm8
We've been doing N-to-1 NAT so long that we're blind to the ridiculous
machinations we go through to support it. (e.g. port mapping, but
numerous other things)
You /can/ still do NAT in IPv6, but you no longer /have to/. And it's
usually N-to-N. But I have yet to encounter even N-to-N being done for V6.
Security is offered by your firewall. You don't need NAT for security,
just a stateful firewall with half a brain. If your firewall and/or
router is brainless, you can at least control the routing so that
at-risk systems on your LAN simply do not connect with the outside world.
Long rant, but I hope it helps.
-- R; <><
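The "stateful firewall with half a brain" that Rick describes as the replacement for NAT, and the fallback of keeping at-risk hosts off the routed path, as an added example that is not part of the post above: an nftables ruleset for a Linux box acting as the IPv6 router for a LAN. Everything concrete in it is assumed for illustration: the WAN interface name "he-ipv6" (a tunnel-broker interface), the LAN interface "eth1", the 2001:db8:1::/64 prefix (the RFC 3849 documentation range, not a routable allocation), the two "at-risk" addresses and the one host that is deliberately reachable from outside.

```nft
#!/usr/sbin/nft -f
# Stateful IPv6 firewall for a LAN router, without any NAT.
# Assumed names and prefixes; substitute your own before loading.
flush ruleset

define wan = "he-ipv6"              # tunnel-broker or native uplink (assumed)
define lan = "eth1"                 # inside interface (assumed)
define lan_prefix = 2001:db8:1::/64 # delegated /64 (documentation prefix, assumed)

table ip6 filter {
    # Hosts that must not talk to the outside world at all, in either
    # direction. This is the "control the routing" fallback from the post:
    # the firewall simply refuses to forward for them.
    set at_risk {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:1::10, 2001:db8:1:0:2::/80 }   # assumed examples
    }

    # Traffic to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # ICMPv6 that IPv6 cannot function without: neighbour and router
        # discovery, Path MTU discovery, and error reporting (RFC 4890).
        # Dropping these "for security" is the classic way to break IPv6.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        icmpv6 type echo-request limit rate 10/second accept

        # Services the router offers to the LAN side only (assumed: ssh, DNS, DHCPv6).
        iif $lan tcp dport 22 accept
        iif $lan udp dport { 53, 547 } accept
    }

    # Traffic routed between LAN and WAN. This chain is what N-to-1 NAT
    # used to do by accident: outbound connections are allowed, and only
    # their replies come back in.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept

        # At-risk hosts are cut off from the outside in both directions.
        ip6 saddr @at_risk drop
        ip6 daddr @at_risk drop

        # Errors and PMTU information for forwarded flows must pass through.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # LAN hosts may open new connections outward, but only from our
        # own prefix (stops spoofed source addresses leaving the LAN).
        iif $lan oif $wan ip6 saddr $lan_prefix ct state new accept

        # Inbound connections are opt-in per host and port. No port mapping:
        # the host's real, globally unique address is the target.
        iif $wan oif $lan ip6 daddr 2001:db8:1::80 tcp dport { 80, 443 } ct state new accept
    }
}
```

Load it with `nft -f /etc/nftables.conf` and confirm with `nft list ruleset`. The point to check before calling the policy done: from an outside host, a new TCP connection to any LAN address other than 2001:db8:1::80 should time out, while `ping6` and PMTU discovery from inside still work. If large transfers stall after the rules go in, the packet-too-big line is the first thing to look at, not the address plan.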