Re: IPv6 uptake

[Tom Beecher <beecher () beecher cc>]

> I'm not going to participate in the security conversation, but we do
> absolutely need something to fill the role of NAT in v6. If it's already
> there or not, I don't know. Use case: Joe's Taco Shop. Joe doesn't want a
> down Internet connection to prevent transactions from completing, so he
> purchases two diverse broadband connections, say a cable connection and a
> DSL connection. When ISP fails, traffic will have to exit ISP B. He's not
> getting a /48, LOA, BGP, etc. to do it on his own, he's just going to do
> simple NAT.


If you are asserting that the business is just taking the
dynamic allocations from ISP A and ISP B, and NAT'ing internal stuff to
those , then sure, that works, until ISP A goes down, and the NAT device
must detect that so it no longer uses those addresses until it comes back
up. Which is of course doable, but is no longer 'simple' NAT.

On Mon, Feb 19, 2024 at 9:53 AM Mike Hammett <nanog () ics-il net> wrote:

> "We can seriously lose NAT for v6 and not lose
> anything of worth."
>
> I'm not going to participate in the security conversation, but we do
> absolutely need something to fill the role of NAT in v6. If it's already
> there or not, I don't know. Use case: Joe's Taco Shop. Joe doesn't want a
> down Internet connection to prevent transactions from completing, so he
> purchases two diverse broadband connections, say a cable connection and a
> DSL connection. When ISP fails, traffic will have to exit ISP B. He's not
> getting a /48, LOA, BGP, etc. to do it on his own, he's just going to do
> simple NAT.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------
> *From: *"Michael Thomas" <mike () mtcc com>
> *To: *nanog () nanog org
> *Sent: *Saturday, February 17, 2024 12:50:46 PM
> *Subject: *Re: IPv6 uptake
>
>
> On 2/17/24 10:26 AM, Owen DeLong via NANOG wrote:
> > > On Feb 16, 2024, at 14:20, Jay R. Ashworth <jra () baylink com> wrote:
> > >
> > > ----- Original Message -----
> > > > From: "Justin Streiner" <streinerj () gmail com>
> > > > 4. Getting people to unlearn the "NAT=Security" mindset that we were
> forced
> > > > to accept in the v4 world.
> > > NAT doesn't "equal" security.
> > >
> > > But it is certainly a *component* of security, placing control of what
> internal
> > > nodes are accessible from the outside in the hands of the people inside.
> > Uh, no… no it is not. Stateful inspection (which the kind of NAT
> (actually NAPT) you are assuming here depends on) is a component of
> security. You can do stateful inspection without mutilating the header and
> have all the same security benefits without losing or complicating the
> audit trail.
>
> Exactly. As I said elsewhere, the security properties of NAT were a
> post-hoc rationalization. In the mean time, it has taken on its own life
> as if not NAT'ing (but still having stateful firewalls) would end the
> known security universe. We can seriously lose NAT for v6 and not lose
> anything of worth.
>
> Mike