nanog mailing list archives

Re: Rate of growth on IPv6 not fast enough?

From: Leen Besselink <leen () consolejunkie net>
Date: Tue, 20 Apr 2010 22:31:46 +0200

On 04/20/2010 09:31 PM, Roger Marquis wrote:

Jack Bates wrote:
.01%? heh. NAT can break xbox, ps3, certain pc games, screw with various
programs that dislike multiple connections from a single IP, and the
crap load of vpn clients that appear on the network and do not support
nat traversal (either doesn't support it, or big corp A refuses to
enable it).
If this were really an issue I'd expect my nieces and nephews, all ofwhom are biggame players, would have mentioned it. They haven't though, despitebeing behind
cheap NATing CPE from D-Link and Netgear.
Address conservation aside, the main selling point of NAT is itsfiltering of inboundsession requests. NAT _always_ fails-closed by forcing inboundconnections to passvalidation by stateful inspection. Without this you'd have to dependon lessreliable (fail-open) mechanisms and streams could be initiated fromthe Internet atlarge. In theory you could enforce fail-closed reliably without NAT,but the ruleswould have to be more complex and complexity is the enemy ofsecurity. Worse, if

As others have mentioned on the list, this is wrong. NAT is the one thatmakes things

much more complicated in fact. And even NAT can be tricked.

But I do have a question:

Do you think TCP-port 53 for DNS are only used for domain-name transfers ?

non-NATed CPE didn't do adequate session validation, inspection, andtracking, aslow-end gear might be expected to cut corners on, end-user networkswould be more
exposed to nefarious outside-initiated streams.
Arguments against NAT uniformly fail to give credit to these securityconsiderations,which is a large reason the market has not taken IPv6 seriouslyto-date. Even in bigbusiness, CISOs are able to shoot-down netops recommendations for 1:1address mappingwith ease (not that vocal NAT opponents get jobs where internalsecurity is a
concern).

IMO,
Roger Marquis

Current thread:

Re: Rate of growth on IPv6 not fast enough?, (continued)
- - - Re: Rate of growth on IPv6 not fast enough? joel jaeggli (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Owen DeLong (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Mark Andrews (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Karl Auer (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? joel jaeggli (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? William Herrin (Apr 21)
    - Re: Rate of growth on IPv6 not fast enough? Mark Smith (Apr 29)
    - Re: Rate of growth on IPv6 not fast enough? isabel dias (Apr 29)
    - Re: Rate of growth on IPv6 not fast enough? William Herrin (Apr 29)
    - Re: Rate of growth on IPv6 not fast enough? Valdis . Kletnieks (Apr 29)
  - Re: Rate of growth on IPv6 not fast enough? Leen Besselink (Apr 20)
  - Re: Rate of growth on IPv6 not fast enough? Jack Bates (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Simon Perreault (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Jack Bates (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Valdis . Kletnieks (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Jack Bates (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Chris Adams (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Mikael Abrahamsson (Apr 20)
    - Re: Rate of growth on IPv6 not fast enough? Chris Adams (Apr 20)
- Re: Rate of growth on IPv6 not fast enough? Roger Marquis (Apr 20)
  - Re: Rate of growth on IPv6 not fast enough? Jack Bates (Apr 20)

(Thread continues...)