nanog mailing list archives
Re: Rate of growth on IPv6 not fast enough?
From: Leen Besselink <leen () consolejunkie net>
Date: Tue, 20 Apr 2010 22:31:46 +0200
On 04/20/2010 09:31 PM, Roger Marquis wrote:
> Jack Bates wrote:
>> .01%? heh. NAT can break xbox, ps3, certain pc games, screw with various programs that dislike multiple connections from a single IP, and the crap load of vpn clients that appear on the network and do not support nat traversal (either doesn't support it, or big corp A refuses to enable it).
>
> If this were really an issue I'd expect my nieces and nephews, all of whom are big game players, would have mentioned it. They haven't though, despite being behind cheap NATing CPE from D-Link and Netgear.
>
> Address conservation aside, the main selling point of NAT is its filtering of inbound session requests. NAT _always_ fails-closed by forcing inbound connections to pass validation by stateful inspection. Without this you'd have to depend on less reliable (fail-open) mechanisms and streams could be initiated from the Internet at large. In theory you could enforce fail-closed reliably without NAT, but the rules would have to be more complex and complexity is the enemy of security. Worse, if

As others have mentioned on the list, this is wrong. NAT is the one that makes things much more complicated in fact. And even NAT can be tricked. But I do have a question: Do you think TCP-port 53 for DNS is only used for domain-name transfers?

> non-NATed CPE didn't do adequate session validation, inspection, and tracking, as low-end gear might be expected to cut corners on, end-user networks would be more exposed to nefarious outside-initiated streams.
>
> Arguments against NAT uniformly fail to give credit to these security considerations, which is a large reason the market has not taken IPv6 seriously to-date. Even in big business, CISOs are able to shoot-down netops recommendations for 1:1 address mapping with ease (not that vocal NAT opponents get jobs where internal security is a concern).
>
> IMO,
> Roger Marquis