| 1 |
On 03/11/2013 12:00 AM, Walter Dnes wrote: |
| 2 |
> On Sun, Mar 10, 2013 at 05:07:25PM -0400, Michael Mol wrote |
| 3 |
> |
| 4 |
>> NAT behind a home router is bad, too. For IPv4, it's only necessary |
| 5 |
>> because there aren't enough IPv4 addresses to let everyone have a unique |
| 6 |
>> one. |
| 7 |
> |
| 8 |
> The best real reason for moving to IPV6 is address space (or lack |
| 9 |
> thereof, in the case of IPV4). The people who are truly interested in |
| 10 |
> speeding up IPV6 adoption should do their best to shut up the internet |
| 11 |
> hippies who constantly rant and rave about how "NAT is evil". Don't let |
| 12 |
> the cause get distracted by that unrelated issue. Focus on the core |
| 13 |
> issue. |
| 14 |
|
| 15 |
They're two sides of the same coin. If NAT wasn't such a problem, |
| 16 |
layering RFC1918 address space would solve most of the address space |
| 17 |
problems. The address space crunch remains a technical problem largely |
| 18 |
because NAT can't solve it to completion. |
| 19 |
|
| 20 |
NAT forces a distinction between 'client' and 'server', breaking the |
| 21 |
'peer' nature of the network. This isn't some hippy egalitarian thing, |
| 22 |
it means I can't trivially tell my VPS to connect to a backup target on |
| 23 |
a different network without setting up either a tunnel or a port |
| 24 |
forward. With IPv6, doing this is so brain-dead easy I never want to be |
| 25 |
without it again. Once you've experienced IPv6 and appropriate network |
| 26 |
firewalls, along with the ease of connecting to your own machines from |
| 27 |
anywhere you want without having to bounce through a third-party |
| 28 |
management service like Teamviewer, you never want to go back. It's like |
| 29 |
discovering you've been holding a pencil wrong all your life, or like |
| 30 |
discovering a better way to tie your shoes; the solution is simple, |
| 31 |
elegant and surprisingly productive. NAT is like tying your shoes wrong; |
| 32 |
you don't know how much of a problem it is until you experience life |
| 33 |
without it. |
| 34 |
|
| 35 |
And even once you get people comfortable with deploying IPv6, they still |
| 36 |
want to hold on to NAT; it's like a stubborn stain on their minds. |
| 37 |
|
| 38 |
It's important to explain that NAT isn't a security measure. In order to |
| 39 |
operate, it requires what amounts to a stateful firewall...but that |
| 40 |
doesn't mean that a stateful firewall is difficult to obtain without |
| 41 |
NAT. People have grown so accustomed to the presence of NAT and NAT's |
| 42 |
inherent implications on inbound traffic that they wind up conflating |
| 43 |
the two in their minds, making actual understanding of their network's |
| 44 |
security that much more difficult to comprehend. So, yeah, NAT is evil. |
| 45 |
|
| 46 |
Looking for privacy in your addresses? That's what privacy extensions |
| 47 |
are for, and they're enabled by default on Windows and Ubuntu. (I |
| 48 |
haven't looked on Gentoo...) |
| 49 |
|
| 50 |
The only reasonably valid use case for NAT that I've seen is for dealing |
| 51 |
with the question of multi-homing an office with two internet |
| 52 |
connections. The idea is that you don't have to renumber your internal |
| 53 |
network if you need to switch from your primary connection to your |
| 54 |
backup connection (and you're being granted different IP ranges based on |
| 55 |
which connection you're working with...so we're talking small business, |
| 56 |
not BGP or multilink with the same ISP). |
| 57 |
|
| 58 |
In those cases, I advocate application-layer gateways; chances are, if |
| 59 |
you're investing in multi-homing your office, you probably already want |
| 60 |
the kind of administrative power (and performance improvements) proxy |
| 61 |
servers can offer you. |
| 62 |
|
| 63 |
The IPv4 address crunch triggered the development of DNAT a couple |
| 64 |
decades ago, and the silly thing persists in terrible ways when there |
| 65 |
are simpler ways to handle things. (When I say 'simpler', I mean: Don't |
| 66 |
break assumptions about basic network behavior such as 'don't mangle my |
| 67 |
packets' or 'I can open a connection back to him when I have updates he |
| 68 |
needs') |
Archives