On 03/11/2013 12:00 AM, Walter Dnes wrote:
> On Sun, Mar 10, 2013 at 05:07:25PM -0400, Michael Mol wrote
>
>> NAT behind a home router is bad, too. For IPv4, it's only necessary
>> because there aren't enough IPv4 addresses to let everyone have a unique
>> one.
>
> The best real reason for moving to IPV6 is address space (or lack
> thereof, in the case of IPV4). The people who are truly interested in
> speeding up IPV6 adoption should do their best to shut up the internet
> hippies who constantly rant and rave about how "NAT is evil". Don't let
> the cause get distracted by that unrelated issue. Focus on the core
> issue.

They're two sides of the same coin. If NAT wasn't such a problem,
layering RFC1918 address space would solve most of the address space
problems. The address space crunch remains a technical problem largely
because NAT can't solve it to completion.

NAT forces a distinction between 'client' and 'server', breaking the
'peer' nature of the network. This isn't some hippy egalitarian thing;
it means I can't trivially tell my VPS to connect to a backup target on
a different network without setting up either a tunnel or a port
forward. With IPv6, doing this is so brain-dead easy I never want to be
without it again. Once you've experienced IPv6 and appropriate network
firewalls, along with the ease of connecting to your own machines from
anywhere you want without having to bounce through a third-party
management service like Teamviewer, you never want to go back. It's like
discovering you've been holding a pencil wrong all your life, or like
discovering a better way to tie your shoes; the solution is simple,
elegant and surprisingly productive. NAT is like tying your shoes wrong;
you don't know how much of a problem it is until you experience life
without it.

And even once you get people comfortable with deploying IPv6, they still
want to hold on to NAT; it's like a stubborn stain on their minds.

It's important to explain that NAT isn't a security measure. In order to
operate, it requires what amounts to a stateful firewall...but that
doesn't mean that a stateful firewall is difficult to obtain without
NAT. People have grown so accustomed to the presence of NAT and NAT's
inherent implications on inbound traffic that they wind up conflating
the two in their minds, making actual understanding of their network's
security that much more difficult to comprehend. So, yeah, NAT is evil.

Looking for privacy in your addresses? That's what privacy extensions
are for, and they're enabled by default on Windows and Ubuntu. (I
haven't looked on Gentoo...)

The only reasonably valid use case for NAT that I've seen is for dealing
with the question of multi-homing an office with two internet
connections. The idea is that you don't have to renumber your internal
network if you need to switch from your primary connection to your
backup connection (and you're being granted different IP ranges based on
which connection you're working with...so we're talking small business,
not BGP or multilink with the same ISP).

In those cases, I advocate application-layer gateways; chances are, if
you're investing in multi-homing your office, you probably already want
the kind of administrative power (and performance improvements) proxy
servers can offer you.

The IPv4 address crunch triggered the development of DNAT a couple
decades ago, and the silly thing persists in terrible ways when there
are simpler ways to handle things. (When I say 'simpler', I mean: Don't
break assumptions about basic network behavior such as 'don't mangle my
packets' or 'I can open a connection back to him when I have updates he
needs')
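As an added example (not part of this thread and not the poster's own configuration): the "stateful firewall without NAT" that the message describes, written as an nftables ruleset for a Linux router that forwards a globally routed IPv6 prefix to its LAN. It shows the two points the message makes in one place: unsolicited inbound traffic is dropped by connection tracking, not by address rewriting, and the "let my VPS reach my backup target" case is a single explicit allow rule rather than a tunnel or port forward. The interface names, the 2001:db8:: documentation prefixes, the backup host and the VPS address are all assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Stateful IPv6 filtering on a
# forwarding router with no NAT anywhere. Names and addresses below are assumptions.
flush ruleset

define lan_if     = "eth1"               # assumed LAN-facing interface
define wan_if     = "eth0"               # assumed upstream interface
define lan_prefix = 2001:db8:1::/64      # assumed prefix routed to the LAN
define backup_host = 2001:db8:1::10      # assumed backup target inside the LAN
define vps        = 2001:db8:ffff::5     # assumed address of the VPS that pushes backups

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # Replies to connections the router itself opened come back via conntrack.
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional on IPv6: neighbor discovery, router advertisements
        # and path MTU discovery all ride on it, so the router must accept it.
        meta l4proto ipv6-icmp accept
        # Admin SSH to the router only from the LAN side.
        iif $lan_if tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # This is the behaviour people attribute to NAT: unsolicited inbound is
        # dropped because no conntrack entry exists for it, not because the
        # addresses were rewritten on the way through.
        ct state established,related accept
        ct state invalid drop

        # Forward only the ICMPv6 types hosts need end to end; neighbor discovery
        # is link-local and never needs to cross the router.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply } accept

        # LAN hosts open connections outward using their own global addresses.
        iif $lan_if oif $wan_if ip6 saddr $lan_prefix accept

        # The "VPS connects to my backup target" case from the message: one explicit
        # allow, no port forward, no renumbering, and the backup host sees the real
        # source address of the VPS in its logs.
        iif $wan_if oif $lan_if ip6 saddr $vps ip6 daddr $backup_host tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` (and `nft list ruleset` to confirm), with IPv6 forwarding enabled on the router. The address-privacy point in the message is a separate knob from the firewall: on Linux the per-interface sysctl `net.ipv6.conf.<iface>.use_tempaddr` controls RFC 4941 temporary addresses, where 2 enables them and prefers them for outgoing connections; a host that must be reachable by a stable address (the backup target above) should keep its fixed address alongside any temporary ones, since rules like the VPS allow above match on that fixed address.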