Reply to post:

OK, this time it's for real: The last available IPv4 address block has gone

Lee D
You've gone from "Just add an IPv6 address to the device already running NAT on the front-end of your Internet connection" which is centralised, easy to diagnose and easy to revert to "set up IPv6 local DHCP which could interfere with local services if they aren't already set up for IPv6, while making sure that all your internal access lists, subnets, etc. are also configured for IPv6, etc. etc. etc." not to mention "now you have to consider that every machine has a globally routable IP", so your firewall config just expanded from securing ONE IP to an entire subnet on a protocol you aren't familiar with.

Worrying about NAT literally held everyone back. NAT isn't broken. It works for the vast majority of the world. You know how we know? Because the vast majority of the world has a NAT router on their DSL connection. And the solution to "poor" IPv6 deployment is now likely to be carrier-grade NAT on IPv4. Ironically, the "problem" cited by everyone like yourself - spewing NAT-hate - actually CAUSES PEOPLE to stay on IPv4, which means ISPs are forced to NAT them as they can't get any more public routable IPv4 addresses.

Nobody is saying "stay like that forever", but the initial transition is literally an hour of work, for a site with an unlimited number of existing machines, with no changes to internal services whatsoever. But NAT-fear stopped people doing that, because "with IPv6 you should ditch NAT too", etc. etc. Which turns it into a 6-12 month project of testing and reconfiguration.

Your post is the epitome of demonstrating my explanation. NAT or not-NAT has nothing to do with security either. I'm not even claiming that. NAT is a "sensible default" applied to the technology that happens to translate to a "block all incoming" as the final rule by the way it works, and that should be your default rule anyway.

What you did was tell people: You're an idiot to use NAT, turn it off. When everyone is using NAT and there are no inherent problems with a proven technology that serves a practical purpose. And because you conflated that with "here, have a bunch of new-style IP addresses", nobody moved to new-style IP addresses because they were afraid they'd also have to change EVERYTHING about a technology they've been using successfully for decades.

P.S. Your IPv6 router/firewall, no matter how basic it is, still has to keep track of connections. A stateful firewall is the norm. If it's not, you should worry. And though connection tracking on IPv6 does technically take up slightly more memory... there's no way you should be hitting limits on any router advertising itself as IPv6-capable.

P.P.S. I've run Bittorrent on NAT'd connections, like I imagine the majority of the world has. It's never dropped unrelated connections. That's a factor of "crappy router" not NAT. I've literally never witnessed the symptoms you describe (but sheer bandwidth can fill up your outgoing line, which knocks your users for six if you have asymmetric connections and they can't get TCP request and acknowledgements etc. back out. Solution: QoS, not removing NAT.)
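The post's point that NAT's practical value is the implicit "block all incoming" final rule, and that a stateful IPv6 firewall should make the same rule explicit for the whole routable subnet, can be shown in a ruleset. The following nftables ruleset is an added example, not from Lee D's post or the thread; the interface names wan0 and lan0, the prefix 2001:db8:abcd:1::/64 (a documentation prefix standing in for whatever the ISP delegates) and the router-side services listed are all assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the post). Assumed names: wan0 = upstream link,
# lan0 = internal network, 2001:db8:abcd:1::/64 = the delegated prefix.
flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define LAN_PREFIX = 2001:db8:abcd:1::/64

table ip6 filter {
    chain input {
        # Traffic addressed to the router itself: default drop, the same
        # posture NAT gave the single public IPv4 address.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not function without ICMPv6 (neighbour discovery,
        # router advertisements, path MTU discovery), so it is not
        # "just another protocol" to block wholesale.
        meta l4proto ipv6-icmp accept

        # Router-side services reachable from the LAN only
        # (assumed: DHCPv6 client/server, DNS, SSH).
        iifname $LAN udp dport { 546, 547, 53 } accept
        iifname $LAN tcp dport { 53, 22 } accept
    }

    chain forward {
        # Every LAN host now has a globally routable address; this chain is
        # the explicit "block all incoming" rule for the entire subnet.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Let the subnet out; replies come back through conntrack above.
        iifname $LAN ip6 saddr $LAN_PREFIX oifname $WAN accept

        # Essential ICMPv6 types may cross in either direction.
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request, echo-reply
        } accept

        # Unsolicited inbound to a LAN host is dropped by the chain policy.
        # Deliberate pinholes go here, one per exposed service, e.g.
        # (assumed host address):
        # iifname $WAN ip6 daddr 2001:db8:abcd:1::10 tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. The forward chain is where the change from "one IP" to "a subnet" actually lives: the policy is drop, only conntrack-matched return traffic and explicitly listed pinholes get through, so adding IPv6 to the existing front-end router does not widen exposure beyond what the IPv4 NAT rule already allowed.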
