[111403] in North American Network Operators' Group


Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

daemon@ATHENA.MIT.EDU (Mohacsi Janos)
Thu Feb 5 03:47:59 2009

Date: Thu, 5 Feb 2009 09:47:48 +0100 (CET)
From: Mohacsi Janos <mohacsi@niif.hu>
To: Roger Marquis <marquis@roble.com>
In-Reply-To: <20090205030522.13D152B21F3@mx5.roble.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org




On Wed, 4 Feb 2009, Roger Marquis wrote:

> Perhaps what we need is an IPv6 NAT FAQ?  I suspect many junior network
> engineers will be interested in the rationale behind statements like:
>
> * NAT disadvantage #1: it costs a lot of money to do NAT (compared to what
> it saves consumers, ILECs, or ISPs?)

Yes, it costs more money in OPEX. Try to detect a malicious host behind a NAT
among thousands of hosts.

>
> * NAT disadvantage #3: RFC1918 was created because people were afraid of
> running out of addresses. (in 1992?)

Yes. One of my colleagues, who participated in the development of RFC 1918,
confirmed it.


>
> * NAT disadvantage #4: It requires more renumbering to join conflicting
> RFC1918 subnets than would IPv6 to change ISPs. (got stats?)

This statement is true: Currently you encounter more private address 
usage than IPv6 usage.


>
> * NAT disadvantage #5: it provides no real security. (even if it were true
> this could not, logically, be a disadvantage)

It is true. Lots of administrators behind the NAT think that because of
the NAT they can run a poor, careless software update process. The majority of
malware infections come from application insecurity. This cannot
be prevented by NAT!

>
> OTOH, the claimed advantages of NAT do seem to hold water somewhat better:
>
> * NAT advantage #1: it protects consumers from vendor (network provider)
> lock-in.

Use a PI address and multihoming.

>
> * NAT advantage #2: it protects consumers from add-on fees for address
> space. (ISPs and ARIN, APNIC, ...)

No free lunch. Or use IPv6.

>
> * NAT advantage #3: it prevents upstreams from limiting consumers'
> internal address space. (will anyone need more than a /48, to be asked in
> 2018)

You can get more /48s, or use ULA.

>
> * NAT advantage #4: it requires new (and old) protocols to adhere to the
> ISO seven layer model.

This statement is bullshit.

>
> * NAT advantage #5: it does not require replacement security measures to
> protect against netscans, portscans, broadcasts (particularly Microsoft
> NetBIOS), and other malicious inbound traffic.

Same, if you implement proper firewall filtering.

Best Regards,
 		Janos Mohacsi


