[126110] in North American Network Operators' Group
Re: the alleged evils of NAT,
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Apr 30 22:05:40 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <6C8CF96D-4CEC-400F-A5C7-8671AFA1272E@virtualized.org>
Date: Fri, 30 Apr 2010 19:04:10 -0700
To: David Conrad <drc@virtualized.org>
Cc: NANOG list <nanog@nanog.org>
On Apr 30, 2010, at 6:26 PM, David Conrad wrote:
> Paul,
>
> On Apr 29, 2010, at 8:29 AM, Paul Timmins wrote:
>> If you change ISPs, send out an RA with the new addresses, wait a bit, then send out an RA with lifetime 0 on the old address.
>
> Even if this works (and I know a lot of applications that use the socket() API that effectively cache the address returned by DNS for the lifetime of the application), how does this help situations where IPv6 address literals are specified in configuration files, e.g., resolv.conf, glue for authoritative DNS servers, firewalls/filters, network management systems, etc.? See sections 5 and 7 of http://www.rfc-editor.org/internet-drafts/draft-carpenter-renum-needs-work-05.txt
>
Ideally, in the vast majority of cases, resolv.conf is populated by dhcpv6 or its successor.
It is actually possible (although I agree questionable practice) to have your NS glue records updated dynamically.
Firewalls and NMS can usually be done by copying the existing rulesets and doing a global S&R on the affected prefix.
It's not like a v4 renumbering. You'll still be dealing with a 1:1 replacement of the prefix and the suffixes don't need to change.
IPv6 also has the convenient concept of preferred and valid lifetimes on addresses facilitating a convenient overlap period while both prefixes still work, but new flows should be universally originated from the specified prefix. This makes it easier to identify hosts in need of manual intervention by monitoring for traffic sourced from the incorrect prefix.
> The point here is that if there is a non-zero cost associated with renumbering, there will be non-zero incentive to deploy technologies such as NATv6 to reduce that cost. Some folks have made the argument that for sites large enough for the cost of renumbering to be significant, they should be able to justify provider independent space and be willing to accept the administrative and financial cost. While this may be the case (I have some doubts that many of the folks using PA space now will be all that interested in dealing with the RIR system, but I may be biased), it does raise concerns about routing system growth and forces ISPs to be willing to accept long IPv6 prefixes from end users (which some ISPs have already said they won't do).
>
There is a non-zero cost associated with renumbering. However, it is much closer to zero than in IPv4. There is also a non-zero cost to NAT. Unfortunately, the costs of NAT are more on the toxic polluter basis, where you must pay your own tab for renumbering. As such, NAT in IPv6 will probably be as popular as SPAM is in IPv4, to about the same level of detriment.
Owen
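The two mechanics Owen describes above (a 1:1 prefix swap on a copied ruleset that leaves host suffixes untouched, and watching for flows still sourced from the old prefix once the new one is preferred), as an added example that is not part of the thread. The prefixes are RFC 3849 documentation space, and the pf-style ruleset and flow log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed sample values: old and new delegated /48s (documentation space).
OLD_PREFIX = ipaddress.ip_network("2001:db8:1::/48")
NEW_PREFIX = ipaddress.ip_network("2001:db8:2::/48")

# Constructed pf-style ruleset: v6 literals inside OLD_PREFIX, an unrelated v6
# prefix and an IPv4 rule, which must all survive the pass untouched or renumbered.
RULESET = [
    "pass in on eth0 from 2001:db8:1:10::/64 to 2001:db8:1::53 port 53",
    "block in on eth0 from 2001:db8:1:666::/64 to any",
    "pass in on eth0 from 192.0.2.0/24 to any",
    "pass in on eth0 from 2001:db8:9::/48 to any",
]

# Constructed flow log in a hypothetical "src=... dst=..." format.
FLOW_LOG = [
    "2010-04-30T22:05:40 src=2001:db8:2:10::a dst=2001:db8:2::53",
    "2010-04-30T22:05:41 src=2001:db8:1:20::b dst=2001:db8:2::53",
    "2010-04-30T22:05:42 src=192.0.2.7 dst=198.51.100.9",
]


def renumber_token(tok: str) -> str:
    """Rewrite one whitespace-delimited token if it is a v6 address or prefix
    inside OLD_PREFIX, keeping the subnet/host suffix bits as they are.
    Tokens that are not addresses (keywords, interfaces, ports) pass through."""
    try:
        net = ipaddress.ip_network(tok, strict=False)  # plain address -> /128
    except ValueError:
        return tok
    if net.version != 6 or not net.subnet_of(OLD_PREFIX):
        return tok
    suffix = int(net.network_address) & int(OLD_PREFIX.hostmask)
    new_addr = ipaddress.IPv6Address(int(NEW_PREFIX.network_address) | suffix)
    return f"{new_addr}/{net.prefixlen}" if "/" in tok else str(new_addr)


def renumber_line(line: str) -> str:
    """Global search-and-replace of the prefix across one ruleset line."""
    return " ".join(renumber_token(t) for t in line.split())


def stale_sources(flow_lines) -> list:
    """Sources still using the old prefix: hosts needing manual attention
    after the old prefix's preferred lifetime has been set to zero."""
    stale = []
    for line in flow_lines:
        m = re.search(r"src=(\S+)", line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if src.version == 6 and src in OLD_PREFIX:
            stale.append(str(src))
    return stale
```

Tokens with attached punctuation (for example a trailing comma in a list syntax) are not parsed as addresses by this tokenizer and would need a format-aware splitter.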