[136201] in North American Network Operators' Group


Re: quietly....

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Feb 1 18:19:09 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <318049.99548.qm@web31804.mail.mud.yahoo.com>
Date: Tue, 1 Feb 2011 15:11:57 -0800
To: David Barak <thegameiam@yahoo.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Feb 1, 2011, at 2:43 PM, David Barak wrote:

>
> ________________________________
>
> From: Owen DeLong <owen@delong.com>
>
>
> David Barak
> Need Geek Rock? Try The Franchise:
> http://www.listentothefranchise.com
>
>> If you're determined to destroy IPv6 by bringing the problems of NAT forward
>> with you, then, I'm fine with you remaining in your IPv4 island. I'm willing to
>> bet that most organizations will embrace an internet unencumbered by the
>> brokenness that is NAT and move forward. I do not think that lack of NAT has
>> been a significant barrier to IPv6 adoption, nor do I think it will be.
>
> Lack of NAT may or may not continue to be a barrier to IPv6 adoption.  However,
> it certainly *has* been a barrier to IPv6 adoption - I have had customers tell
> me that explicitly, and I have no reason to doubt them.
>
I'm sure there are a few isolated places where IPv6 might have been adopted if
it hadn't been for the fact that nobody has educated them on the alternatives.

However, I'm not convinced there are very many of them. Most of the people I have
had more detailed conversations with go something like this:

X:	We can't implement IPv6 because there's no NAT and we depend on NAT.
O:	Why do you depend on NAT? All it does is conserve addresses?

X:	We use it for address obfuscation and security. We have to meet PCI-DSS
	and other audit criteria.
O:	Well, the latest PCI-DSS doesn't require NAT. Additionally, you can get
	better address obfuscation with privacy addresses. All the security in NAT
	comes from stateful inspection. You can still do that in IPv6, you just don't
	rewrite the address in the packet.

X:	You've got an answer for everything, don't you?
O:	Well, I've been doing IPv6 for a few years now. It works pretty well for
	me and I'm really glad I don't have to deal with the problems caused
	by NAT.

X:	Well, OK, but, even if we ignore NAT, we're still not ready to do IPv6.

Then we discuss their real issues stopping them from going to IPv6.

So... I think there are a lot more people using NAT as an excuse than
there are people that would actually implement IPv6 if we just gave
them NAT.

In any case, I think as they find their NATv4 environment becoming
an island disconnected from the internet, they'll probably reconsider
that decision. I'm OK with waiting until that time for those people to
connect to IPv6.

Owen
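
The claim in the dialogue above, that the protection attributed to NAT comes from stateful inspection and not from rewriting addresses, shown as a small model. This is an added example, not part of the original message; the `StatefulEdge` class, the `compare` helper and all addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulEdge:
    """Edge device with connection tracking; address rewriting is optional."""
    nat_public: Optional[str] = None           # None = routed, no translation
    flows: dict = field(default_factory=dict)  # expected reply 4-tuple -> inside (addr, port)
    next_port: int = 40000

    def outbound(self, p: Packet) -> Packet:
        """Inside host opens a flow: record state, rewrite source only if NAT is on."""
        wire = p
        if self.nat_public is not None:
            wire = Packet(self.nat_public, self.next_port, p.dst, p.dport)
            self.next_port += 1
        # The state entry describes what a legitimate reply must look like.
        self.flows[(wire.dst, wire.dport, wire.src, wire.sport)] = (p.src, p.sport)
        return wire

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside packet: forwarded only if it matches tracked state."""
        inside = self.flows.get((p.src, p.sport, p.dst, p.dport))
        if inside is None:
            return None                        # unsolicited, dropped by the state check
        return Packet(p.src, p.sport, inside[0], inside[1])

def compare():
    """Run the same flow and the same unsolicited probe through both designs."""
    cases = {  # constructed sample flows, documentation address ranges only
        "nat44": (StatefulEdge("192.0.2.1"), Packet("10.0.0.10", 51000, "198.51.100.80", 443), "203.0.113.66"),
        "ipv6_routed": (StatefulEdge(), Packet("2001:db8:1::10", 51000, "2001:db8:ffff::80", 443), "2001:db8:bad::1"),
    }
    out = {}
    for name, (edge, pkt, outsider) in cases.items():
        wire = edge.outbound(pkt)
        reply = edge.inbound(Packet(wire.dst, wire.dport, wire.src, wire.sport))
        probe = edge.inbound(Packet(outsider, 4444, wire.src, wire.sport))
        out[name] = {"seen_on_wire": wire.src, "reply_to": reply.dst, "probe_dropped": probe is None}
    return out

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

In both cases the probe is rejected by the same state lookup; the only difference in the NAT case is the source address seen on the wire.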



