[190448] in North American Network Operators' Group
Re: IPv6 deployment excuses
daemon@ATHENA.MIT.EDU (Masataka Ohta)
Mon Jul 4 22:16:45 2016
To: nanog@nanog.org
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Tue, 5 Jul 2016 11:16:31 +0900
In-Reply-To: <CAPkb-7Cxq0XZ663ysMbHCGfK_QTCfkSBgDf_tV-1c-QB+9Y+Rg@mail.gmail.com>
Baldur Norddahl wrote:
>> With end to end NAT, you can still configure your UPnP capable NAT
>> boxes to restrict port forwarding.
> Only if by NAT you mean "home network NAT". No large ISP has or will deploy
> a carrier NAT router that will respect UPnP.
A large ISP should just set up the usual NAT. In addition, the ISP
tells its subscriber a global IP address, a private IP address
and a small range of port numbers the subscriber can use, and
sets up *static* bi-directional port forwarding.
If each subscriber is allocated 64 ports, the effective address
space is 1000 times that of IPv4, which should be
large enough.
Then, if a subscriber wants transparency, he can set up his
home router to make use of the bi-directional port forwarding
and his host to reverse the translation by nested port forwarding.
> That does not scale and is a
> security nightmare besides.
It is merely because you think you must do it dynamically.
But, if you want to run a server at a fixed IP address
and port, port forwarding must be static.
Masataka Ohta
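The scheme in the message above (a carrier NAT that hands each subscriber a fixed slice of one global address's ports, with a home router forwarding the same slice inward) modelled as an added example; this is editor-written code, not part of Ohta's post or of any vendor's implementation. All addresses, the subscriber number and the packets are constructed sample values, the host-side reverse translation mentioned in the post is not modelled, and the 64-port arithmetic is carried out exactly (65536 / 64 = 1024 subscribers per address, which the post rounds to 1000). Because every mapping is static, a packet to a port outside the subscriber's slice has nowhere to go and is dropped, and the box never needs the per-connection state or UPnP control channel that the thread objects to.

```python
# Static per-subscriber port-range forwarding, modelled in Python.
# Added example, not code from the original post; every address, port range
# and packet below is a constructed sample value.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)
PORT_SPACE = 65536          # ports per IPv4 address


def subscribers_per_address(ports_per_subscriber: int) -> int:
    """Subscribers one global IPv4 address serves when each gets a fixed port slice."""
    return PORT_SPACE // ports_per_subscriber


@dataclass(frozen=True)
class StaticForward:
    """Static bi-directional mapping of one contiguous port range (same length on both sides)."""
    outside_ip: str
    outside_first: int
    inside_ip: str
    inside_first: int
    count: int

    def _shift(self, ep: Endpoint, from_ip: str, from_first: int,
               to_ip: str, to_first: int) -> Optional[Endpoint]:
        ip, port = ep
        offset = port - from_first
        if ip != from_ip or not 0 <= offset < self.count:
            return None  # outside the allocated slice: no mapping exists
        return (to_ip, to_first + offset)

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        return self._shift(dst, self.outside_ip, self.outside_first,
                           self.inside_ip, self.inside_first)

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        return self._shift(src, self.inside_ip, self.inside_first,
                           self.outside_ip, self.outside_first)


class StaticNAT:
    """A NAT box holding only static mappings: no per-connection state, no UPnP."""

    def __init__(self, forwards: Iterable[StaticForward]):
        self.forwards: List[StaticForward] = []
        for fwd in forwards:
            self.add(fwd)

    def add(self, fwd: StaticForward) -> None:
        # Refuse overlapping outside ranges on the same address at configuration time.
        for other in self.forwards:
            if (other.outside_ip == fwd.outside_ip
                    and fwd.outside_first < other.outside_first + other.count
                    and other.outside_first < fwd.outside_first + fwd.count):
                raise ValueError("overlapping port range on %s" % fwd.outside_ip)
        self.forwards.append(fwd)

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        hits = (fwd.inbound(dst) for fwd in self.forwards)
        return next((h for h in hits if h is not None), None)  # None: drop

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        hits = (fwd.outbound(src) for fwd in self.forwards)
        return next((h for h in hits if h is not None), None)


def isp_allocation(global_ip: str, index: int, ports: int, private_ip: str) -> StaticForward:
    """The ISP's slice for subscriber `index`: identical port numbers inside and outside."""
    if not 0 <= index < subscribers_per_address(ports):
        raise ValueError("subscriber index exceeds the address's port space")
    first = index * ports
    return StaticForward(global_ip, first, private_ip, first, ports)


def nested_inbound(hops: List[StaticNAT], dst: Endpoint) -> Optional[Endpoint]:
    """Carrier NAT first, then the home router; a drop at any hop is final."""
    for nat in hops:
        dst = nat.inbound(dst)
        if dst is None:
            return None
    return dst


def nested_outbound(hops: List[StaticNAT], src: Endpoint) -> Optional[Endpoint]:
    """Reverse direction: home router first, then the carrier NAT."""
    for nat in reversed(hops):
        src = nat.outbound(src)
        if src is None:
            return None
    return src


# Constructed sample: subscriber 42 gets 64 ports (2688..2751) on 203.0.113.7.
CARRIER = StaticNAT([isp_allocation("203.0.113.7", 42, 64, "10.0.42.1")])
# The subscriber's home router forwards that same slice to one host on the LAN.
HOME = StaticNAT([StaticForward("10.0.42.1", 42 * 64, "192.168.1.20", 42 * 64, 64)])
HOPS = [CARRIER, HOME]

if __name__ == "__main__":
    print(subscribers_per_address(64))                    # 1024
    print(nested_inbound(HOPS, ("203.0.113.7", 2700)))     # ('192.168.1.20', 2700)
    print(nested_inbound(HOPS, ("203.0.113.7", 2752)))     # None: not this subscriber's port
```

The mapping is a pure function of the subscriber number, so both the ISP and the subscriber can derive it independently and nothing has to be negotiated at run time; the only configuration error the model guards against is two slices on one address overlapping, which `StaticNAT.add` rejects.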