Skip to content

Top Best Ask Show New Jobs

Linux gets IPv6 NAT (opens in new tab)

(marc.info)

47 pointsKonradKlause14y ago58 comments

58 comments

31 comments · 7 top-level

kenny_r14y ago· 14 in thread

I'd be interested to hear some of these legitimate use cases for IPv6 NAT.

agwa14y ago

I suspect that there will still exist some situations where you only have a /128 but need to run a network behind it. I realize I'm in a tiny minority here, but when I travel I bring a WRT54GL, plug it into the hotel's Internet connection, and then plug my devices into it on my own private subnet. I kinda doubt hotels will be routing /64 to their guests, so NAT will be the only option.

I hope that IPv6 NAT will be used rarely, but I'm grateful that I will have it in my toolbox for atypical situations where there are no other options.

loup-vaillant14y ago

Noob question: what exactly are a /128 and a /64 ? How many public IPs do they provide? Do you have a link so I can learn how to interpret those /xx?

Originally, I was under the impression that /n subnets have 2^n public IPs at there disposal. Could it be 2^(128-n) instead?

But either way, a /64 should be plenty. However, you suggest here http://news.ycombinator.com/item?id=3261500 that /64 are not so great. I wonder why. Is there something special going on?

dspillett14y ago

The only ones I can think of are:

1. Topology hiding: the outside world only sees one interface not potentially the rest of your network. Though I doubt this offers and security worth speaking of, some people might want to keep that part of their arrangement when they migrate from IPv4 to IPv6.

2. Selective address forwarding: your router could send packets for a particular IPv6 address to different machines LAN-side depending on various things like where the packets came from WAN-side.

Of course there might be better ways to implement these things in the IPv6 spec already, I'm very behind the times in that respect and really must find time to read up on the subject (I purposely chose an ISP that fully supports IPv6 when I switched a few months ago, so I could try it all out when I have some time to play)

throwaway6414y ago

a firewall can handle both those things without NAT

zobzu14y ago

responses you might get (not that i agree):

"we're used to the false sense of security from NAT and we like it"

"we feel like NAT protects our privacy ('but we use gmail')"

"its easier to setup than ndp proxying ('because i never heard of ndp before')"

yada yada :-)

guan14y ago

I don't know if this qualifies as legitimate, but Comcast has already decided to allocate /128 to customers with "directly connected CPE", which sounds like people who have just a cable modem and didn't pay for a "home gateway device". NAT could be useful if you plug that cable modem into a Linux box.

http://blog.comcast.com/2011/11/ipv6-deployment-technology.h...

wmf14y ago

You're interpreting it wrong; Comcast is going to provide at least /64 to each customer but they just haven't turned on prefix delegation yet.

pasbesoin14y ago

My opinion is that when you're dependent upon a (possibly recalcitrant) upstream provider, it's best to have means of dealing with whatever they give you.

If in some circumstance someone hands you only one address (or, one address too few, perhaps), you can still hang your own network behind it.

syncsynchalt14y ago

I think you're reading that wrong. The CPE (the cable modem itself) gets a /128, similar to the 10.0.0.0/8 address that it currently gets (that is not visible to the end user). They then go on to say that the home gateway gets a /64.

KonradKlauseOP14y ago

Topology hiding.

No, please don't tell me about socks or other proxy solutions.

viraptor14y ago

> Topology hiding.

== making VoIP deployment hard/impossible depending on your router and phone model. :(

AndrewDucker14y ago

I'm curious as to what topology is detectable from a standard IPv6 packet?

nodata14y ago

Privacy.

count14y ago

IPv6 privacy addresses are even more effective at this than NAT would be. Once the address is done being used, it goes away. You can still be tracked by your NAT'd address, as it will remain (relatively) static.

adestefan14y ago· 4 in thread

This makes me sad. People claiming that NAT provides some sort of privacy are misguided. There's also the option of the privacy extensions described in RFC 4941. This is even easier to enable in Linux, just add "net.ipv6.conf.<if>.use_tempaddr = 2" to /etc/sysctl.conf.

forgotusername14y ago

As for uses, how about: I live in a crappy country with a crappy monopolistic ISP that provides a crappy /128. No amount of purist theoretical pontification can fix this reality, which is guaranteed to happen for someone, regardless of the size of address space (say, because a business guy at $ISP thinks that will somehow force users to pay for extra subscriptions for their devices).

I for one am glad to see that if the time should arrive for me, Linux will support this out of the box, and that the greater madness by far, is to ignore a problem simply because you'd prefer that it not exist.

Besides all that, there is simple hacker value in having this kind of translation available. Great ideas are often borne of insanity.

wmf14y ago

And now every protocol needs to add NAT66 traversal to work around you. The lack of NAT66 is not ignoring a problem, it's trying to prevent a massive externality.

count14y ago

If your ISP gives you a single address and requires you to pay for more equipment, and you 'hide' with NAT, you're violating your terms of service and contract with that ISP.

Are you really suggesting that NAT66 be developed and deployed in order to help you violate your contract? Should the IETF find some way to help you get out of paying your bill too, or maybe stealing somebodies WiFi?

KonradKlauseOP14y ago

True. But it's still not a drop-in replacement for NAT.

alexchamberlain14y ago· 2 in thread

Will it ever be safe to design a protocol which isn't "NAT Safe"?

agwa14y ago

Well, even if NAT went away, you would still have to contend with stateful firewalls (i.e. those that only allow inbound packets from established connections).

This article explains it pretty well (mainly on the second page):

http://arstechnica.com/hardware/news/2007/05/ipv6-firewall-m...

alexchamberlain14y ago

It depends where firewalls are implemented in x years time. (In the context of the home) At the moment, people rely on their routers to provide a decent firewall rather than configuring their computers properly.

That being said... if firewalls "move" onto computers, it is "easy" to open ports.

WalterGR14y ago· 2 in thread

How does this relate to / compare with Teredo?

http://en.wikipedia.org/wiki/Teredo_tunneling

wmf14y ago

Teredo is a way of getting IPv6 if your ISP doesn't provide it. IPv6 NAT translates between outside IPv6 addresses and inside IPv6 addresses.

WalterGR14y ago

Thanks. (I had it in my head that Teredo was an IPv6 NAT, despite the Wikipedia link.)

seanlinmt14y ago· 2 in thread

Without looking at the code to see what's going on, I'm wondering if this patch is actually about IPv6 NAPT, ie. protocol translation between IPv4 and IPv6. If it's really NAT, like IPv4 NAT, then has there been an RFC on this? I can't seem to find it.

wmf14y ago

There wasn't an RFC for NAT44 either, because the IETF didn't want to encourage it. Realizing how that worked out last time, the debate is raging about NAT66 specification.

adestefan14y ago

There's a draft RFC. http://tools.ietf.org/html/draft-mrw-nat66-16

mindslight14y ago

The more I hear about IPv6 (these comments in particular), the more it seems like it contains many solutions to non-problems. Yes, IPv4's 32 bit address space is basically full, and upgrading that is a good thing.

But honestly, burning 64 bits of address space for a redundant global identifier just so "nat+dhcp" are only half as complicated? And then needing privacy extensions to keep the uuid from leaking out? All while doing nothing to solve the problem that caused NAT to spring up in the first place.

On the surface, "no NAT" sounds like a reasonable goal, but ignores the realities of what NAT is actually used for - keeping your network your business. How long until consumer providers offer different tiers of plans based on number of devices that can be connected, and smart users are back to NAT anyway? The proper solution to NAT problems is at layer 4 - a standard way of making connections from the outside to a device inside based on some kind of onion address, where the upstream can only see the outer part.

101001011114y ago

What makes solutions like NAT* and IPv6 necessary is the concept of the "backbone". In spite of all its benefits, it also has tradeoffs too.

When everything has to pass through centralised "core" routers for enormous segments of the network, it limits how we can work with addresses.

It forces us to allocate addresses in blocks (the larger ones within which most of the individual addresses remain unused). And it creates problematically large routing tables for those "core' routers.

As with everything, there are both costs and benefits to doing things this way. There are always tradeoffs with any approach, whether it is centralised or decentralised. So arguments can go on to infinity about the "best" way. There is no such thing. There are just different alternatives, each with their own costs and benefits. And there's human consensus.

And there are the inevitable workarounds, some of them pure "hacks".

NAT* and IPv6 are a natural result of having a "backbone", "core routers", gigantic ever-growing routing tables and large address allocation minimums.

j / k navigate · click thread line to collapse