Michael H. Warfield
mhw at WittsEnd.com
Mon Jan 3 21:14:58 UTC 2011
On Sun, 2011-01-02 at 21:01 -0500, Genes MailLists wrote:
> On 01/02/2011 08:54 PM, Genes MailLists wrote:
> >> Probably the simplest approach is to use a router appliance that groks
> >> IPv6 for the WAN, and IPv4 for the LAN. On a Linux system, if you want
> >> it to be your firewall--and a lot of us are hard-headed enough to do
> >> so--I'd put in two NICs and use only the outward-facing NIC for IPv6,
> >> configuring the internal for IPv4.
> > Thanks for your thoughts ... I was slowly coming to exactly that
> > solution ...
> > Then I think you're saying NAT is here to stay .. in which case how
> > exactly on a linux border firewall with internal ip4 and external ip6
> > does one NAT ?
> > Do we build a ip4 NAT to ip4 - and then route that nat'ed ip4 to ip6 ?
> If you are correct - then the obvious solution is to make ip6 NAT ...
> which was designed out of the thing ...
NAT is a vile and evil abomination which was created in a half assed
effort to extend the life of IPv4. There are still protocols which
simply will not work over NAT and that situation is about to get
exponentially worse. Now that IANA is truly running out of IPv4 blocks
and it won't be more than a year or two before the RIRs are running out
(the UK is projecting end of new global IPv4 addresses available to the
consumer level by the end of 2011 or early 2012) now they are taking a
bad situation and making it even worse. Now they are taking CGN or
NAT444 (plain ole NAT is known as NAT44 in that parlance). That's
carrier grade NAT. That's NAT in front of NAT. IOW, NAT at your ISP
and it's going to break all sorts of things. Got those nice helpers in
your NAT gateway to help with all those protocols that won't operate
over NAT's brokenness? Yeah, they're all broken again. Got that VPN
gateway ported through? Not when this happens. Think the ISP will fix
it? Not when his NAT is mapping customers on a port and address n-to-m
mapping that changes dynamically. At the last ARIN conference I saw a
list of games and applications which are known not to work over CGN.
Too bad. The IPv4 address you may get in the future from your ISP is
not going to be guaranteed to even be a global v4 address any more.
Whatcha gonna do? Change providers? They're all going to be in the
same boat as their subscribers exceed their pools with smart devices
like smart phones and such. Just not enough IPv4 addresses to go around
even for everyone to just get one. Anyone dragging their feet has no
ground on which to boo hoo.
As it so happens, renumbering IPv6 is trivial. It's way easier than
IPv4 and you don't need NAT. You simply add your new prefix to your
router and set the lifetime of your old prefix real low. Wait for a
while, then remove the old prefix. All your autoconf'ed machines will
have renumbered themselves. You don't need to renumber the EUI (the
lower 64 bits) and they get the upper prefix from the router. If you're
using dhcp6, you'll have to do some updates there, but that's also
centrally located. Anyone using static addressing outside of routers is
shooting themselves in the foot. I've renumbered my networks several
times shifting providers from Hurricane Electric to Hexago (formerly
FreeNet6) to OCCAID. Even with multiple subnets (you get 65,536 subnets
in a single /48 network allocation available to you) it's pretty easy
and it's transparent. You don't have to disrupt the network or take
anything down to renumber. Try renumbering, really renumbering, an IPv4
NAT has been used as a crutch and an excuse for too many things. I'm
glad to see that world continue to get worse with the advent of CGN.
Maybe people will start to wake up and realize that continuing to
struggle with this patchwork quilt of hacks and workarounds for broken
transports is a lot worse than just making the change and being done
AFA IPv4 vs IPv6 internal vs external goes, why not use both in both?
They do coexist, you know. You don't have to choose one and not the
other. You can even have global IPv6 while sitting behind your tonka toy
NAT44 or even a NAT44 behind a NAT444 at your ISP. You can have both.
Why not have the best of both possible worlds? You won't even know when
you're accessing one and not the other.
For reference, I find the IPv6-only fedora repositories to be much more
responsive. Probably thanks to the lighter load I enjoy and they enjoy.
I also find that my downloads from Europe over IPv6 are often faster,
but then the routing is simpler and the core backbones are all carrying
IPv6 in parallel or even as the backbone protocol. My nearest OCCAID
POP is just down the road aways, downtown so it's a short hop and I'm on
the global v6 backbone with no v4 transport or tunnels.
> gah ...
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!