v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

Mohacsi Janos mohacsi at niif.hu
Thu Feb 5 08:47:48 UTC 2009




On Wed, 4 Feb 2009, Roger Marquis wrote:

> Perhaps what we need is an IPv6 NAT FAQ?  I suspect many junior network
> engineers will be interested in the rationale behind statements like:
>
> * NAT disadvantage #1: it costs a lot of money to do NAT (compared to what
> it saves consumers, ILECs, or ISPs?)

Yes, it costs more money in OPEX. Try to detect a malicious host behind a NAT 
among thousands of hosts.

>
> * NAT disadvantage #3: RFC1918 was created because people were afraid of
> running out of addresses. (in 1992?)

Yes. One of my colleagues, who participated in the development of RFC 1918, 
confirmed it.


>
> * NAT disadvantage #4: It requires more renumbering to join conflicting
> RFC1918 subnets than would IPv6 to change ISPs. (got stats?)

This statement is true: Currently you encounter more private address 
usage than IPv6 usage.


>
> * NAT disadvantage #5: it provides no real security. (even if it were true
> this could not, logically, be a disadvantage)

It is true. Lots of administrators behind the NAT think that, because of 
the NAT, they can run a poor, careless software update process. The majority of 
malware infections come from application insecurity. This cannot 
be prevented by NAT!

>
> OTOH, the claimed advantages of NAT do seem to hold water somewhat better:
>
> * NAT advantage #1: it protects consumers from vendor (network provider)
> lock-in.

Use PI addresses and multihoming.

>
> * NAT advantage #2: it protects consumers from add-on fees for addresses
> space. (ISPs and ARIN, APNIC, ...)

No free lunch. Or use IPv6.

>
> * NAT advantage #3: it prevents upstreams from limiting consumers'
> internal address space. (will anyone need more than a /48, to be asked in
> 2018)

You can get more /48s, or use ULA.

>
> * NAT advantage #4: it requires new (and old) protocols to adhere to the
> ISO seven layer model.

This statement is bullshit.

>
> * NAT advantage #5: it does not require replacement security measures to
> protect against netscans, portscans, broadcasts (particularly microsoft
> netbios), and other malicious inbound traffic.

Same, if you implement proper firewall filtering.

Best Regards,
Janos Mohacsi
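The "proper firewall filtering" the reply points to under NAT advantage #5, as an added example that is not from this thread: an nftables ruleset for a small IPv6 router that gives LAN hosts the same "no unsolicited inbound" property a NAT gives implicitly, without hiding addresses. The interface names lan0/wan0 and the single exposed host 2001:db8:1::22 are assumptions for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed interfaces: lan0 (inside), wan0 (upstream).
flush ruleset

table inet filter {
    chain input {
        # Protects the router itself.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional on v6: neighbour discovery, PMTUD and RAs ride on it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        # DHCPv6 client replies arrive from link-local servers.
        ip6 saddr fe80::/64 udp sport 547 udp dport 546 accept
        # Management from the LAN only.
        iifname "lan0" tcp dport 22 accept
        log prefix "v6-input-drop " counter drop
    }

    chain forward {
        # Protects the LAN hosts: inside may initiate, outside may not.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        iifname "lan0" oifname "wan0" accept
        # One deliberately exposed service (assumed host address).
        iifname "wan0" ip6 daddr 2001:db8:1::22 tcp dport 22 accept
        log prefix "v6-fwd-drop " counter drop
    }
}
```

Every inbound exception is an explicit, logged rule, which is the auditable counterpart of what NAT only provides as a side effect.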