IPv6 fc00::/7 - Unique local addresses

George Bonser gbonser at seven.com
Thu Oct 21 18:58:51 UTC 2010

> From: Ray Soucy 
> Sent: Thursday, October 21, 2010 5:49 AM
> To: Owen DeLong
> Cc: NANOG list
> Subject: Re: IPv6 fc00::/7 - Unique local addresses
> 
> See... You're falling into the same elitist mindset that I was trapped
> in a year ago.
> 
> Perception is a powerful thing.  And Joe IT guy at Mom and Pop dot com
> (whose network experience involves setting up a Linksys at home) loves
> his magical NAT box firewall appliance.  Over the last year I've been
> trying to fight the NAT war and have gotten pretty beat down.  It
> doesn't matter if *we* know NAT is wrong, undesirable, and breaks the
> Internet... we all live in the large scale, multi-homed, BGP, mega
> Internet land.

And BetaMAX was a much better format than VHS, too, from a technical
standpoint. It doesn't matter which is "better", it matters what people
want.  Telling people they can't have what they want leads to someone
somewhere providing them with what they want and making a fortune on it.

> Start working with smaller shops, and you'll find the typical setup is
> a bunch of switches and a "VPN Firewall" picked up from Best Buy, or
> maybe a Sonicwall or something.  These guys couldn't manage public
> IPv4 let alone public IPv6, because the term "private" gives them that
> warm and fuzzy false sense of security and lets them change their ISP
> without reconfiguring a single thing (they often wouldn't know where
> to start anyway).

I am not sure there really is such a thing as a "secure" network.  If
you can somehow get a host inside a network to send the first packet to
you, you are in.  Yeah, all those filters and NATs prevent you from
being able to send the first packet, but as long as people are dragging
in laptops, thumb drives, opening email attachments, and browsing the
web, there is no such thing as a "secure" network if it has internet
access.  Even the deepest packet inspection won't make you secure if the
traffic going back and forth abides by the protocol rules.  Is that
really a file upload and download going on, or is it a bi-directional
tunnel disguised as file transfers that never end and is someone now
doing a complete scan of your network from one of your employee's
workstations?

Having a lock on the door is fine, but for a door to be useful, you must
be able to open it from the inside. And when you take a delivery, are
you sure what is in that box is what is really on the packing slip? And
if you take it out of the box and look at it, is it still *really* what
it says on the packing slip?  Sort of like a birthday cake arriving at a
prison.

> They *will* fight you, and tell you to your face that if you want to
> take NAT away from them it will be from their cold dead hands.

And it isn't NAT in and of itself that is attractive.  Those people
aren't talking about static NAT where you are just translating the
network prefix.  They are talking dynamic port-based PAT so that the
translation doesn't exist until the first packet goes in the outbound
direction.  Like it or not, that DOES provide some barrier of entry to
someone outside wishing to initiate a connection from the outside.  You
cannot predict in advance what outside address/port will be associated
with which inside address/port or if any such association even exists
and a lot of people have already made up their minds that the breakage
that causes for various things is offset by the perceived benefit of
that barrier and worth the price of dealing with that breakage.

> Why? Because we've had 10 years of "consultants" selling NAT as the
> best thing for security since sliced bread.
> 
> Maybe we could get them to do it the right way if they had some sort
> of IPv6 appliance that dumbed things down, but it simply doesn't exist
> yet.  When it is created, it will be created by the people with the
> NAT mindset wishing to maintain the status quo.
> 
> At least that's my prediction...

I tend to agree with that.  Not saying that I think that is the best way
to go, mind you, just saying that I can see such a thing happening and
all the jumping up and down on NANOG isn't going to change that because
it is the end user that decides in the end what gets built and what
doesn't.  So either put into the protocol a specific prohibition of NAT,
engineer the protocol so NAT can't possibly work, or get ready to accept
that you are going to be dealing with it.

> We need to keep in mind that most on this list are likely at a
> completely different level than anything you'd find in the SMB
> community.

I have tried making that point privately to many individuals but it
doesn't seem to click and is taken as if I am "defending" or somehow
rationalizing that "dumbed down" behavior when I am simply acknowledging
the existence of it.  Sort of like when your daughter starts dating that
ne'er-do-well up the street.  Sometimes it just is what it is and you
can point out the potential problems until the cows come home but it
isn't really going to matter. There are billions more of "them" than
there are of "us" to put it in tribal terms.

In fact, I will say that the lack of such NAT features is exactly WHY
IPv6 hasn't caught on in many networks.

> They can't afford to hire "networking" people, they hire
> "IT" people who are tasked with anything related to technology and
> usually completely understaffed.  Thus they want the quick, painless,
> easy solution.

If it doesn't have a GUI checkbox, it doesn't exist.   So they configure
a NAT pool, and maybe put a packet filter on the router ahead of it and
they are "done" as far as they are concerned.  Changing providers means
touching the network in two places.
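As an added illustration of the dynamic, port-based PAT behaviour discussed above (example code written for this page, not code from the original post or from any product mentioned in it): a toy stateful translator in Python. The addresses are constructed from documentation ranges and refer to no real hosts. It walks through the three points made in the reply: an unsolicited inbound packet finds no translation and is dropped, the outside port is allocated at random so an outsider cannot know it in advance, and once an inside host sends the first packet outward, whatever answers on that mapping is let back in.

```python
"""Toy model of dynamic port-based PAT (NAPT).

An outbound packet creates a translation entry; the outside port is drawn
at random from the ephemeral range, so an outside party cannot predict it.
An inbound packet is forwarded only when it matches an existing entry;
everything else is dropped.  All addresses are constructed (documentation
ranges) and do not refer to real hosts.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OUTSIDE_ADDR = "203.0.113.10"    # constructed: the PAT box's single public address


@dataclass(frozen=True)
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


class PortAddressTranslator:
    """Stateful NAPT: a translation exists only after the first outbound packet."""

    def __init__(self, outside_addr: str = OUTSIDE_ADDR, seed: Optional[int] = None):
        self.outside_addr = outside_addr
        self._rng = random.Random(seed)
        # (inside addr, inside port, remote addr, remote port) -> outside port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # (outside port, remote addr, remote port) -> (inside addr, inside port)
        self._in: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        """Pick an unused outside port at random from the ephemeral range."""
        used = {key[0] for key in self._in}
        while True:
            port = self._rng.randint(1024, 65535)
            if port not in used:
                return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating state on first use."""
        key = (pkt.src_addr, pkt.src_port, pkt.dst_addr, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            port = self._allocate_port()
            self._out[key] = port
            self._in[(port, pkt.dst_addr, pkt.dst_port)] = (pkt.src_addr, pkt.src_port)
        return Packet(self.outside_addr, port, pkt.dst_addr, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet, or return None (dropped)."""
        if pkt.dst_addr != self.outside_addr:
            return None
        target = self._in.get((pkt.dst_port, pkt.src_addr, pkt.src_port))
        if target is None:
            return None          # no entry: unsolicited, nothing to map it to
        inside_addr, inside_port = target
        return Packet(pkt.src_addr, pkt.src_port, inside_addr, inside_port)


def demo(seed: int = 1) -> dict:
    """Walk through the scenario described in the post and report what happened."""
    nat = PortAddressTranslator(seed=seed)
    inside, remote = "192.168.1.20", "198.51.100.7"   # constructed addresses

    # 1. Outsider probes the public address directly: no state, dropped.
    probe = nat.inbound(Packet(remote, 40000, OUTSIDE_ADDR, 3389))

    # 2. An inside host sends the first packet (a browser, or something that
    #    came in on a laptop and is beaconing home).  That creates the entry.
    out = nat.outbound(Packet(inside, 51000, remote, 443))

    # 3. The remote side's reply on the allocated port is mapped back inside.
    reply = nat.inbound(Packet(remote, 443, OUTSIDE_ADDR, out.src_port))

    # 4. Same remote host, but guessing some other outside port: dropped.
    guess = nat.inbound(Packet(remote, 443, OUTSIDE_ADDR, (out.src_port % 65535) + 1))

    return {
        "probe_dropped": probe is None,
        "outside_port": out.src_port,
        "reply_forwarded_to": (reply.dst_addr, reply.dst_port) if reply else None,
        "guess_dropped": guess is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the four outcomes. Note that the entry is keyed on the remote address and port as well as the outside port, so only the peer the inside host actually talked to can use it; that state table, created by the first outbound packet, is what decides whether an inbound packet is forwarded or dropped.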
