Problems with removing NAT from a network

Leen Besselink leen at consolejunkie.net
Mon Jan 10 00:57:29 UTC 2011


On 01/09/2011 07:46 AM, Matthew Kaufman wrote:
> On 1/8/2011 3:16 AM, Leen Besselink wrote:
>>
>> Hello Mr. Kaufman,
>>
>> In the upcoming years, we will have no IPv6 in some places and badly
>> performing IPv4 (CGN, etc.) with working IPv6 in others.
> Right. So we're discussing just how "badly performing" the IPv4 can be
> and still be acceptable as "access to the IPv4 Internet for your
> customers".
>
> I am arguing that CGN (NAT44 to get additional IPv4 to dual-stack)
> doesn't break nearly as much as NAT64/DNS64 does, and that in fact
> NAT64/DNS64 breaks *so much* that you probably can't/shouldn't sell it
> to your customers as "access to the IPv4 Internet".
>

I think there will be CGNs and NAT64/DNS64 which will add extra latency
and may be overloaded at times. But I also currently still see a
fragmented IPv6 Internet where not everyone can reach everyone. So
currently IPv6 isn't ready and IPv4 is still working, but for how long?

> Note that for a *very* long time... much longer than there will be new
> IPv4 addresses available... there will be a whole lot of places that
> have good IPv4 and no IPv6. (As you note above)
>

Personally I hope there will be a lot of places where we have good IPv4 and
good IPv6. Looking at the history of IPv6 I would have liked to see more
of that today.

Yes, it will be a long time before IPv4 will suck in a lot of places.
But that is no reason for not deploying IPv6 in the network everywhere
now. That is what we are doing.

>> If I was Skype I would make really sure that all my relay nodes and
>> login servers have IPv6 with enough bandwidth or can easily upgrade the
>> bandwidth where needed. And make sure at least IPv6-client and
>> IPv6-servers communication works everywhere where there is IPv6.
> Clearly that would be needed to serve the IPv6-only users well.

And the dual-stack customers, CGN with IPv6 customers and NAT64/DNS64
customers who want to talk to IPv6-only users.

>>
>> For your customers it is really easy. When Skype does not work, people
>> will jump ship where they can and maybe use Google Talk or whatever.
> Ah. But you're taking the bet that when Skype does not work on *your*
> network that provides IPv4 access via NAT64 people won't "jump ship"
> to a provider that uses CGN or even has enough native IPv4 addresses
> left around.

I couldn't care less about what Skype does, it was just advice. I'm in
the content-/hosting-business. Most of what we have on our network is
websites. For that I can only choose between 2 things: publish no AAAA
record in DNS or publish an AAAA-record in DNS for our hosted websites.
I could try to do this selectively or per network basis like Google
does, but that is about it.

As IPv6 is a reality, all I can do is choose when to add the AAAA-record.

>> I suggest making sure you include both IPv4 and IPv6 addresses in your
>> protocol, maybe it needs to be extended. So that the client at the other
>> end can choose what IP-version to use. Or can try both. Maybe the
>> login-server can help to decide for the client. But those login servers
>> will need to have good IPv6 connectivity to be able to do so.
> But none of that solves the problem of talking from an IPv6 client
> that has broken IPv4 access (NAT64) to an IPv4 client that has no
> IPv6 access.
>

I'm just suggesting you add it to give you more flexibility. If you have
more information and more paths to/from and between your customers you
have more options to allow them to talk directly.

I've seen a discussion about DNSSEC and DNS64/NAT64 as well and it would
be really good to have some pointers maybe in the additional section of
the DNS-response or something like EDNS0 to tell us that the
DNS64-translation has happened. NAT64/DNS64 will suck if they do deploy
it, I would rather see CGN too. To be honest I don't think that will be
great either in the long run. I would like to see everyone deploy IPv6
already.

Take for example the access-provider for my home connection, it looks
like their network will be ready for IPv6 maybe next year. From my
experience with deploying IPv6 there are always problems which need
extra time. So next year might be on time, but who says they will make
that 'deadline'.

>> I'm sorry if it sounds a bit like fear mongering, but to me it sounds
>> like common sense that if a business is not prepared when the
>> environment that business operates in changes and that business does not
>> adapt to the changes in time that business might suffer.
> But that's true of ISPs when they choose how to deal with the lack of
> additional IPv4 space but continued customer demand to reach the IPv4
> Internet, too, isn't it?
>

Yes, as a content-/hosting-provider or creator of a network application
as yourself I hope that everywhere where IPv6 has been deployed it works
well.

If it is true what someone else mentioned that the mobile operators
choose to all deploy NAT64/DNS64 then that sucks. But I fully understand
it, if they as an industry can't get the equipment manufacturers to
deliver them products which don't cost them twice as much if they deploy
IPv4 and IPv6 at the same time then they have a hard choice to make. It
looks like they already made their choice. The mobile stack has many
parts and paying twice for a lot of those parts is a hard sell to
management.

> Matthew Kaufman
>




