IPv6 uptake

William Herrin bill at herrin.us
Mon Feb 19 15:16:52 UTC 2024


On Mon, Feb 19, 2024 at 6:52 AM Mike Hammett <nanog at ics-il.net> wrote:
> "We can seriously lose NAT for v6 and not lose
> anything of worth."
>
> I'm not going to participate in the security conversation, but we
> do absolutely need something to fill the role of NAT in v6. If it's
> already there or not, I don't know. Use case: Joe's Taco Shop.
> Joe doesn't want a down Internet connection to prevent
> transactions from completing, so he purchases two diverse
> broadband connections, say a cable connection and a DSL connection.

Hi Mike,

In IPv6's default operation, if Joe has two connections then each of
his computers has two IPv6 addresses and two default routes. If one
connection goes down, one of the routes and sets of IP addresses goes
away.

Network security for that scenario is, of course, challenging. There's
a longer list of security-impacting things that can go wrong than with
the IPv4 NAT + dual ISP scenario.

There's also the double-ISP loss scenario that causes Joe to lose all
global-scope IP addresses. He can overcome that by deploying ULA
addresses (a third set of IPv6 addresses) on the internal hosts, but
convincing the internal network protocols to stay on the ULA addresses
is wonky too.

There's also 1:1 NAT where Joe can just use ULA addresses internally
and have the firewall translate into the address block of the active
ISP. However, because this provides a full map between every internal
address, protocol and port to external addresses and ports (the entire
internal network is addressable from outside), it has no positive
impact on security the way IPv4's address-overloaded NAT does.

Regards,
Bill Herrin

-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
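The 1:1 prefix translation mentioned above, as an added example that is not part of the original post or any real translator: a stateless NPTv6-style mapping (the checksum-neutral scheme described in RFC 6296, modelled here for /48 prefixes only) between a ULA prefix inside Joe's network and one global /48 per ISP. All prefixes, the host address and the function names (outbound, inbound, checksum_neutral) are constructed for the illustration. The point to notice is that inbound() recovers exactly one internal host from any external address, which is the "entire internal network is addressable from outside" property, and that the translation leaves the address's contribution to TCP/UDP checksums unchanged.

```python
"""NPTv6-style (RFC 6296) stateless 1:1 prefix translation, as a model.

Added illustration, not code from the mailing-list post. The prefixes are
constructed: an RFC 4193 ULA /48 inside, and two documentation /48s
(2001:db8:1::/48, 2001:db8:2::/48) standing in for the cable and DSL
upstreams. This is a teaching model, not a conforming translator.
"""
import ipaddress

INNER = ipaddress.IPv6Network("fd00:1234:5678::/48")   # ULA on the LAN (constructed)
ISPS = {                                               # one /48 per upstream (constructed)
    "cable": ipaddress.IPv6Network("2001:db8:1::/48"),
    "dsl":   ipaddress.IPv6Network("2001:db8:2::/48"),
}


def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = addr.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_sum(vals):
    """One's-complement sum with end-around carry (the TCP/UDP checksum arithmetic)."""
    s = sum(vals)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def _translate(addr, src, dst):
    """Rewrite the src prefix to dst, adjusting word 3 (the subnet ID) so the
    one's-complement sum of the whole address, and hence any transport
    checksum computed over it, is unchanged."""
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this model only handles /48 prefixes")
    w = words(addr)
    sw, dw = words(src.network_address)[:3], words(dst.network_address)[:3]
    # adjust = sum(src prefix) - sum(dst prefix) in one's complement
    adjust = ones_sum([ones_sum(sw), (~ones_sum(dw)) & 0xFFFF])
    if w[3] == 0xFFFF:
        # 0xFFFF and 0x0000 are both zero in one's complement, so subnet ID
        # ffff could not be told apart from 0 after translation; exclude it.
        raise ValueError("subnet ID ffff is not usable with checksum-neutral NPT")
    new3 = ones_sum([w[3], adjust])
    if new3 == 0xFFFF:
        new3 = 0  # canonical zero
    out = dw + [new3] + w[4:]
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in out))


def outbound(inner_addr, isp):
    """Inside -> outside, as the firewall would do for the currently active ISP."""
    return _translate(ipaddress.IPv6Address(inner_addr), INNER, ISPS[isp])


def inbound(outer_addr):
    """Outside -> inside. Whichever ISP prefix a packet arrives on, it maps back
    to exactly one internal host: the whole ULA network is reachable through
    either upstream, which is why this buys no security over plain routing."""
    a = ipaddress.IPv6Address(outer_addr)
    for isp, net in ISPS.items():
        if a in net:
            return isp, _translate(a, net, INNER)
    raise ValueError(f"{a} does not belong to any upstream prefix")


def checksum_neutral(a, b):
    """True if both addresses contribute the same value to a transport checksum."""
    def norm(s):
        return 0 if s == 0xFFFF else s
    return norm(ones_sum(words(ipaddress.IPv6Address(a)))) == \
        norm(ones_sum(words(ipaddress.IPv6Address(b))))


if __name__ == "__main__":
    pos = "fd00:1234:5678:10::25"   # point-of-sale host on the LAN (constructed)
    for isp in ISPS:
        ext = outbound(pos, isp)
        print(f"{pos} via {isp:5} -> {ext}  back -> {inbound(str(ext))}")
```

Because the mapping is a bijection on the subnet ID and leaves the interface ID untouched, an outsider who learns one translated address can derive the internal numbering plan and reach every host through either ISP's prefix; only a stateful filter on the firewall, not the translation itself, limits that exposure.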

