v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
mohacsi at niif.hu
Thu Feb 5 08:47:48 UTC 2009
On Wed, 4 Feb 2009, Roger Marquis wrote:
> Perhaps what we need is an IPv6 NAT FAQ? I suspect many junior network
> engineers will be interested in the rationale behind statements like:
> * NAT disadvantage #1: it costs a lot of money to do NAT (compared to what
> it saves consumers, ILECs, or ISPs?)
Yes, it costs more money in OPEX. Try to detect a malicious host behind a NAT
among a thousand hosts.
> * NAT disadvantage #3: RFC1918 was created because people were afraid of
> running out of addresses. (in 1992?)
Yes. One of my colleagues, who participated in the development of RFC 1918
> * NAT disadvantage #4: It requires more renumbering to join conflicting
> RFC1918 subnets than would IPv6 to change ISPs. (got stats?)
This statement is true: currently you encounter more private address
usage than IPv6 usage.
> * NAT disadvantage #5: it provides no real security. (even if it were true
> this could not, logically, be a disadvantage)
It is true. Lots of administrators behind the NAT think that, because of
the NAT, they can run a poor, careless software update process. The majority
of malware infections come from application insecurity. This cannot
be prevented by NAT!
> OTOH, the claimed advantages of NAT do seem to hold water somewhat better:
> * NAT advantage #1: it protects consumers from vendor (network provider)
Use PI addresses and multihoming.
> * NAT advantage #2: it protects consumers from add-on fees for addresses
> space. (ISPs and ARIN, APNIC, ...)
No free lunch. Or use IPv6.
> * NAT advantage #3: it prevents upstreams from limiting consumers'
> internal address space. (will anyone need more than a /48, to be asked in
You can get more /48s, or use ULA.
> * NAT advantage #4: it requires new (and old) protocols to adhere to the
> ISO seven layer model.
This statement is bullshit.
> * NAT advantage #5: it does not require replacement security measures to
> protect against netscans, portscans, broadcasts (particularly microsoft
> netbios), and other malicious inbound traffic.
Same, if you implement proper firewall filtering.
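To make the "proper firewall filtering" point concrete, here is an added example (not part of the thread and not anything the poster shipped) of a stateful default-deny IPv6 ruleset in nftables. It gives the LAN the same protection against unsolicited inbound scans and probes that a NAT gives as a side effect, while keeping the ICMPv6 messages IPv6 needs to function and leaving every host globally addressable, so a misbehaving host can be identified by its own address instead of by a shared translated one. The interface name `eth0` and the `2001:db8:1234::/48` documentation prefix are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful default-deny IPv6 filter (placeholders: eth0, 2001:db8:1234::/48)

define wan = "eth0"
define lan_prefix = 2001:db8:1234::/48

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to sessions the router itself opened; drop broken state
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMPv6 is not optional in IPv6: neighbour discovery, router
        # advertisements and path-MTU discovery all depend on it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # DHCPv6 server replies to this router's own client arrive on UDP 546
        iif $wan ip6 saddr fe80::/10 udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions initiated from inside
        ct state established,related accept
        ct state invalid drop

        # Hosts inside the /48 may open outbound sessions
        iif != $wan ip6 saddr $lan_prefix accept

        # Everything unsolicited from the outside hits the drop policy, just as
        # a NAT without a port mapping would discard it. Error messages and
        # rate-limited pings are still let through so PMTUD keeps working.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` on the border router. The difference from NAT shows up in the logs: an outbound connection from an infected host carries that host's global address end to end, so an abuse report or flow record points at one machine rather than at the whole translated population.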