Rate of growth on IPv6 not fast enough?

Tue Apr 20 19:31:47 UTC 2010

Jack Bates wrote:
> .01%? heh. NAT can break xbox, ps3, certain pc games, screw with various
> programs that dislike multiple connections from a single IP, and the
> crap load of vpn clients that appear on the network and do not support
> nat traversal (either doesn't support it, or big corp A refuses to
> enable it).

If this were really an issue I'd expect my nieces and nephews, all of whom are big
game players, would have mentioned it.  They haven't though, despite being behind
cheap NATing CPE from D-Link and Netgear.

Address conservation aside, the main selling point of NAT is its filtering of inbound
session requests.  NAT _always_ fails-closed by forcing inbound connections to pass
validation by stateful inspection.  Without this you'd have to depend on less
reliable (fail-open) mechanisms and streams could be initiated from the Internet at
large.  In theory you could enforce fail-closed reliably without NAT, but the rules
would have to be more complex and complexity is the enemy of security.  Worse, if
non-NATed CPE didn't do adequate session validation, inspection, and tracking, as
low-end gear might be expected to cut corners on, end-user networks would be more
exposed to nefarious outside-initiated streams.

Arguments against NAT uniformly fail to give credit to these security considerations,
which is a large reason the market has not taken IPv6 seriously to-date.  Even in big
business, CISOs are able to shoot-down netops recommendations for 1:1 address mapping
with ease (not that vocal NAT opponents get jobs where internal security is a
concern).

IMO,
Roger Marquis