Rate of growth on IPv6 not fast enough?

Leen Besselink leen at consolejunkie.net
Tue Apr 20 15:31:46 CDT 2010


On 04/20/2010 09:31 PM, Roger Marquis wrote:
> Jack Bates wrote:
>> .01%? heh. NAT can break xbox, ps3, certain pc games, screw with various
>> programs that dislike multiple connections from a single IP, and the
>> crap load of vpn clients that appear on the network and do not support
>> nat traversal (either doesn't support it, or big corp A refuses to
>> enable it).
>
> If this were really an issue I'd expect my nieces and nephews, all of 
> whom are big
> game players, would have mentioned it.  They haven't though, despite 
> being behind
> cheap NATing CPE from D-Link and Netgear.
>
> Address conservation aside, the main selling point of NAT is its 
> filtering of inbound
> session requests.  NAT _always_ fails-closed by forcing inbound 
> connections to pass
> validation by stateful inspection.  Without this you'd have to depend 
> on less
> reliable (fail-open) mechanisms and streams could be initiated from 
> the Internet at
> large.  In theory you could enforce fail-closed reliably without NAT, 
> but the rules
> would have to be more complex and complexity is the enemy of 
> security.  Worse, if

As others have mentioned on the list, this is wrong. NAT is the one that 
makes things
much more complicated in fact. And even NAT can be tricked.

But I do have a question:

Do you think TCP-port 53 for DNS are only used for domain-name transfers ?

> non-NATed CPE didn't do adequate session validation, inspection, and 
> tracking, as
> low-end gear might be expected to cut corners on, end-user networks 
> would be more
> exposed to nefarious outside-initiated streams.
>
> Arguments against NAT uniformly fail to give credit to these security 
> considerations,
> which is a large reason the market has not taken IPv6 seriously 
> to-date.  Even in big
> business, CISOs are able to shoot-down netops recommendations for 1:1 
> address mapping
> with ease (not that vocal NAT opponents get jobs where internal 
> security is a
> concern).
>
> IMO,
> Roger Marquis
>
>





More information about the NANOG mailing list