owen at delong.com
Tue Feb 1 17:11:57 CST 2011
On Feb 1, 2011, at 2:43 PM, David Barak wrote:
> From: Owen DeLong <owen at delong.com>
> David Barak
>> If you're determined to destroy IPv6 by bringing the problems of NAT forward
>> with you, then, I'm fine with you remaining in your IPv4 island. I'm willing to
>> bet that most organizations will embrace an internet unencumbered by the
>> brokenness that is NAT and move forward. I do not think that lack of NAT has
>> been a significant barrier to IPv6 adoption, nor do I think it will be.
> Lack of NAT may or may not continue to be a barrier to IPv6 adoption. However,
> it certainly *has* been a barrier to IPv6 adoption - I have had customers tell
> me that explicitly, and I have no reason to doubt them.
I'm sure there are a few isolated places where IPv6 might have been adopted if
it hadn't been for the fact that nobody has educated them on the alternatives.
However, I'm not convinced there are very many of them. Most of the people I have
had more detailed conversations with go something like this:
X: We can't implement IPv6 because there's no NAT and we depend on NAT.
O: Why do you depend on NAT? All it does is conserve addresses?
X: We use it for address obfuscation and security. We have to meet PCI-DSS
and other audit criteria.
O: Well, the latest PCI-DSS doesn't require NAT. Additionally, you can get
better address obfuscation with privacy addresses. All the security in NAT
comes from stateful inspection. You can still do that in IPv6, you just don't
rewrite the address in the packet.
X: You've got an answer for everything, don't you?
O: Well, I've been doing IPv6 for a few years now. It works pretty well for
me and I'm really glad I don't have to deal with the problems caused
X: Well, OK, but, even if we ignore NAT, we're still not ready to do IPv6.
Then we discuss their real issues stopping them from going to IPv6.
So... I think there are a lot more people using NAT as an excuse than
there are people that would actually implement IPv6 if we just gave
In any case, I think as they find their NATv4 environment becoming
an island disconnected from the internet, they'll probably reconsider
that decision. I'm OK with waiting until that time for those people to
connect to IPv6.
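
The point in the dialogue above, that NAT's protection comes from stateful inspection rather than from the address rewrite, shown as an added example that is not part of the original message. It is a toy model of an edge device, not any real firewall's implementation; the class and function names are hypothetical, the addresses are constructed from documentation ranges, and it assumes the NAT keeps the source port.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulEdge:
    """Toy edge device: tracks outbound flows and, optionally, rewrites the source (NAT)."""

    def __init__(self, nat_public_addr: Optional[str] = None):
        # None means routed mode (IPv6 style): addresses are never rewritten.
        self.nat_public_addr = nat_public_addr
        # (remote addr, remote port, outside addr, outside port) -> (inside addr, inside port)
        self.flows = {}

    def outbound(self, pkt: Packet) -> Packet:
        outside_addr = self.nat_public_addr or pkt.src
        # Assumption: the source port is preserved; a real NAPT may remap it.
        self.flows[(pkt.dst, pkt.dport, outside_addr, pkt.sport)] = (pkt.src, pkt.sport)
        return Packet(outside_addr, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.flows.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inside is None:
            return None  # no matching state: dropped, with or without NAT
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


def demo(edge: StatefulEdge, host: str, server: str, stranger: str):
    """Return (source address seen on the wire, reply delivered?, unsolicited packet dropped?)."""
    wire = edge.outbound(Packet(host, 40000, server, 443))
    reply = edge.inbound(Packet(server, 443, wire.src, wire.sport))
    unsolicited = edge.inbound(Packet(stranger, 443, wire.src, wire.sport))
    return wire.src, reply is not None and reply.dst == host, unsolicited is None


# Constructed sample addresses (RFC 5737 / RFC 3849 documentation ranges, RFC 1918 inside).
NAT44 = demo(StatefulEdge("203.0.113.1"), "192.168.1.10", "198.51.100.7", "198.51.100.99")
ROUTED_V6 = demo(StatefulEdge(), "2001:db8:1::10", "2001:db8:ffff::7", "2001:db8:ffff::99")

if __name__ == "__main__":
    print("NAT44:    ", NAT44)
    print("routed v6:", ROUTED_V6)
```

In both modes the reply is delivered and the unsolicited packet is dropped by the same state-table lookup; the only difference is the source address visible on the wire.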