Problems with removing NAT from a network

Mark Andrews marka at isc.org
Wed Jan 5 23:35:09 CST 2011


In message <AANLkTinXp-C96rdb2+06v1kqwFdiehy6_2=ohOOm86Tx at mail.gmail.com>, Cameron Byrne writes:
> On Wed, Jan 5, 2011 at 8:31 PM, Mark Andrews <marka at isc.org> wrote:
> >
> > In message <AANLkTimkgPYKY_AkA5px4-ca-3=oufhGbnenRkPmpTE1 at mail.gmail.com>, Cameron Byrne writes:
> >> On Wed, Jan 5, 2011 at 6:42 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:
> >> >
> >> > On Jan 6, 2011, at 9:38 AM, ML wrote:
> >> >
> >> >> At least not without some painful rebuilds of critical systems which
> >> >> have these IPs deeply embedded in their configs.
> >> >
> >> > They shouldn't be using IP addresses in configs, they should be using
> >> > DNS names.  Time to bite the bullet and get this fixed prior to their
> >> > eventual forced migration to IPv6.
> >> >
> >>
> >> Somebody should tell the nytimes.com about this being a bad practice,
> >> many of their images are linked to ip addresses directly and will
> >> certainly fail in the future (this year, mobile) networks that will
> >> use NAT64/DNS64.  I am sure users will find other places to view their
> >> news when nytimes.com fails to work in these ipv6-only networks.
> >
> > Which is one of the reasons why DS-lite is a better solution for
> > providing legacy access to the IPv4 Internet than NAT64/DNS64.
> > DS-lite only breaks what NAT44 breaks.  DS-lite doesn't break new
> > things.
> 
> Thanks for the tip.  But, there are legitimate business reasons in
> various different types of networks for various strategies,

Indeed.  I just wish DS-lite was thought of about the same time
as NATPT was.  That way network operators would have the code in
things like cell phones today rather than the next gen resulting
in them being forced to use NAT64 and with that all the additional
problems it causes.

The network operator is going to be running a big/distributed NAT
box of one description or another to share the available IPv4
addresses.  It's just a matter of which packets it's processing.  The
end choice may come down to which DHCP options the client requests
or doesn't.  i.e. return DNS64 nameservers if the client doesn't
request the DS-lite configuration parameters.

> thanks for plugging the one your organization makes.

We also ship a DNS64 implementation.

>  					      I am tired of the IPv6
> transition flavor of the day war.  The reality for content folks is
> that there will be IPv4 host, IPv6 hosts, and dual stack hosts.
> Content needs to be dual-stack to reach everyone the best way
> (native), but if they lack dual-stack and they use IPv4 literals, they
> are going to lose eyeballs. End of story.

Agreed they will lose eyeballs.  HTTP and IPv4 literals is one of the
easier problems to be mitigated.  It's the rest of the places where IPv4
addresses are passed that causes problems.

> Content folks-- do yourself a favor and follow Roland's advice (also
> in RFC 1958) and don't use address literals, use names.
> 
> And, you will notice that the list at
> http://groups.google.com/group/ipv4literals shows only a few web sites,
> because there are only a few that have this design flaw.  If you know
> others, strengthen your case  and add them to the list so that all
> parties can benefit.  Otherwise, it is just a few poorly designed
> internet services that will be in a rush to fix services when users
> complain.... or their web page hits start trending down while their
> competitors trend up.
> 
> Cameron
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
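
Added example, not part of the original message or of any ISC code: a small Python audit that finds URLs with IPv4 literal hosts in a page, the pattern the thread says fails behind NAT64/DNS64, and shows the AAAA record DNS64 would synthesize when a name is used instead. The function names, the sample HTML and the use of the RFC 6052 well-known prefix 64:ff9b::/96 are assumptions of this example; operators may deploy a different prefix.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# RFC 6052 well-known NAT64 prefix (assumed here; a network may use its own).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def synthesize_aaaa(ipv4: str) -> str:
    """Embed an IPv4 address in the NAT64 prefix, as DNS64 does for an A-only name."""
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4)))

class LiteralFinder(HTMLParser):
    """Collect URL-bearing attributes whose host is an IPv4 literal."""
    URL_ATTRS = {"src", "href", "action", "poster", "data"}

    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, url, host)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in self.URL_ATTRS or not value:
                continue
            try:
                host = urlsplit(value.strip()).hostname
                ipaddress.IPv4Address(host or "")
            except ValueError:
                continue  # relative URL, DNS name, IPv6 literal or malformed URL
            self.hits.append((tag, name, value, host))

def find_ipv4_literals(html: str):
    finder = LiteralFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page using documentation address ranges.
SAMPLE_HTML = """
<img src="http://192.0.2.10/img/front.jpg">
<img src="http://images.example.com/img/logo.png">
<a href="//198.51.100.7:8080/story">story</a>
<a href="/local/path">local</a>
<script src="https://[2001:db8::1]/app.js"></script>
"""

if __name__ == "__main__":
    for tag, attr, url, host in find_ipv4_literals(SAMPLE_HTML):
        # No DNS lookup happens for a literal, so DNS64 never gets to return
        # the synthesized address that a hostname would have resolved to.
        print(f"<{tag} {attr}> {url}: needs a name; DNS64 would map {host} "
              f"to {synthesize_aaaa(host)}")
```
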
