IPv6 deployment excuses

Masataka Ohta mohta at necom830.hpcl.titech.ac.jp
Tue Jul 5 02:34:17 UTC 2016


Jared Mauch wrote:

>> Are you saying, without NAT or something like that to restrict
>> reachable ports, the Internet, regardless of whether it is with
>> IPv4 or IPv6, is not very secure?
>
> 	I'm saying two things:
>
> 	1) UPnP is a security nightmare and nobody (at scale)
> will let you register ports with their CGN/edge.

Don't do that. Just have static port forwarding. UPnP
may be used as a channel to advertise the forwarding
information but you can also do it manually (for reverse
translation, configuring a global IP address and a range
of port numbers is enough).

> 	2) We are an industry in transition.  Internet connectivity
> will soon be defined by v6 + v4, not v4 + sometimes v6.

Yeah, we have been so for these 20 years.

> 	Our services need to work for the broadest set of users.  Many
> people are now used to the non-e2e results of a NAT/CGN environment.

Exactly. And, as e2e transparency over NAT can be offered to
exceptional people, we can live with IPv4 forever.

							Masataka Ohta



