[governance] Why we need IPv6 and why you should care
Thomas Narten
narten at us.ibm.com
Tue Feb 26 22:15:26 EST 2008
"Ian Peter" <ian.peter at ianpeter.com> writes:
> My understanding is that the major deployment of NATs is with corporate
> networks and government networks. Am I right?
Depends on how you count. In sheer numbers, it's probably home users.
Probably 90+% of all home users are behind a NAT box. In the US
home/office market (characterized by cheap -- under $50 -- "routers")
they all perform NAT. Indeed, they are arguably not even proper
routers, because the NAT functionality is integral and *cannot* be
disabled. When I last looked (a few years back), I couldn't find an
off-the-shelf (cheap) router in which I could disable NAT. In talking
to others, this is the norm.
Bottom line: everyone is using NATs. Home users, small businesses, and
major enterprises.
> And isn't the capacity to ensure that you cannot make a direct
> connection from Internet to any one of hundreds of thousands of
> computers in corporate networks fundamental to network security as
> currently practiced? In other words, aren't they going to want to
> have NATs for network security, IPv6 or no IPv6? So won't NATs just
> live on?
You just demonstrated how much of an uphill battle it will be to
change the NAT mindset. People have been sold on the idea that NATs
provide security (which has to be good, right?). And yes, they do. But
that is because they have a built-in firewall. It is the firewall that
provides the security. You don't need the NAT functionality to get the
security part...
Well, it is also true that if you put your computer in a locked room
and make the doors one-way exits only, you also get security. And NATs
in a sense do that, because they only allow outgoing connections (by
design), so it's not really possible to allow inbound connections ---
whether hostile or friendly.
With a proper firewall, you can configure the security. That is, you
can select which incoming connections to allow (i.e., those from safe
protocols/applications), while disallowing others. You have a choice.
With NAT, there is only one setting: disallow all incoming traffic.
> > Consider a cell phone with an IP address (the model of all future
> > devices...). Life sure would be straightforward if "phone calls"
> > simply consisted of the caller being able to initiate a direct
> > connection to your cell phone. That simply doesn't work in a world
> > full of NATs.
> But does it work anyway within IPv6, which, like its predecessor, was not
> designed for mobility? Isn't one of the unresolved technical issues with
> IPv6 mobility
It is just as resolved (or unresolved) in IPv4 as in IPv6, in some
sense. So I am not sure what this means or if this is (again) supposed
to suggest that IPv6 is not yet finished and more needs to be done.
IPv6 provides an enlarged address space. That is the key benefit.
It doesn't solve a range of other problems that people wish it would
solve.
> and multihoming? Doesn't multihoming mean that if I change away from
> my home base (as one tends to do with a mobile phone) the IPv6
> address will have to change, i.e when a node changes its point of
> attachment to the Internet, its address becomes topologically
> incorrect? I understood that the change of the point of attachment
> is still problematic?
Multihoming is just as problematic in IPv6 as it is in IPv4. In other
words, there is no magic solution here. People often wish IPv6 solved
this problem better than IPv4 does, but wishing doesn't make it so.
One of the big frustrations with IPv6 for many is that it doesn't
solve a whole lot of problems that would have been nice to solve. But
it turns out that many of those problems are fundamentally hard to
solve, and it's simply not as simple as saying "since we have to
upgrade to IPv6 anyway, let's fix a bunch of other things too". IPv6
has "fixed" some of the easy things that we know how to fix. For the
more substantive problems (like multihoming or a better mobility)
people are still figuring out how best to solve those problems.
Solutions simply aren't on the table today.
Thomas
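The firewall-without-NAT posture the message argues for, written out as an added nftables ruleset (example configuration, not part of the original post): it starts from the same "replies to my own connections only" default a NAT box imposes, then adds the selectable inbound rules that NAT cannot offer. The interface names wan0/lan0, the admin prefix 2001:db8:1::/64 (documentation prefix) and SSH on port 22 are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny stateful IPv6 filter for a small router/host.
# Assumed placeholders: wan0/lan0 interfaces, admin prefix 2001:db8:1::/64.
flush ruleset

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened: the part NAT "gives you".
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # IPv6 does not work without ICMPv6 (neighbour discovery, PMTUD,
        # router advertisements); dropping it blindly is a common IPv4 habit.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # The configurable part NAT lacks: a chosen inbound service, from a
        # chosen source prefix, everything else stays closed.
        tcp dport 22 ip6 saddr 2001:db8:1::/64 ct state new accept

        # Count and log what the policy drops, so blocked traffic is visible.
        counter log prefix "ip6-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate outbound; unsolicited inbound is dropped.
        iifname "lan0" oifname "wan0" ct state new accept

        # Let path-MTU and error signalling reach inside hosts.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        counter log prefix "ip6-forward-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load with `nft -f <file>`; the two `counter log` rules are the detection hook, since `nft list ruleset` then shows how much unsolicited inbound traffic the policy is actually stopping.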