Why anyone in their right mind would like to use NAT64


Why anyone in their right mind would like to use NAT64

Daniel Ouellet
Hi,

Just saw a few questions and a patch for NAT64 on misc and tech@ and I am
really questioning the reason to be for NAT64 and why anyone in their
right mind would actually want to use this?

NAT always makes connectivity less efficient anyway and was really
designed to alleviate the lack of IPv4 addresses years ago, and was sadly
used as a firewall setup by what I would call lazy admins instead of a
properly configured one.

Call me stupid and I will accept it, but regardless of this why?

NAT was sadly a quick way to set up security and over time became, even
more sadly, what some supposed security experts call the de facto way
to do security.

NAT needs to process every packet and change the header of both incoming
and outgoing traffic, and as bandwidth keeps increasing this only makes
the totally unoptimized NAT table bigger as more traffic is present,
increasing jitter, latency, etc. Much more powerful routers need to be
used, and many of the firewall appliances sadly loved by some admins, like
the SonicWall and the like, run out of power on intensive UDP traffic
and do not allow the end users to actually get the benefit of the
increased line capacity that is more common these days!

There is even more than this above, but I will spare the list more
as my question is really why NAT64?

In IPv6, the smallest assignment to a remote site is so big anyway, and based
on the RFC recommendation to provide a /48 to a remote site and even a /56
to a single house, how could anyone possibly think he/she would even run
out of IPs and need NAT64?

Isn't it just a side effect of a sadly misguided use of NAT in IPv4 as
a firewall carried over to an IPv6 world instead of starting to do a proper
setup now that IPs will be plentiful anyway?

Anyone have any possible explanation that would actually justify the use
of NAT64 that I obviously overlooked?

Why use it, other than for lazy firewall setups these days?

I would appreciate a different point of view that I obviously appear to
have overlooked, as I really don't see why it even exists.

Best,

Daniel


Re: Why anyone in their right mind would like to use NAT64

Jussi Peltola
On Wed, Oct 24, 2012 at 12:43:12PM -0400, Daniel Ouellet wrote:
> Hi,
>
> Just saw a few questions and a patch for NAT64 on misc and tech@ and I
> am really questioning the reason to be for NAT64 and why anyone in
> their right mind would actually want to use this?

To reach v4 only hosts, d'oh?
 
> In IPv6, the smallest assignment to a remote site is so big anyway, and
> based on the RFC recommendation to provide a /48 to a remote site and
> even a /56 to a single house, how could anyone possibly think he/she
> would even run out of IPs and need NAT64?

This is a utopian dream; the reality is /64s or /128s in many places. This
is useless for anyone with a router unless you start playing with proxy
NDP, which will end in tears, or NAT. But I really do not see what on
earth this has to do with NAT64 at all.

> Isn't it just a side effect of a sadly miss guided use of NAT in
> IPv4 as a firewall carry over to a IPv6 world instead of starting to
> do proper setup now that IP's will be plentiful anyway?
 
NAT will not go away, there are plenty of corner cases where it is
useful (like management networks where you cannot put each management
interface in a VRF.) Companies will also very likely want to keep
private addresses internally; NAT is easier for many cases than having a
separate routable address on every host.

NAT is a necessary evil, and it really is not that bad when operated
voluntarily by the same party as the end-hosts behind it. The real
problem is CGN; I doubt any ISP is going to NAT when it is not
absolutely necessary because it is expensive and painful.


Re: Why anyone in their right mind would like to use NAT64

Peter Nicolai Mathias Hansteen
In reply to this post by Daniel Ouellet
Daniel Ouellet <[hidden email]> writes:

> Just saw a few questions and a patch for NAT64 on misc and tech@ and I
> am really questioning the reason to be for NAT64 and why anyone in
> their right mind would actually want to use this?

The main reason why NAT64 was developed is that in some scenarios it
looked like it would save money for budget-constrained organizations of
various kinds.

Typically these are sites who need various types of specialized equipment
that is designed to be super-reliable and is insanely expensive to
replace.  Some of these sites are now facing the requirement to run IPv6
while they also have significant amounts of equipment that needs to be
kept running for a hard to determine number of years more even though it
is old enough that the manufacturers have declined to offer upgrades
that would enable the devices to support IPv6.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: Why anyone in their right mind would like to use NAT64

Simon Perreault-2
In reply to this post by Daniel Ouellet
One use case: ISP who wants to provide IPv4+IPv6 to customers, but does
not have enough IPv4 addresses for everyone, so has to NAT anyway, and
wants to simplify the operation of its edge network by running only one
protocol.

Quite popular with 3GPP folks since they have zillions of customers and
are already NATing them in IPv4-only, and their handsets all run
applications coded in a high-level language like Java and therefore
support IPv6 by default. The notable exception being Skype...

As soon as you provide IPv6, you have a huge chunk of your traffic that
is IPv6: Google, Facebook, Youtube, Akamai, etc. So NAT64 is only used
for the remaining mom and pop shops, and www.openbsd.org. And that
fraction of IPv4-only hosts is diminishing and all signs point to that
trend continuing.

So these 3GPP providers can go from "NAT everything" to "NAT a little"
by deploying NAT64. Why would anyone in their right mind not consider that?

Simon


Re: Why anyone in their right mind would like to use NAT64

Kurt Mosiejczuk
In reply to this post by Daniel Ouellet
Daniel Ouellet wrote:

> Anyone have any possible explication that would actually justify the use
> of NAT64 that I obviously overlooked?

The one use I could think of is to make your internal network
independent of your ISP.  Right now, if you change ISPs, your network
prefix changes and your whole network has to be renumbered.

I read about it in the following article earlier this year.
http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/

I'd be happy to have it pointed out to me how the article is wrong, but
it seemed to point out the ugly corners the IPv6 folks don't talk about.

--Kurt


Re: Why anyone in their right mind would like to use NAT64

Denis Fondras
In reply to this post by Daniel Ouellet
Hello,

Le 24/10/2012 18:43, Daniel Ouellet a écrit :
> Hi,
>
> Just saw a few questions and a patch for NAT64 on misc and tech@ and I am
> really questioning the reason to be for NAT64 and why anyone in their
> right mind would actually want to use this?
>

What is your proposal to allow a v6-only network to reach a v4-only server?

Denis
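Jussi's and Denis's point (a v6-only network reaching a v4-only server) rests on the address mapping of RFC 6052, which the thread does not name: the translator's prefix carries the IPv4 destination inside the IPv6 address, so the v6-only client never needs an IPv4 address of its own. The following is an added example, not code from the thread or from OpenBSD; it assumes the RFC 6052 byte layouts for the six permitted prefix lengths and the 64:ff9b::/96 well-known prefix, and goes beyond the /96 case most deployments use by handling all six.

```python
# RFC 6052 IPv4-embedded IPv6 addresses: the synthesis DNS64 performs when it
# fabricates an AAAA record for a v4-only server, and the reverse extraction a
# NAT64 translator performs to find the real IPv4 destination.
# Assumption: 64:ff9b::/96 is the well-known prefix; the thread names none.
import ipaddress

# RFC 6052 permits exactly these prefix lengths for an embedding prefix.
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _v4_byte_positions(plen):
    """Byte offsets that carry the four IPv4 octets for a given prefix length.

    The octets follow the prefix immediately but skip byte 8 (bits 64-71,
    the 'u' byte), which RFC 6052 requires to be zero.  Everything after
    the last octet is a zero suffix.
    """
    positions, p = [], plen // 8
    while len(positions) < 4:
        if p != 8:
            positions.append(p)
        p += 1
    return positions


def _check_prefix(prefix):
    pfx = ipaddress.IPv6Network(prefix)
    if pfx.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"unsupported embedding prefix length /{pfx.prefixlen}")
    if pfx.network_address.packed[8] != 0:
        raise ValueError("bits 64-71 of an embedding prefix must be zero")
    return pfx


def embed_ipv4(prefix, ipv4):
    """Synthesise the IPv4-embedded IPv6 address (what DNS64 returns in AAAA)."""
    pfx = _check_prefix(prefix)
    out = bytearray(pfx.network_address.packed)   # prefix bits, all else zero
    for pos, octet in zip(_v4_byte_positions(pfx.prefixlen),
                          ipaddress.IPv4Address(ipv4).packed):
        out[pos] = octet
    # Python prints a lone trailing zero group as ":0", not "::" (RFC 5952).
    return str(ipaddress.IPv6Address(bytes(out)))


def extract_ipv4(address, prefix):
    """Recover the IPv4 destination a NAT64 translator forwards the packet to."""
    pfx = _check_prefix(prefix)
    addr = ipaddress.IPv6Address(address)
    if addr not in pfx:
        raise ValueError(f"{addr} is not inside {pfx}")
    raw = addr.packed
    octets = bytes(raw[p] for p in _v4_byte_positions(pfx.prefixlen))
    return str(ipaddress.IPv4Address(octets))


if __name__ == "__main__":
    # Constructed sample: the same documentation address under each layout.
    for pfx in ("64:ff9b::/96", "2001:db8::/32", "2001:db8:100::/40",
                "2001:db8:122::/48", "2001:db8:122:300::/56",
                "2001:db8:122:344::/64"):
        synth = embed_ipv4(pfx, "192.0.2.33")
        print(f"{pfx:>22} -> {synth:<32} back: {extract_ipv4(synth, pfx)}")
```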


Re: Why anyone in their right mind would like to use NAT64

Theo de Raadt
In reply to this post by Kurt Mosiejczuk
> > Anyone have any possible explication that would actually justify the use
> > of NAT64 that I obviously overlooked?
>
> The one use I could think of is to make your internal network
> independent of your ISP.  Right now, if you change ISPs, your network
> prefix changes and your whole network has to be renumbered.

But IPV6 is such a brilliant network for creating provider cartels and
monopolies! The business case is solid!


Re: Why anyone in their right mind would like to use NAT64

Simon Perreault-2
In reply to this post by Kurt Mosiejczuk
Le 2012-10-24 14:25, Kurt Mosiejczuk a écrit :
> The one use I could think of is to make your internal network
> independent of your ISP.  Right now, if you change ISPs, your network
> prefix changes and your whole network has to be renumbered.
>
> I read about it in the following article earlier this year.
> http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/
>
> I'd be happy to have it pointed out to me how the article is wrong, but
> it seemed to point out the ugly corners the IPv6 folks don't talk about.

What you need to multihome is either BGP or NAT. Exactly as in IPv4.
Nothing has changed. The only new thing with IPv6 is that there's more bits.


However, with more bits you have the possibility of using a "nicer" form
of NAT that statelessly maps one prefix to another:

http://tools.ietf.org/html/rfc6296


And here's a draft with more info on how to apply it to multihoming:

http://tools.ietf.org/html/draft-bonica-v6-multihome-03


Simon
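An added example (not code from the thread, from RFC 6296 or from OpenBSD) of the checksum-neutral mapping RFC 6296 describes: the prefix bits are overwritten and a single 16-bit word is adjusted so that the one's-complement sum of the address, and therefore every TCP/UDP checksum covering it, is unchanged, which is what lets the translator run with no per-connection state. The prefixes and addresses below are constructed; the choice of word and the 0xFFFF handling follow my reading of the RFC and are marked as such in the comments.

```python
# RFC 6296 NPTv6: stateless, 1:1, checksum-neutral prefix translation.
import ipaddress


def _fold(s):
    """One's-complement fold of an integer sum into 16 bits."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def _ones_sum(words):
    return _fold(sum(words))


def _words(value):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _join(words):
    v = 0
    for w in words:
        v = (v << 16) | w
    return v


def nptv6_translate(address, internal, external):
    """Map `address` from prefix `internal` onto prefix `external`.

    Both prefixes must have the same length, at most /64.  Running it again
    with the prefixes swapped reverses the mapping, so one function serves
    both directions of the translator.
    """
    src, dst = ipaddress.IPv6Network(internal), ipaddress.IPv6Network(external)
    plen = src.prefixlen
    if plen != dst.prefixlen or plen > 64:
        raise ValueError("prefixes must be of equal length and no longer than /64")
    a = ipaddress.IPv6Address(address)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    old = _words(int(a))
    # 1. Overwrite only the prefix bits; the rest of the address is untouched.
    mask = int(src.netmask)
    new = _words((int(a) & ~mask) | int(dst.network_address))
    # 2. Adjustment = one's-complement difference of the upper 64 bits.  Only the
    #    prefix words differ, so summing the first four words is sufficient.
    delta = _fold(_ones_sum(old[:4]) + (~_ones_sum(new[:4]) & 0xFFFF))
    # 3. Apply it to one word: the subnet word (bits 48-63) for /48 or shorter,
    #    otherwise the first interface-identifier word that is not 0xFFFF
    #    (my reading of the RFC; adding to 0xFFFF cannot be reversed unambiguously).
    if plen <= 48:
        idx = 3
    else:
        idx = next(i for i in range(4, 8) if new[i] != 0xFFFF)
    new[idx] = _fold(new[idx] + delta)
    if new[idx] == 0xFFFF:   # 0xFFFF and 0x0000 are the same one's-complement value
        new[idx] = 0
    return str(ipaddress.IPv6Address(_join(new)))


def checksum_neutral(a, b):
    """True if both addresses have the same one's-complement sum, so a transport
    checksum computed over the pseudo-header is identical for either address."""
    sa = _ones_sum(_words(int(ipaddress.IPv6Address(a))))
    sb = _ones_sum(_words(int(ipaddress.IPv6Address(b))))
    return sa % 0xFFFF == sb % 0xFFFF


if __name__ == "__main__":
    # Constructed sample: ULA inside, provider-assigned /48 outside.
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"
    out = nptv6_translate("fd01:203:405:1::1234", inside, outside)
    print(out, checksum_neutral("fd01:203:405:1::1234", out))
    print(nptv6_translate(out, outside, inside))   # back to the original
```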


Re: Why anyone in their right mind would like to use NAT64

Claudio Jeker
On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:

> Le 2012-10-24 14:25, Kurt Mosiejczuk a écrit :
> >The one use I could think of is to make your internal network
> >independent of your ISP.  Right now, if you change ISPs, your network
> >prefix changes and your whole network has to be renumbered.
> >
> >I read about it in the following article earlier this year.
> >http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/
> >
> >I'd be happy to have it pointed out to me how the article is wrong, but
> >it seemed to point out the ugly corners the IPv6 folks don't talk about.
>
> What you need to multihome is either BGP or NAT. Exactly as in IPv4.
> Nothing has changed. The only new thing with IPv6 is that there's
> more bits.

But less PI space. Since some evangelists believe in the superiority of
IPv6 and try everything to make it impossible to get routable PI space.
At the moment IPv6 is a step backwards in all regards.
If the idea would be to get everybody to use v6 then the RIR should give
out IPv6 ranges like candy -- if you have a PI IPv4 space you should get a
PI IPv6 space. But instead people still dream of the 10k routing table...

I know one thing for sure. In the next few years the internet will suck.
--
:wq Claudio


Re: Why anyone in their right mind would like to use NAT64

Jussi Peltola
In reply to this post by Kurt Mosiejczuk
On Wed, Oct 24, 2012 at 02:25:07PM -0400, Kurt Mosiejczuk wrote:
> I read about it in the following article earlier this year.
> http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/
 
Everybody except a few zealots has accepted the fact that NAT will
exist in ipv6 just like v4. The difference is that you are no longer
forced into using NAT by address scarcity, you get to choose if you want
to use it or not.

That article paints a picture of NAT as some kind of silver bullet that
solves everything; I'll not bother arguing against that.

The article also completely misses some of the proposed solutions, like
running multiple prefixes for multihoming, and having a ULA prefix for
internal communication and a dynamically assigned global one for external
connectivity. Yes, you get to change DNS entries for your
publicly-accessible hosts when you change ISPs if you use provider
allocated addresses - how does NAT help with this again, except add the
extra work of changing NAT translation rules?


Re: Why anyone in their right mind would like to use NAT64

Theo de Raadt
In reply to this post by Claudio Jeker
> On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:
> > Le 2012-10-24 14:25, Kurt Mosiejczuk a écrit :
> > >The one use I could think of is to make your internal network
> > >independent of your ISP.  Right now, if you change ISPs, your network
> > >prefix changes and your whole network has to be renumbered.
> > >
> > >I read about it in the following article earlier this year.
> > >http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/
> > >
> > >I'd be happy to have it pointed out to me how the article is wrong, but
> > >it seemed to point out the ugly corners the IPv6 folks don't talk about.
> >
> > What you need to multihome is either BGP or NAT. Exactly as in IPv4.
> > Nothing has changed. The only new thing with IPv6 is that there's
> > more bits.
>
> But less PI space. Since some evangelists believe in the superiority of
> IPv6 and try everything to make it impossible to get routable PI space.
> At the moment IPv6 is a step backwards in all regards.
> If the idea would be to get everybody to use v6 then the RIR should give
> out IPv6 ranges like candy -- if you have a PI IPv4 space you should get a
> PI IPv6 space. But instead people still dream of the 10k routing table...
>
> I know one thing for sure. In the next few years the internet will suck.

I could not say it better myself.  I agree completely.


Re: Why anyone in their right mind would like to use NAT64

Simon Perreault-2
In reply to this post by Claudio Jeker
Le 2012-10-24 14:54, Claudio Jeker a écrit :
> But less PI space. Since some evangelists believe in the superiority of
> IPv6 and try everything to make it impossible to get routable PI space.
> At the moment IPv6 is a step backwards in all regards.

Wait wait wait... what RIR doesn't take "multihoming" as a valid
justification for getting IPv6 PI space?

Simon


Re: Why anyone in their right mind would like to use NAT64

Jussi Peltola
In reply to this post by Simon Perreault-2
On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:
> What you need to multihome is either BGP or NAT. Exactly as in IPv4.
> Nothing has changed. The only new thing with IPv6 is that there's
> more bits.
 
Oh? I have two internet connections plugged directly into my desktop box
at home, it is multihomed and there is no BGP or NAT. This does need
some policy routing to work with uRPF filtered access lines.

With IPv6 multihoming should work trivially: plug two access lines into
a switch, get RAs from both, get addresses from both on your end-host,
and your end-host needs to select the proper route for each source
address. Again, no NAT or BGP. Applications will need to support hosts
having multiple addresses in the future, and happy eyeballs seems to
have made browsers do that.

There is also a considerable advantage against "multihoming" where hosts
only have 1 address configured: if the application tries to use all
source addresses available, you can get to google even if one of your
access lines has no connectivity to them; with BGP multihoming you will
not, with v4 NAT style multihoming you possibly can if it does
round-robin and you try again.

Add SCTP to this puzzle, and you should be able to roam seamlessly from
WLAN to 3G to WLAN without your ssh sessions breaking. mosh already more
or less does this. With multiple addresses and default routes per host,
and SCTP or multipath TCP, you should also be able to load-share one
connection among multiple internet connections.

End hosts need to get smarter, instead of the network adapting to their
stupidity. But I'm not holding my breath.


Re: Why anyone in their right mind would like to use NAT64

Simon Perreault-4
Le 2012-10-24 15:12, Jussi Peltola a écrit :

> On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:
>> What you need to multihome is either BGP or NAT. Exactly as in IPv4.
>> Nothing has changed. The only new thing with IPv6 is that there's
>> more bits.
>
> Oh? I have two internet connections plugged directly into my desktop box
> at home, it is multihomed and there is no BGP or NAT. This does need
> some policy routing to work with uRPF filtered access lines.
>
> With IPv6 multihoming should work trivially: plug two access lines into
> a switch, get RAs from both, get addresses from both on your end-host,
> and your end-host needs to select the proper route for each source
> address.

Source-based routing is arguably not multihoming, depending on your
definition of multihoming. It's not new to IPv6 either.

> Again, no NAT or BGP. Applications will need to support hosts
> having multiple addresses in the future, and happy eyeballs seems to
> have made browsers do that.
>
> There is also a considerable advantage against "multihoming" where hosts
> only have 1 address configured: if the application tries to use all
> source addresses available,

Oh, that's the new thing you're proposing: happy eyeballs on source
addresses. Interesting...

> you can get to google even if one of your
> access lines has no connectivity to them; with BGP multihoming you will
> not,

If you can't trust the routes you receive over BGP, you're kinda screwed
anyway.

Simon


Re: Why anyone in their right mind would like to use NAT64

Theo de Raadt
In reply to this post by Jussi Peltola
> On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:
> > What you need to multihome is either BGP or NAT. Exactly as in IPv4.
> > Nothing has changed. The only new thing with IPv6 is that there's
> > more bits.
>  
> Oh? I have two internet connections plugged directly into my desktop box
> at home, it is multihomed and there is no BGP or NAT. This does need
> some policy routing to work with uRPF filtered access lines.
>
> With IPv6 multihoming should work trivially: plug two access lines into
> a switch, get RAs from both, get addresses from both on your end-host,
> and your end-host needs to select the proper route for each source
> address. Again, no NAT or BGP. Applications will need to support hosts
> having multiple addresses in the future, and happy eyeballs seems to
> have made browsers do that.

What happens if one of your links goes down for a day?

Do all your ssh sessions to everywhere in the world stay up?

The internet has non-transient traffic, too.


Re: Why anyone in their right mind would like to use NAT64

Peter Hessler
In reply to this post by Daniel Ouellet
You have IPv4 only applications, that need to talk with the IPv6 internet.


On 2012 Oct 24 (Wed) at 12:43:12 -0400 (-0400), Daniel Ouellet wrote:
:Hi,
:
:Just saw a few questions and a patch for NAT64 on misc and tech@ and I
:am really questioning the reason to be for NAT64 and why anyone in
:their right mind would actually want to use this?

--
Pascal, n.:
        A programming language named after a man who would turn over
        in his grave if he knew about it.
                -- Datamation, January 15, 1984


Re: Why anyone in their right mind would like to use NAT64

Theo de Raadt
In reply to this post by Jussi Peltola
> End hosts need to get smarter, instead of the network adapting to their
> stupidity. But I'm not holding my breath.

No, what you are really saying is that non-transient network traffic
(long-lived TCP sessions) needs to have the applications talking them
-- and obviously the protocols also -- modified, adding great
additional complexity, to make sure that they can keep traffic moving when
the routing part of the protocol fails to do, uhm, ROUTING.

So, to make this clear with an example.

Basically, to make IPv6 pseudo-"multihoming" work like IPv4
multihoming, ssh and sshd need to be modified so that they can handle a
network break and re-connect using another address.

(Yes, I know there are a few places where this can be solved, using
various tools now being discussed, which means the BIG GUYS can avoid
these problems, but the LITTLE PEOPLE can't).

Awesome.  Totally awesome.

Pushing additional complexity into applications is retarded.

The IETF is run by a bunch of idiots.


Re: Why anyone in their right mind would like to use NAT64

Barbier, Jason
In reply to this post by Peter Hessler
Well, expanding on the address space and numbering issue, that would be a
valid use for NAT, but I honestly think it would be better to actually try
and fix that before trying to put a hack over the top of it. In theory you
could do it with routing tables, but I could be retarded also, so.

On Wed, Oct 24, 2012 at 12:24 PM, Peter Hessler <[hidden email]> wrote:

> You have IPv4 only applications, that need to talk with the IPv6 internet.
>
>
> On 2012 Oct 24 (Wed) at 12:43:12 -0400 (-0400), Daniel Ouellet wrote:
> :Hi,
> :
> :Just saw a few questions and a patch for NAT64 on misc and tech@ and I
> :am really questioning the reason to be for NAT64 and why anyone in
> :their right mind would actually want to use this?
>
> --
> Pascal, n.:
>         A programming language named after a man who would turn over
>         in his grave if he knew about it.
>                 -- Datamation, January 15, 1984
>
>


--
Jason Barbier

Pro Patria Vigilans


Re: Why anyone in their right mind would like to use NAT64

Simon Perreault-2
Le 2012-10-24 15:29, Barbier, Jason a écrit :
> Well expanding on the address space and numbering issue, that would be a
> valid use for NAT but I honestly think it would be better to actually try
> and fix that before trying to put a hack over the top of it.

I'm going to wait a long time for a firmware update that makes my
IPv4-only printer speak IPv6.

Simon

> On Wed, Oct 24, 2012 at 12:24 PM, Peter Hessler<[hidden email]>  wrote:
>
>> >You have IPv4 only applications, that need to talk with the IPv6 internet.


Re: Why anyone in their right mind would like to use NAT64

Jussi Peltola
In reply to this post by Theo de Raadt
On Wed, Oct 24, 2012 at 01:21:33PM -0600, Theo de Raadt wrote:
> What happens if one of your links goes down for a day?
>
> Do all your ssh sessions to everywhere in the world stay up?
>
> The internet has non-transient traffic, too.
 
No, I will have to re-start some of them. This is something that can
only be fixed by getting rid of the assumption about non-changing host
addresses. The other solutions do not scale to the size of the Internet;
I could get BGP at home but I don't want to, it is easier (and cheaper)
to just restart connections in the rare event of one line breaking.

v4 vs v6 has very little to do with this; the world wants roaming and
multi-homing, and BGP is not going to give it to the masses. NAT may
enable multi-homing, but it does nothing to help roaming (on the
contrary, state in the network makes it harder; and NATs tend to break
my idle SSH sessions even when there is no fault in any line).

Do your ssh sessions stay up if one of your upstreams starts blackholing
but still announces you a full table of routes?
