"Fanboy" series - IPv6 and NATs - YouTube
-
NATs are annoying as hell.
-
NATs are annoying as hell.
Reading the comments from you NAT haters, I wonder if someone named Nat beat you up in the school yard when you were a kid. Or perhaps NAT is a micro-aggression that triggers you?
Of the countless "annoying as hell" things that ISPs do, NAT is pretty low on my list. How about monopolistic business practices, pathetically sh*tty customer service, high price for low bandwidth, data caps, overcharging for modem rental, bundling TV channels, censorship, providing your personal information to other companies without your consent, fighting network neutrality, and so on.
Aside from you disliking the idea of NAT, do the extra few milliseconds it adds to the latency hurt you or prevent you from using the internet? Aside from slightly slowing things down, it's essentially transparent.
-
NAT is not just annoying. It breaks things. For example, IPSec authentication headers won't work with it. Also, things like VoIP and some games require another hack called STUN to get around the fact that the devices don't know their real address, and other issues. One thing NAT is not, is a security feature. NAT provides nothing that a properly configured stateful firewall can't do. NAT was developed to deal with the IPv4 address shortage and provides no other benefit. These days, we have IPv6 available, with a huge number of addresses available. For example, I have a /56 prefix from my ISP. That provides 2 x 10^72 addresses, in the form of 256 /64 prefixes. Each /64 prefix contains 18.4 billion, billion addresses, which is the entire IPv4 address space squared!
So, the sooner the world moves to IPv6 and dumps NAT, the better.
-
People are so conditioned to NAT that they don't understand a NAT-free world. And forget how much effort has to go into making certain applications and protocols work across NAT.
It has just always been that way.
To a fish, explain "wet."
NAT on IPv4 is just the way it is.
NAT on IPv6 is simply unacceptable. As is lack of honoring a DUID and changing delegated prefixes at-will. Add those to your list of heinous ISP practices.
-
What's even more unacceptable is those who are so stuck on IPv4 they won't move to IPv6. I was talking to one guy recently, who was installing the firewall for a customer and even though the ISP was providing IPv6, in addition to IPv4, he refused to use it. I've been to a few other sites where the ISP is providing both, but only IPv4 is used.
A really big part of the problem here is Bell Canada, who don't even provide IPv6 to most of their customers. A few other ISPs do, but not them. There's another company called Telus, based in western Canada, who provides IPv6. They also share cell networks with Bell. So, if you're a Telus customer, you get IPv6 on your cell phone out west, but not in Ontario or Quebec, where Bell Canada is. My ISP, Rogers, also provides my cell network. I get IPv6 on both home and cell Internet connections. My cell phone also has to use 464XLAT to connect to IPv4 only sites and to support IPv4 only apps, as native IPv4 isn't even available on the cell network.
-
What's even more unacceptable is those who are so stuck on IPv4 they won't move to IPv6. I was talking to one guy recently, who was installing the firewall for a customer and even though the ISP was providing IPv6, in addition to IPv4, he refused to use it. I've been to a few other sites where the ISP is providing both, but only IPv4 is used.
There are often good reasons behind this, especially in enterprise networks. IPv6 presents a new set of challenges around security and these are issues that many IT administrators don't have the bandwidth, skills, or systems to deal with.
For instance, many IPv4 networks will use known IP host addresses for filtering traffic. IPv6 breaks much of this. The bottom line is security practices and systems that rely on known IP addresses don't work with IPv6. That includes pfSense.
For my own part, I've had IPv6 on my network for a few years now, and limitations with pfSense have caused me to restrict segments of my network to IPv4, as this allows me the sort of fine-grained controlled filtering over those parts of the network that I need. IPv6 prevents me from applying almost any sort of control, let alone "fine-grained".
pfSense isn't alone in this. There are many other network security devices which do not cope with IPv6 security very well.
For any substantial network that requires selective filtering of traffic**, given many firewalls*** don't support this in any useful way for IPv6, the most practical and sensible way to secure the network is to disable IPv6.
Cheers,
Keith
** after all, isn't this what firewalls are supposed to do
*** including pfSense
-
There are often good reasons behind this, especially in enterprise networks. IPv6 presents a new set of challenges around security and these are issues that many IT administrators don't have the bandwidth, skills, or systems to deal with.
I suspect in many cases it's ignorance and refusing to learn. Any current CCNA should know about IPv6, as it's been on the test for years. And yes, I have met those who insist IPv4 is good enough. It's not and hasn't been since the day NAT became necessary to conserve IPv4 addresses.
For instance, many IPv4 networks will use known IP host addresses for filtering traffic. IPv6 breaks much of this. The bottom line is security practices and systems that rely on known IP addresses don't work with IPv6. That includes pfSense.
If you need a known IP host, use the MAC based address or the primary address in Windows. You don't use the privacy addresses, which change regularly.
For the most part, IPv6 works exactly the same as IPv4, with minor differences such as ICMP neighbor solicitation instead of ARP. The routing and filtering principles are exactly the same, differing only in IP address size. Of course, IPv6 brings in things like Unique Local Addresses, but that's no different than using RFC 1918 addresses in IPv4. It also brings in less configuration, as addresses can be automatically assigned, without using a DHCP server.
The biggest reason that IPv6 isn't used is deliberate ignorance on the part of those who should know better.
-
There are often good reasons behind this, especially in enterprise networks. IPv6 presents a new set of challenges around security and these are issues that many IT administrators don't have the bandwidth, skills, or systems to deal with.
I suspect in many cases it's ignorance and refusing to learn. Any current CCNA should know about IPv6, as it's been on the test for years. And yes, I have met those who insist IPv4 is good enough. It's not and hasn't been since the day NAT became necessary to conserve IPv4 addresses.
As a minimum, it's a second set of IP addresses to manage and to configure rules for. In other words, twice as much work to deal with IPv4 + IPv6 than it is to deal with IPv4 alone.
I actually think that resourcing is often more of an issue than not understanding the technology. In most of the enterprises I've encountered, IP network/security expertise is pretty thin on the ground, and the people are busy enough with IPv4.
Of course, they will have to deal with it eventually, and it's the same sort of "head in the ground" attitude which has led a lot of places to still be running Windows XP until the last minute.
But there are other reasons…
For instance, many IPv4 networks will use known IP host addresses for filtering traffic. IPv6 breaks much of this. The bottom line is security practices and systems that rely on known IP addresses don't work with IPv6. That includes pfSense.
If you need a known IP host, use the MAC based address or the primary address in Windows. You don't use the privacy addresses, which change regularly.
That requires the privacy extensions to be disabled on each machine. It's also not possible to configure at all on a lot of systems (e.g. Android).
IoW it's impractical, in many networks, to stop the addresses changing randomly.
For the most part, IPv6 works exactly the same as IPv4, with minor difference such as ICMP neighbor solicitation instead of ARP.
… and the major difference being that you cannot know the IP address in advance in many real-world cases, which kind of makes filtering based on IP addresses impossible.
Cheers,
Keith
-
Of course, IPv6 brings in things like Unique Local Addresses, but that's no different than using RFC 1918 addresses in IPv4
It's a bit different ;) link-local doesn't route like you can route RFC 1918. It's more akin to RFC 3927 (169.254/16) in the IPv4 world, which causes all kinds of problems trying to use RFC 1918 or even public IPv4 space and link-local at the same time, etc.
ipv4 doesn't use one address as its global address and another address for outbound connects that then changes.
These sorts of issues can for sure bring problems to the enterprise networks which use firewalls that block at L3 and expect devices to only use 1 address to talk to each other on, etc.
Even if all the "techs" involved are up to speed on ipv6 - its hard to change the enterprise mindset, implement new security policies and enforcement methods, etc.
The biggest reason that IPv6 isn't used is deliberate ignorance on the part of those who should know better.
I would not agree with such a blanket statement at all. And it's not like an enterprise is going to say ok - NO ipv4, we are going with hosts only getting ipv6 and we will manage that. They would have to bring up dual stack. And now your IT staff has to manage both the ipv4 and the ipv6 and all the trouble and cost and time that will take. Good luck getting that approved.
The biggest part of enterprise IT is what does this change get us.. How does it save us money? How does it save us time and effort? How does it make the network easier for the user, how does it make us more secure..
Try justifying bringing in all the extra headache of adding IPv6 to the network to an enterprise and see how fast they all jump on board ;)
How exactly do you sell it to the enterprise is the big issue in moving to ipv6.. It makes perfect sense in a scenario where you are out of IPv4 space.. But in an enterprise they have all of the rfc1918 space to work with.. And any overlaps in networks can be worked around with nats, etc. Or if you need more space its easier to just bring in public space and use it internally that is not even yours that your users will never have to get to.. Or just use the same space in different locations that do not talk to each other, etc.
While it will get there I am sure.. I am fairly sure I will be retired before ipv6 is mainstream on the enterprise local user network that is for sure..
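The address arithmetic behind the points raised in this thread, as an added example that is not part of any comment above: the /56 delegation and /64 size mentioned earlier, the "MAC based" (modified EUI-64) address versus RFC 4941 privacy addresses that the filtering discussion turns on, and the link-local versus ULA distinction from the last reply. The prefixes, MACs and "observed" source addresses are constructed (2001:db8::/32 is the documentation prefix); only the Python standard library is used.

```python
"""Added example: IPv6 address arithmetic behind the thread's filtering argument.
All prefixes, MACs and 'observed' addresses are constructed (2001:db8::/32 is the
documentation prefix) and do not come from any real network."""
import ipaddress
from collections import Counter

DELEGATED_PREFIX = "2001:db8:1234:5600::/56"   # constructed stand-in for an ISP /56


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 App. A) from a 48-bit MAC.

    ff:fe is inserted in the middle and the universal/local bit (0x02) of the
    first octet is flipped. This is the 'MAC based address' the thread refers to.
    """
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix64: str, mac: str) -> ipaddress.IPv6Address:
    """Stable SLAAC address a host with this MAC forms in the given /64."""
    net = ipaddress.IPv6Network(prefix64, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_eui64_derived(addr) -> bool:
    """True if the low 64 bits carry the ff:fe marker, i.e. the address is
    predictable from the MAC. RFC 4941 temporary (privacy) addresses use random
    interface IDs and only match by chance (1 in 65536)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def address_kind(addr) -> str:
    """Scope class: link-local (fe80::/10, never routed, like 169.254/16),
    ULA (fc00::/7, routable inside the site, like RFC 1918) or global (2000::/3)."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "ula"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"


def count_64s(prefix: str) -> int:
    """Number of /64 subnets in a delegated prefix (a /56 yields 256)."""
    return sum(1 for _ in ipaddress.IPv6Network(prefix).subnets(new_prefix=64))


def hosts_in_64() -> int:
    """Addresses in one /64: 2**64, the IPv4 address space squared."""
    return ipaddress.IPv6Network("2001:db8::/64").num_addresses


def allowlist_coverage(known_macs, prefix64, observed):
    """How much observed traffic an IP allowlist built from known MACs matches.
    Returns (allowed, temporary, unknown): 'temporary' are privacy addresses,
    which a static allowlist can never match; 'unknown' are EUI-64 addresses
    of MACs not in the list."""
    allowed = {slaac_address(prefix64, m) for m in known_macs}
    tally = Counter()
    for s in observed:
        a = ipaddress.IPv6Address(s)
        if a in allowed:
            tally["allowed"] += 1
        elif not is_eui64_derived(a):
            tally["temporary"] += 1
        else:
            tally["unknown"] += 1
    return tally["allowed"], tally["temporary"], tally["unknown"]


if __name__ == "__main__":
    lan = "2001:db8:1234:5600::/64"
    print(count_64s(DELEGATED_PREFIX), "/64s; each holds", hosts_in_64(), "addresses")
    print("stable address of 00:11:22:33:44:55:", slaac_address(lan, "00:11:22:33:44:55"))
    # constructed 'observed' sources: one stable/known, two privacy, one stable/unknown
    observed = [
        "2001:db8:1234:5600:211:22ff:fe33:4455",
        "2001:db8:1234:5600:1c3a:9f2b:7e4d:8a10",
        "2001:db8:1234:5600:94e2:d17:b3c8:55a1",
        "2001:db8:1234:5600:2ab:cdff:fe12:3456",
    ]
    print("allowed/temporary/unknown:", allowlist_coverage(["00:11:22:33:44:55"], lan, observed))
    for a in ("fe80::1", "fd12:3456:789a::1", "2001:db8::1"):
        print(a, "->", address_kind(a))
```

The `allowlist_coverage` tally is the practical upshot of the exchange: a host-address rule matches the EUI-64 address a known MAC forms, but every privacy address (the majority of outbound connections from an unmodified Windows or Android client) falls into the "temporary" bucket, which no static rule can anticipate. Note that Python's own `IPv6Address.is_global` treats 2001:db8::/32 as non-global, which is why the scope check uses explicit 2000::/3 membership instead.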
-
For 7 years, I worked for a European company with 5-10 thousand employees. It took years of user complaints for the IT department to move from lotus notes / domino to microsoft outlook / exchange. The IT department liked it, probably because it kept them all busy. Never mind that the users hated it. That project dragged out for a long time due to budget constraints and still hasn't been completed. I don't see them implementing ipv6 when they haven't even got rid of one of the most hated software applications in computing history. (If you've ever used lotus notes, you will know what I mean.)
Now I'm working for another European company that's substantially larger than the previous company. Again, no sign of ipv6 being implemented. I think it's incorrect to say that the IT people haven't implemented ipv6 because they lack understanding. It's more that they are constantly having to justify their existence and keep their jobs from being outsourced to India. In the case of the current company, the IT helpdesk in fact is staffed in India. There are a lot more pressing IT issues than implementing ipv6.
-
I believe the reason enterprise LAN isn't being converted to v6 is this:
Why? What's the point? There isn't a single "good enough" reason for 99.99% of the LAN networks in the world to migrate to v6 (at this point in time).
Heck, I think there will be NAT4->6 gateways (WAN on v6, LAN on v4) long before any sane IT admin would migrate without any compelling reason to do so.