[clug] IPv6 Australia?

Daniel Rose drose at nla.gov.au
Mon Jul 28 23:45:37 GMT 2008


Sunnz wrote:
> Well the way I understand NAT is that it is simply a SPI filtering that
> swaps the source address of outgoing packets from the LAN and simple
> drop all unsolicited incoming packets... it pretty much just adds a
> mapping of an address to a firewall, in other words, it is just a
> firewall, right?
> 

Yes and no.

RFC 1918:
 The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

So Internet infrastructure won't route packets to/from those addresses, it will almost always just drop the packets.  Combined with NAT, they let you have an enormous number of computers which communicate with each other just fine, but traverse a NATing router to reach the wider Internet.  Other hosts on the Internet will see a single IP address which appears to be very busy!

NAT used with fully routable addresses can allow full traversal, IIRC.  It's not so much the NAT that provides the security as the fact that a packet to 192.168.0.3 won't (can't, we hope) arrive on the external interface.  That was my experience with one particular OS's implementation anyway.


> Anyway, NAT might as well be used with IPv6:
> 
> http://www.techworld.com/networking/features/index.cfm?featureid=4167&pagtype=all
> 
> I personally don't see anything so bad about NAT that some people
> behind IPv6 consider it as an upgrade to drop it?

It is a hack to allow RFC1918-type hosts access to the Internet.  It's not come about by design, it wasn't meant to work that way.  It's not pure! It violates the peer-to-peer nature of the open Internet!

It wastes CPU cycles.  It makes it harder for external people to get information about a host.  It means that one "Natted" user can get the public IP blacklisted and cause trouble for their peers.

It allows lazy networkers to make new netblocks every time they think they need one, leading to cascading NATs and messy networks.

That's about all I have.  These aren't strong, practical reasons why NAT is bad.  I think NAT deployed by an ISP would be a problem, certainly for many of us it would be, but overall I can't see a strong practical reason why NAT should be shunned, I just know that it feels wrong!




-- 
Daniel Rose
National Library of Australia
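The RFC 1918 blocks quoted above, and the "a packet to 192.168.0.3 won't arrive on the external interface" check from the reply, as an added example that is not part of the original post. The interface name eth0, the packet dict layout and the sample packets are constructed for illustration; the prefix matching is done with explicit masking so the /12 boundary (172.31.255.255 in, 172.32.0.0 out) is visible.

```python
# Added example: RFC 1918 classification and a simple ingress sanity check
# for the external interface, using integer masking rather than a library.

# The three private blocks from RFC 1918, as quoted in the thread.
RFC1918_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def ip_to_int(addr: str) -> int:
    """Parse dotted-quad IPv4 text into a 32-bit integer (strict)."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    n = 0
    for p in parts:
        v = int(p)
        if not 0 <= v <= 255:
            raise ValueError(f"octet out of range: {addr!r}")
        n = (n << 8) | v
    return n


def in_prefix(addr: str, prefix: str) -> bool:
    """True if addr falls inside the CIDR prefix, e.g. 172.16.0.0/12."""
    net, bits = prefix.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (ip_to_int(addr) & mask) == (ip_to_int(net) & mask)


def is_rfc1918(addr: str) -> bool:
    return any(in_prefix(addr, p) for p in RFC1918_PREFIXES)


def external_ingress_verdict(pkt: dict, external_iface: str = "eth0") -> str:
    """Packets with a private source or destination should never appear on
    the external interface; drop them there, leave LAN-side traffic alone."""
    if pkt["iface"] != external_iface:
        return "accept"
    if is_rfc1918(pkt["src"]):
        return "drop: RFC 1918 source"
    if is_rfc1918(pkt["dst"]):
        return "drop: RFC 1918 destination"
    return "accept"


# Constructed sample packets (assumed field names; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE_PACKETS = [
    {"iface": "eth0", "src": "203.0.113.7", "dst": "198.51.100.2"},
    {"iface": "eth0", "src": "10.1.2.3", "dst": "198.51.100.2"},
    {"iface": "eth0", "src": "203.0.113.7", "dst": "192.168.0.3"},
    {"iface": "eth1", "src": "192.168.0.3", "dst": "192.168.0.1"},
]


def filter_packets(pkts, external_iface: str = "eth0"):
    return [external_ingress_verdict(p, external_iface) for p in pkts]
```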

