Reply to post:

OK, this time it's for real: The last available IPv4 address block has gone

Orv Silver badge

...your firewall config just expanded from securing ONE IP to an entire subnet on a protocol you aren't familiar with.

That doesn't actually make your firewall config more complex if the default is "block all incoming," which is what you're arguing we should use NAT to do anyway. (This is assuming a bridge-style "transparent" firewall, but those are common even on IPv4 networks at this point.)

...everyone is using NAT and there are no inherent problems with a proven technology that serves a practical purpose.

If you think NAT isn't broken, it's because you're used to the brokenness. I started using it when it was called "IP masquerading" and was an experimental Linux kernel module. It's always been hacky and buggy, people now just think the breakage is normal.

Besides the problem I noted earlier, there are others:

- Double NAT. Right now most traffic only has to traverse one layer of NAT, at the home router. It does usually work OK if you only go through one layer of it. Try to go through two -- say, you're using a mobile hotspot (NAT'd on the phone) on a mobile carrier that's also using NAT -- and things start to break. FTP simply stops working, for example, even in passive mode. As time goes on we'll be seeing more and more levels of NAT applied and more and more protocols will fall apart.

- Peer-to-peer protocols that work across the Internet but fail if you try to use them with someone on your LAN, because the IP addresses don't match up. I've played some online games that I could play with literally everyone in the world except my own family.

- Idle TCP/IP connection timeouts. After 5-10 minutes of silence, a lot of home routers will decide a TCP/IP connection is no longer needed and drop it to free up space in the NAT table. This is why SSH sessions over home routers tend to drop if you step away for a few minutes. This has resulted in a lot of hacky keepalive systems that send useless data every minute or so just to keep the channel open.

- The security disaster that is UPnP, which exists mostly to give NAT'd devices an automated way to request port forwarding.

Anyway, the fact is that IPv6 *does* support a form of NAT. It's called Network Prefix Translation. But it's not commonly implemented because it doesn't actually serve a useful purpose.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020