The CNET Lounge forum

General discussion

IPv6 and NAT, a treatise

by tylerlarson / February 7, 2008 3:25 PM PST

As explained in episode 655, IPv6 does, indeed, make NAT routers unnecessary as far as their original purpose is concerned. NAT is a bit of a hack that arose from the difficulty of reserving IP addresses in the limited IPv4 space, and has maintained a sort of "kludge" status among the designers of Internet protocols -- a hack they'd just as soon forget about. Protocols designed for IPv6 (such as IPSec) are decidedly unfriendly (and downright nonfunctional) in the face of NAT because it is intended and expected that NAT never be used on an IPv6 network. (Yes, really.)

Using a NAT router for security has become popular and recommended because it's nearly impossible to get wrong. This is because NAT "fails closed" -- which is to say, no inbound connections are possible without being explicitly permitted. This level of security is deeply associated with NAT, because at the time, you would never find a router without NAT set up in that configuration -- after all, who would want a device to NOT WORK by default? As everyone says, those were simpler times....

But while NAT forces security upon you, it isn't NECESSARY for security. The same "secure by default" configuration in easily available using a router without NAT, but which has similar firewall capability. Here are the basic technical ingredients:
1: Drop all inbound TCP connection attempts
2: Drop all inbound UDP packets unless an outbound packet has been recently seen with corresponding port numbers and IP addresses
3: Drop all non-UDP, non-TCP traffic
4: .... profit!
This is EXACTLY the same rules and mechanisms that a NAT router follows, but without the need to translate addresses. Obviously, an interface should also be provided to allow people to add additional exceptions, just like they can in NAT routers now. The advantage is that a lot of the sticky points associated with NAT routers go away -- things like Skype, VPNs, and gaming will just work better, and an entire class of messy, unreliable hacks will finally disappear.


Post a reply
Discussion is locked
You are posting a reply to: IPv6 and NAT, a treatise
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: IPv6 and NAT, a treatise
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
by Ankhwatcher / February 8, 2008 9:34 AM PST

mmm... I remember south park.

Collapse -
by Nicholas Buenk / February 9, 2008 1:56 AM PST

If ISP's continue to charge people extra for having multiple IP's, you might still want to use NAT.

Collapse -
for home use
by mementh / February 9, 2008 5:49 AM PST
In reply to: Well...

nats make total sense to have just one ip.

for buisness use/web serving.. its needed..

so i suspect unless you need idividual ip's... you should be ok.

Collapse -
by HBeaker / February 10, 2008 11:39 PM PST

Tyler - very nicely put (and dig the South Park reference).

It seems that for many, 'router' is synonymous with 'NAT'. This is unfortunate. When I learned networking back in the days when we were still trying to figure out if OSI or TCP/IP were going to "win" the protocol wars -- the way it was taught to me was that the device is determined by which layer of the ISO model it operates on. Repeaters = layer 1 (physical), Bridges = layer 2 (data link), Routers = layer 3 (network), etc... In today's networking, there are devices that complicate this (layer 3 switches, for example), but for the most part - I still find it helpful to remember the ISO model... And, it's helpful to remember that NAT is an ugly bolt-on for a router. Performing NAT to a reserved private IP address forces the router to do more than just routing -- it needs to keep track of all the sessions initiated, which is unnecessary overhead.

IPv6, as you state so well, will eliminate the need for NAT, allowing routers to do what they are designed to do -- route. It obviously will NOT eliminate the need for security, so we will still need firewalls.

So, Linksys, D-Link, and others will release IPv6 versions of consumer-grade firewall/routers which will behave much like today's NAT/routers, but without NAT. They will hopefully have user-friendly interfaces that allow folks to open-up ports as desired. What good will our IPv6-enabled refrigerator be if we can't actually see it from work? Obviously, there will be people out there who misconfigure their devices (just like today), but this will not be the fault of the protocol or absence of NAT.

That's on the consumer-end. For the enterprise, it's going to get really interesting. For example, if you want your VoIP infrastructure to remain internal-only, an easy way to do that today is to use private IP address space. Even if you accidentally fail to configure your firewalls right, those IP's aren't visible to the Internet at large. I am sure there will be provisions for private addressing in IPv6 (though I don't know what those are). At any rate, the enterprise implications of IPv6 are far greater than the consumer implications. For the consumer, it will be a one-to-one swap out of a similar box. For the enterprise... well, I bet it's a good time to have a CCNE and be for hire.

Popular Forums
Computer Help 47,885 discussions
Computer Newbies 10,322 discussions
iPhones, iPods, & iPads 3,188 discussions
Security 30,333 discussions
TVs & Home Theaters 20,177 discussions
HDTV Picture Setting 1,932 discussions
Phones 15,713 discussions
Windows 7 6,210 discussions
Networking & Wireless 14,510 discussions

Tech for the school year

Smart tech for smart students

Forget the pencils and notebooks. Gear up your students with these portable and powerful note-taking machines.