[Openswan dev] Question about Nat-t
paul at xelerance.com
Tue Mar 3 15:32:17 EST 2009
On Tue, 3 Mar 2009, Michael H. Warfield wrote:
> > > *) NAT is a kludgey way of extending the IPv4 address space.
> > > IPv6 is an incomparably better way of extending the IPv4
> > > address space.
> > > *) A basic principle of engineering is to aim for the moving
> > > target. NAT is the way of the past. The future will be
> > > more and more IPv6.
> > The move to more ipv6 will only happen with more 6to4 and 4to6
> > NATs, and horrible DNS kludges to make ipv4-only systems talk
> > to ipv6-only systems and vice versa.
> According to a recent Google experiment, where they "enrolled" a random
> sampling of visitors to their site into an IPv6 experiment, the US now
> ranks 5th in percentage of clients
> This was largely thanks to Macs and Airport
> Extreme base stations which comprised half of the US traffic that worked
> and utilized IPv6. I'm sure the client users never even recognized it
> was happening.
Exactly, they were behind a NAT. A specific 4to6 NAT. Now what will your ipv4 IPsec
client do? Connect to an ipv6 IPsec via NAT? Probably the 4to6 is clever enough
not to attempt that job and let this client out as ipv4 NAT.
> than IPv4 /32 routable host addresses (whether they exist or not). Oh,
> and I should note, those IPv6 networks are production space only. I
> don't include the 2002::/16 6to4 space or the 2001::/32 Teredo space, or
> any other transition space or address space outside of the global
> unicast space.
So you're excluding the 2002::/16 6to4 space you quoted above as the "real"
IPv6 deployment of the US.
> Still... This is real world. It really is out there and it really
> does work and people really are using it.
Just to recap, I am fine and happy for IPv6. But to say it is now ready
to replace IPv4-NAT without itself requiring NAT is silly.
> 1) Most Windows users (unfortunately) have administrative rights and
> IPv6 is trivial to set up on Windows if it isn't already set up (below).
Most Windows users are behind a $60 router that does not do IPv6, nor does
their ISP give them IPv6.
> 2) Several ISPs in the US have IPv6 now available for some degree of
> difficulty (Verio, Sprint, MCI, Speakeasy). Not sure why Comcast isn't
> providing IPv6 yet, since it's using IPv6 to control settop boxes and
> cablemodems (Nanog presentation from a couple years ago) so they've got
> it in their infrastructure.
I understood Comcast *needed* ipv6 because their 10/8 space was full.