[Openswan dev] Qustion about Nat-t

Michael H. Warfield mhw at WittsEnd.com
Tue Mar 3 15:52:22 EST 2009

On Tue, 2009-03-03 at 15:32 -0500, Paul Wouters wrote:
> On Tue, 3 Mar 2009, Michael H. Warfield wrote:
> > > > *) NAT is a kludgey way of extending the IPv4 address space.
> > > >  IPv6 is an incomparably better way of extending the IPv4
> > > >  address space.
> > 
> > > > *) A basic principle of engineering is to aim for the moving
> > > >  target.  NAT is the way of the past.  The future will be
> > > >  more and more IPv6.
> > 
> > > The move to more ipv6 will only happen with more 6to4 and 4to6
> > > NAT's, and horribly DNS kludges to make ipv4-only systems talk
> > > to ipv6-only systems and visa versa.
> > 
> > 	According to a recent Goggle experiment, where they "enrolled" a random
> > sampling of visitors to their site into an IPv6 experiment, the US now
> > ranks 5th in percentage of clients
> > This was largely thanks to Mac's and Airport
> > Extreme base stations which comprised half of the US traffic that worked
> > and utilized IPv6.  I'm sure the client users never even recognized it
> > was happening. 
> Exactly, they were behind a NAT. A specific 4to6 NAT. Now what will your ipv4 IPsec
> client do? Connect to an ipv6 IPsec via NAT? Probably the 4to6 is clever enough
> not to attempt that job and let this client out as ipv4 NAT.
> > than IPv4 /32 routable host addresses (whether they exist or not).  Oh,
> > and I should note, those IPv6 networks are production space only.  I
> > don't include the 2002::/16 6to4 space or the 2001::/32 Teredo space, or
> > any other transition space or address space outside of the global
> > unicast space.
> So you're excluding the 2002::/16 6to4 space you quoted above as the "real"
> IPv6 deployment of the US.
> > 	Still...  This is real world.  It really is out there and it really
> > does work and people really are using it.

> Just to recap, i am fine and happy for IPv6. But to say it is now ready
> to replace IPv4-NAT without itself requiring NAT is silly.

	I would agree there, sort of.  It (IPv6) is ready.  It's the chumps in
the middle that need to get their act together.  There is no REASON why
all these $60 routers can't have v6 6to4 enabled and active right now,
right out of the box.  DD-WRT has it and look at all the routers that
free firmware supports!  It's not v6 that's not ready, it's the
incompetent vendors who could easily support it and continue to not.
But those times are a changing as well (as both the Airport Extreme and
the DD-WRT firware show).  IPv6 was designed (with malice a forethought)
with no flag day.  They made it so easy, it's taking forever, because
nobody (outside of the US government) has any deadlines or pressures to

> > 	1) Most Windows users (unfortunately) have administrative rights and
> > IPv6 is trivial to set up on Windows if it isn't already set up (below).

> Most windows users are behind a $60 router that does not do IPv6, nor does
> their ISP give them IPv6.

	But that same $60 router does pass Teredo (doesn't recognize or care
about it, just passes it) just fine.  Too bloody well, in fact.

	Teredo utilizes a form of the STUN (Simple Tranport of UDP over NAT)
protocol for providing peer-to-peer connectivity over NAT when both ends
are NAT'ed.

	My personal opinion is that the Teredo RFC is proof positive that the
IETF has a sense of humor.  An earlier draft of Teredo was named
"Shipworm".  Teredo is a species of shipworm which is a molusk that
drills holes in the wooden hulls of boats and docks and piers and rots
them from the inside out.  Yup...  Definitely a sense of humor.  That's
exactly what Teredo does to the security of a firewall (and by
extension, a NAT device).

> > 	2) Several ISP's in the US have IPv6 now available for some degree of
> > difficulty (Verio, Sprint, MCI, Speakeasy).  Not sure why Comcast isn't
> > providing IPv6 yet, since it's using IPv6 to control settop boxes and
> > cablemodems (Nanog presentation from a couple years ago) so they've got
> > it in their infrastructure.

> I understood comcast *needed* ipv6 because their 10/8 space was full.

	Yup.  And multiple private address spaces and non-unique addresses was
simply not going to cut it.  Exactly.  But their infrastructure has to
already be dual stack IPv6 enabled for that to work.  They have it from
their core out all the way to their side of the user interfaces.

	Real question for them is when they do provide it, do they provide
individual addresses and advertise routes so everyone in an equivalent
IPv4 subnet is on the same SLA or do they provide a /64 or a /48?

	DSL providers have a tricker problem.  PPPOE is, after all, PPP.  IPv6
on PPP works like a charm but that's a /128 on a PtoP link.  How do they
handle handing off a network?  I just heard a week or so ago that
Speakeasy was delivering native IPv6 to their end users.  I have no idea
what their delivering there.  There are issues for them to work out, for

> Paul

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/dev/attachments/20090303/060dbabd/attachment-0001.bin 

More information about the Dev mailing list