[Openswan dev] Qustion about Nat-t

Michael H. Warfield mhw at WittsEnd.com
Tue Mar 3 15:59:29 EST 2009

On Tue, 2009-03-03 at 15:32 -0500, Paul Wouters wrote:
> On Tue, 3 Mar 2009, Michael H. Warfield wrote:
> > > > *) NAT is a kludgey way of extending the IPv4 address space.
> > > >  IPv6 is an incomparably better way of extending the IPv4
> > > >  address space.
> > 
> > > > *) A basic principle of engineering is to aim for the moving
> > > >  target.  NAT is the way of the past.  The future will be
> > > >  more and more IPv6.
> > 
> > > The move to more ipv6 will only happen with more 6to4 and 4to6
> > > NAT's, and horribly DNS kludges to make ipv4-only systems talk
> > > to ipv6-only systems and visa versa.
> > 
> > 	According to a recent Goggle experiment, where they "enrolled" a random
> > sampling of visitors to their site into an IPv6 experiment, the US now
> > ranks 5th in percentage of clients
> > This was largely thanks to Mac's and Airport
> > Extreme base stations which comprised half of the US traffic that worked
> > and utilized IPv6.  I'm sure the client users never even recognized it
> > was happening. 
> Exactly, they were behind a NAT. A specific 4to6 NAT. Now what will your ipv4 IPsec
> client do? Connect to an ipv6 IPsec via NAT? Probably the 4to6 is clever enough
> not to attempt that job and let this client out as ipv4 NAT.
> > than IPv4 /32 routable host addresses (whether they exist or not).  Oh,
> > and I should note, those IPv6 networks are production space only.  I
> > don't include the 2002::/16 6to4 space or the 2001::/32 Teredo space, or
> > any other transition space or address space outside of the global
> > unicast space.

> So you're excluding the 2002::/16 6to4 space you quoted above as the "real"
> IPv6 deployment of the US.

	Sorry.  Just to clarify.  I'm excluding 2002::/16 in counting up the
number of routable IPv6 networks, since each and every IPv4 address
(unicast or not, routable or not) has an entire IPv6 /48 subnet assigned
to it with that prefix.  That route is present in the routing tables and
would be an additional 4 billion routes.  That would not be fair to
count that route in comparing IPv4 with IPv6 (since IPv4 would then
intrinsically lose immediately), so I exclude it from my count, even
though it is routable and present in the core routes.

	Just as a reference point.  Based on that criterion (of not "counting"
6to4 autoroutes or Teredo routes or 6bone (now defunct) routes), the
number of IPv6 routable networks passed the number of IPv4 routable
addresses sometime back around June of 2005.  Almost 4 years ago.

> > 	Still...  This is real world.  It really is out there and it really
> > does work and people really are using it.
> Just to recap, i am fine and happy for IPv6. But to say it is now ready
> to replace IPv4-NAT without itself requiring NAT is silly.
> > 	1) Most Windows users (unfortunately) have administrative rights and
> > IPv6 is trivial to set up on Windows if it isn't already set up (below).
> Most windows users are behind a $60 router that does not do IPv6, nor does
> their ISP give them IPv6.
> > 	2) Several ISP's in the US have IPv6 now available for some degree of
> > difficulty (Verio, Sprint, MCI, Speakeasy).  Not sure why Comcast isn't
> > providing IPv6 yet, since it's using IPv6 to control settop boxes and
> > cablemodems (Nanog presentation from a couple years ago) so they've got
> > it in their infrastructure.
> I understood comcast *needed* ipv6 because their 10/8 space was full.
> Paul
> _______________________________________________
> Dev mailing list
> Dev at openswan.org
> http://lists.openswan.org/mailman/listinfo/dev

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/dev/attachments/20090303/e7886738/attachment.bin 

More information about the Dev mailing list