[Openswan dev] Question about Nat-t
Michael H. Warfield
mhw at WittsEnd.com
Tue Mar 3 16:16:25 EST 2009
On Tue, 2009-03-03 at 15:32 -0500, Paul Wouters wrote:
> On Tue, 3 Mar 2009, Michael H. Warfield wrote:
> > > > *) NAT is a kludgey way of extending the IPv4 address space.
> > > > IPv6 is an incomparably better way of extending the IPv4
> > > > address space.
> > > > *) A basic principle of engineering is to aim for the moving
> > > > target. NAT is the way of the past. The future will be
> > > > more and more IPv6.
> > > The move to more ipv6 will only happen with more 6to4 and 4to6
> > > NATs, and horrible DNS kludges to make ipv4-only systems talk
> > > to ipv6-only systems and vice versa.
> > According to a recent Google experiment, where they "enrolled" a random
> > sampling of visitors to their site into an IPv6 experiment, the US now
> > ranks 5th in percentage of clients
> > This was largely thanks to Macs and Airport
> > Extreme base stations which comprised half of the US traffic that worked
> > and utilized IPv6. I'm sure the client users never even recognized it
> > was happening.
> Exactly, they were behind a NAT. A specific 4to6 NAT. Now what will your ipv4 IPsec
> client do? Connect to an ipv6 IPsec via NAT? Probably the 4to6 is clever enough
> not to attempt that job and let this client out as ipv4 NAT.
> > than IPv4 /32 routable host addresses (whether they exist or not). Oh,
> > and I should note, those IPv6 networks are production space only. I
> > don't include the 2002::/16 6to4 space or the 2001::/32 Teredo space, or
> > any other transition space or address space outside of the global
> > unicast space.
> So you're excluding the 2002::/16 6to4 space you quoted above as the "real"
> IPv6 deployment of the US.
> > Still... This is real world. It really is out there and it really
> > does work and people really are using it.
> Just to recap, I am fine and happy for IPv6. But to say it is now ready
> to replace IPv4-NAT without itself requiring NAT is silly.
> > 1) Most Windows users (unfortunately) have administrative rights and
> > IPv6 is trivial to set up on Windows if it isn't already set up (below).
> Most Windows users are behind a $60 router that does not do IPv6, nor does
> their ISP give them IPv6.
One last point (Last - I swear - I should have done this in one message
- my bad)... I had this "debate" with Peter Bieringer and the IPv6 init
group years ago. "Technically" 6to4 does not work over NAT. But
"actually" 6in4 does for the large majority of cases (of various NAT
devices). In fact, all the Linux based routers and NAT devices do
support it (more or less because they don't do anything to dick it up).
It's just a bit tricky. If you are using static SIT tunnels (not 6to4)
you just configure your endpoints with the public server pointing at
your public address, and then enable protocol 41 to pass through (or you
can use protocol forwarding - both options work). The NAT will and does
work. As it so happens, this also works with 6to4 but their (the v6
init group) init logic prohibits it on private address space. The
problem is that if you have two boxes behind your NAT device and they
hit the same IPv6 external address at the same time, that creates a NAT
state table collision and it face-plants (duh). OTOH, if you have one
box behind your NAT device playing 6to4 (and you've jimmied the Linux v6
init logic to ignore the prohibition and hard code your public address)
and then configure it to advertise out a /64 out of the /48 to the rest
of your machines that will also work just as well and never create a
So, yeah, it can even be done with the vast majority of $60 routers out
there, it's just not out-of-the-box dain bramaged simple. I've done it
but I wouldn't recommend it to anybody who's unwilling to go dumpster
diving in the v6 init scripts on Linux. So, no... Not for most Windows
users. But all Windows users have Teredo at their disposal, so that's a
non-issue. They don't need 6to4. Linux users have to install "miredo"
and find a public Teredo server (I have one) in order to use Teredo and
that's only for end nodes anyways and doesn't support routing networks.
> > 2) Several ISPs in the US have IPv6 now available for some degree of
> > difficulty (Verio, Sprint, MCI, Speakeasy). Not sure why Comcast isn't
> > providing IPv6 yet, since it's using IPv6 to control settop boxes and
> > cablemodems (Nanog presentation from a couple years ago) so they've got
> > it in their infrastructure.
> I understood Comcast *needed* ipv6 because their 10/8 space was full.
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
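The 6to4-behind-NAT recipe Michael sketches above (protocol 41 forwarded to one inner box, the 6to4 prefix hard-coded from the public address instead of the private one, one /64 out of the resulting /48 handed to the rest of the LAN), written out as an added example. It is not code from this thread or from Openswan. The addresses 203.0.113.5 and 192.168.1.10 and the interface name eth0 are constructed values; the printed commands assume a Linux box with iproute2 and iptables/ip6tables; 192.88.99.1 is the 6to4 relay anycast address from RFC 3068. The private-address check stands in for the prohibition in the v6 init scripts he mentions: a 2002: prefix derived from RFC 1918 space is not routable, so the script refuses to emit one rather than producing a broken configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Derives the 6to4 /48 from a PUBLIC IPv4
# address, refuses RFC 1918 input, and prints (does not run) the Linux commands
# for the NAT box and the single inner host. Sample addresses are constructed.

# 6to4 prefix is 2002:WWXX:YYZZ where WW.XX.YY.ZZ is the public IPv4 address.
# Body runs in a subshell so changing IFS does not leak to the caller.
sixto4_prefix() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) exit 1;; esac   # digits only
        [ "$o" -le 255 ] || exit 1              # valid octet
    done
    printf '2002:%02x%02x:%02x%02x' "$1" "$2" "$3" "$4"
)

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
is_private_v4() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0;;
    esac
    return 1
}

# Print the commands for: NAT box (hand protocol 41 to ONE inner host),
# inner host (6to4 SIT tunnel keyed on the public address, one /64 to the LAN),
# and a default-deny ip6tables policy on the tunnel, since the forwarded
# tunnel makes the whole /48 reachable from the IPv6 Internet.
sixto4_commands() {
    pub=$1 inner=$2 lan_if=$3
    pfx=$(sixto4_prefix "$pub") || { echo "bad IPv4 address: $pub" >&2; return 1; }
    if is_private_v4 "$pub"; then
        echo "refusing: $pub is RFC 1918 space; $pfx::/48 would not route" >&2
        return 1
    fi
    cat <<EOF
# --- on the NAT box: forward protocol 41 to the one inner host that does 6to4
iptables -t nat -A PREROUTING -p 41 -j DNAT --to-destination $inner
iptables -A FORWARD -p 41 -d $inner -j ACCEPT
# --- on the inner host ($inner): tunnel uses the private address locally,
#     but the 6to4 prefix comes from the PUBLIC address $pub
ip tunnel add tun6to4 mode sit ttl 64 remote any local $inner
ip link set tun6to4 up
ip -6 addr add $pfx::1/16 dev tun6to4
ip -6 route add ::/0 via ::192.88.99.1 dev tun6to4 metric 1
# one /64 out of the /48 for the LAN, and forwarding so the other boxes use it
ip -6 addr add $pfx:1::1/64 dev $lan_if
sysctl -w net.ipv6.conf.all.forwarding=1
# inbound on the tunnel: only replies to our own traffic
ip6tables -A INPUT -i tun6to4 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i tun6to4 -j DROP
ip6tables -A FORWARD -i tun6to4 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -j DROP
EOF
}

# Stand-alone run with the constructed sample addresses.
sixto4_commands 203.0.113.5 192.168.1.10 eth0
```

Only one inner host can sit behind the forwarded protocol 41; a second one sharing the same external 6to4 endpoint is exactly the NAT state-table collision the post describes, so the script takes a single inner address on purpose. The ip6tables lines are the part the $60 router will not do for you: once the tunnel is up, the NAT that was incidentally shielding the LAN no longer stands between the /48 and the IPv6 Internet.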