
Comment by gcb0

12 years ago

Why not just adopt IPv6 and connect to the box directly and intuitively when all the IPv4 NAT boxes in the middle die?

This won't happen. When IPv4 dies, then so will NAT. But we'll all need IPv6 stateful firewalls at home. Generally, they'll block all incoming attempts to make new connections, and allow any outbound connection attempts.

Now you have the same problem. The same solutions will need to apply here, too. So NAT isn't really the fundamental problem here.

  • But a firewall I can open. Heck, most consumer routers came preinstalled with holes in the firewall/NAT for FTP, IRC, MSN and a bunch of long-dead protocols that required the server to connect to the client...

    With IPv4+NAT I often can't allow a connection because I don't have the IP visible. I'd have to have the server add my internal IP (which will surely conflict) to their routing table, passing through my external IP on the router.

    This is the problem ipv6 solves.

We have had customers ask us if we support NAT for IPv6, so don't assume NAT will automatically die.

Sadly enough.

  • I can kinda see edge cases where 1-1 NAT makes sense, depending on the product, or are they asking for NAPT like most people think of NAT?

    • The latter, AFAIK. It has been some months since the product manager in question forwarded the question to us.

      As for 1:1 NAT, we already support other solutions that have similar effects, such as scriptable proxying.

  • Nature will find a way :)

    Your client will probably have its market eaten by someone who understands the tech. Hopefully.

    /me inserts faster-horse fallacy

NAT'ing is such an ingrained way of doing things, and it also happens to be a great way to separate your network from the rest of the network/internet. I don't think it'll go away any time soon.

  • Please allow me to be pedantic here. What actually separates your network from the rest of the Internet is called a firewall. It is unfortunate that common usage has conflated the two terms to the point that many people believe they must be inside a NAT to be firewalled from the outside. It's actually one of many misunderstandings related to the IPv6 transition.

    • I like to explain it to friends like this:

      A firewall is exactly the same thing as a bouncer at a club. The firewall-bouncer decides if you, the packet, get into the club. He might let you in, he might ignore you, he might tell you no.

      NAT is a dinner party at a house on a block. There's no bouncer. If you know the right house, you walk right in the front door. But there sure are a lot of houses! So it seems unlikely that someone will crash your party, but don't you trust the bouncer more, now that you're thinking about it?


    • Don't get me wrong, I know the difference between NAT and a firewall, but NAT'ing automatically (and by definition) hides the network behind, firewall or not.


    • Most SOHO IPv6 routers (that also do v4 NAT) do connection tracking for their v6 subnet, blocking inbound connection attempts by default, to emulate the security properties of v4 NAT.

      This means that you still have the same "unconnectable from the outside" problem you have with v4 + nat.

      Yes, I too wish it weren't this way.


  • NAT separates your network as much as buying 10.10.10.* and assigning 10.10.10.0-100 to the internal network.
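The point made repeatedly in this thread, that it is the stateful firewall and not the address translation which keeps unsolicited inbound traffic out, and that a firewall rule can be opened per host where NAT needs a port-forward mapping, written out as an nftables ruleset. This is an added example, not code from the discussion or from any of its participants. The interface names wan0 and lan0, the addresses 10.0.0.10, 2001:db8::10 (RFC 3849 documentation prefix) and port 22 are placeholders, and the ruleset assumes a Linux router with nftables 0.9 or later.

```nft
# IPv4 path: address translation lives in its own table. It does no
# access control at all; it only rewrites addresses.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # "Opening" a v4 port means creating a translation first ...
        iifname "wan0" tcp dport 22 dnat to 10.0.0.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # ... and hiding the LAN behind the router's WAN address on the way out.
        oifname "wan0" masquerade
    }
}

# Both address families share one forward policy. This chain, not the
# nat table above, is what decides whether a packet reaches the LAN.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the LAN started: the same conntrack
        # entries a v4 NAT uses, minus the rewriting. Identical for v6.
        ct state established,related accept
        ct state invalid drop

        # Anything the LAN initiates may leave.
        iifname "lan0" oifname "wan0" accept

        # IPv4: the dnat rule above is not enough on its own; the
        # translated packet still has to pass this forward check.
        iifname "wan0" oifname "lan0" ip daddr 10.0.0.10 tcp dport 22 ct state new accept

        # IPv6: no mapping, no conflicting private range. Opening the
        # firewall is one rule naming the host's own global address.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8::10 tcp dport 22 ct state new accept

        # Everything else arriving on wan0 and trying to start a new
        # connection is dropped by the chain policy, v4 and v6 alike.
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`. Removing the whole `table ip nat` leaves the IPv6 behaviour unchanged and leaves IPv4 hosts exactly as unreachable from outside as before, because the `ct state` rules and the `drop` policy are doing the blocking; conversely, keeping the NAT table but setting the forward policy to `accept` would expose any host for which a `dnat` mapping exists. The two accept rules for port 22 show the asymmetry raised in the thread: with NAT the operator must pick which one internal host a WAN port is mapped to, while with IPv6 each host can be opened independently by its own address.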