On Sun, 2011-01-02 at 21:01 -0500, Genes MailLists wrote:
> On 01/02/2011 08:54 PM, Genes MailLists wrote:
> >
> >> Probably the simplest approach is to use a router appliance that groks
> >> IPv6 for the WAN, and IPv4 for the LAN. On a Linux system, if you want
> >> it to be your firewall--and a lot of us are hard-headed enough to do
> >> so--I'd put in two NICs and use only the outward-facing NIC for IPv6,
> >> configuring the internal for IPv4.
> >>
> >
> > Thanks for your thoughts ... I was slowly coming to exactly that
> > solution ...
> >
> > Then I think you're saying NAT is here to stay .. in which case how
> > exactly on a linux border firewall with internal ip4 and external ip6
> > does one NAT ?
> >
> > Do we build a ip4 NAT to ip4 - and then route that nat'ed ip4 to ip6 ?
> >
>
> If you are correct - then the obvious solution is to make ip6 NAT ...
> which was designed out of the thing ...

NAT is a vile and evil abomination which was created in a half-assed effort to extend the life of IPv4. There are still protocols which simply will not work over NAT, and that situation is about to get exponentially worse.

Now that IANA is truly running out of IPv4 blocks and it won't be more than a year or two before the RIRs are running out (the UK is projecting the end of new global IPv4 addresses available at the consumer level by the end of 2011 or early 2012), they are taking a bad situation and making it even worse. Now they are turning to CGN or NAT444 (plain ole NAT is known as NAT44 in that parlance). That's carrier grade NAT. That's NAT in front of NAT. IOW, NAT at your ISP, and it's going to break all sorts of things. Got those nice helpers in your NAT gateway to help with all those protocols that won't operate over NAT's brokenness? Yeah, they're all broken again. Got that VPN gateway ported through? Not when this happens. Think the ISP will fix it? Not when his NAT is mapping customers on a port and address n-to-m mapping that changes dynamically.

At the last ARIN conference I saw a list of games and applications which are known not to work over CGN. Too bad. The IPv4 address you may get in the future from your ISP is not going to be guaranteed to even be a global v4 address any more. Whatcha gonna do? Change providers? They're all going to be in the same boat as their subscribers exceed their pools with smart devices like smart phones and such. Just not enough IPv4 addresses to go around even for everyone to just get one. Anyone dragging their feet has no ground on which to boo hoo.

As it so happens, renumbering IPv6 is trivial. It's way easier than IPv4 and you don't need NAT. You simply add your new prefix to your router and set the lifetime of your old prefix real low. Wait for a while, then remove the old prefix. All your autoconf'ed machines will have renumbered themselves. You don't need to renumber the EUI (the lower 64 bits), and they get the upper prefix from the router. If you're using dhcp6, you'll have to do some updates there, but that's also centrally located. Anyone using static addressing outside of routers is shooting themselves in the foot.

I've renumbered my networks several times shifting providers from Hurricane Electric to Hexago (formerly FreeNet6) to OCCAID. Even with multiple subnets (you get 65,536 subnets in a single /48 network allocation available to you) it's pretty easy and it's transparent. You don't have to disrupt the network or take anything down to renumber. Try renumbering, really renumbering, an IPv4 network sometime.

NAT has been used as a crutch and an excuse for too many things. I'm glad to see that world continue to get worse with the advent of CGN. Maybe people will start to wake up and realize that continuing to struggle with this patchwork quilt of hacks and workarounds for broken transports is a lot worse than just making the change and being done with it.

As far as IPv4 vs IPv6 internal vs external goes, why not use both in both? They do coexist, you know. You don't have to choose one and not the other. You can even have global IPv6 while sitting behind your tonka toy NAT44, or even a NAT44 behind a NAT444 at your ISP. You can have both. Why not have the best of both possible worlds? You won't even know when you're accessing one and not the other.

For reference, I find the IPv6-only fedora repositories to be much more responsive. Probably thanks to the lighter load I enjoy and they enjoy. I also find that my downloads from Europe over IPv6 are often faster, but then the routing is simpler and the core backbones are all carrying IPv6 in parallel or even as the backbone protocol. My nearest OCCAID POP is just down the road a ways, downtown, so it's a short hop and I'm on the global v6 backbone with no v4 transport or tunnels.

> gah ...

Regards,
Mike
--
Michael H. Warfield (AI4NB)   | (770) 985-6132 | mhw@xxxxxxxxxxxx
   /\/\|=mhw=|\/\/            | (678) 463-0932 | http://www.wittsend.com/mhw/
   NIC whois: MHW9            | An optimist believes we live in the best of all
   PGP Key: 0x674627FF        | possible worlds. A pessimist is sure of it!
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
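To make the renumbering recipe in Mike's message concrete, here is an added example (editor's code, not from the message, from Fedora, or from any router software) that models a SLAAC host per RFC 4862: the modified EUI-64 interface identifier derived from the MAC (the "lower 64 bits" that never change), addresses formed from each advertised prefix, and the preferred/valid lifetime processing that lets the old prefix fade out while the new one takes over. The MAC address, the two 2001:db8 prefixes and the clock values are constructed for the example; the 7-day/30-day lifetimes are the values radvd uses by default. It also shows the one caveat a practitioner hits with "set the lifetime of your old prefix real low": section 5.5.3(e) of RFC 4862 will not let an unauthenticated Router Advertisement cut an address's remaining valid lifetime below two hours, which is what keeps a rogue RA on the LAN from instantly deleting everyone's addresses.

```python
"""Added example (not from the original post): a small model of how a SLAAC
host (RFC 4862) renumbers when its router advertises a new prefix and ages
out the old one.  MAC address, prefixes and clock values are constructed."""
import ipaddress
from dataclasses import dataclass, field

TWO_HOURS = 2 * 3600  # RFC 4862 section 5.5.3(e) clamp for unauthenticated RAs
LONG_PREF, LONG_VALID = 604800, 2592000  # radvd defaults: 7 days / 30 days
OLD_PREFIX, NEW_PREFIX = "2001:db8:aaaa:1::/64", "2001:db8:bbbb:1::/64"


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    flip the universal/local bit of the first octet and insert 0xFFFE in the
    middle.  This is the host part that survives a renumbering unchanged."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


@dataclass
class SlaacHost:
    mac: str
    # address -> (preferred_until, valid_until) in seconds on the caller's clock
    addrs: dict = field(default_factory=dict)

    def receive_ra(self, now, prefix_options, authenticated=False):
        """Process the Prefix Information options of one Router Advertisement.
        prefix_options: iterable of (prefix, preferred_lifetime, valid_lifetime)."""
        iid = eui64_from_mac(self.mac)
        for prefix, pref_lft, valid_lft in prefix_options:
            addr = slaac_address(prefix, iid)
            if addr not in self.addrs:
                if valid_lft > 0:  # never form an address that is already expired
                    self.addrs[addr] = (now + pref_lft, now + valid_lft)
                continue
            _, valid_until = self.addrs[addr]
            remaining = valid_until - now
            # RFC 4862 5.5.3(e): a short advertised valid lifetime can only pull
            # an existing address down to two hours; below that the option is
            # ignored unless the RA was authenticated (e.g. SEND).
            if valid_lft > TWO_HOURS or valid_lft > remaining:
                valid_until = now + valid_lft
            elif remaining <= TWO_HOURS:
                if authenticated:
                    valid_until = now + valid_lft
            else:
                valid_until = now + TWO_HOURS
            self.addrs[addr] = (now + pref_lft, valid_until)
        self.expire(now)

    def expire(self, now):
        """Drop addresses whose valid lifetime has run out."""
        self.addrs = {a: lt for a, lt in self.addrs.items() if lt[1] > now}

    def preferred(self, now):
        """Addresses a host will pick as source for new connections."""
        self.expire(now)
        return [str(a) for a in sorted(self.addrs) if self.addrs[a][0] > now]

    def valid(self, now):
        """Preferred plus deprecated addresses (existing flows still work)."""
        self.expire(now)
        return [str(a) for a in sorted(self.addrs)]


def renumber_walkthrough():
    """Replay the recipe from the post: advertise the new prefix next to the
    old one, push the old prefix's lifetimes down, wait, then withdraw it."""
    host = SlaacHost("00:11:22:33:44:55")
    phases = {}
    host.receive_ra(0, [(OLD_PREFIX, LONG_PREF, LONG_VALID)])
    phases["before"] = (host.preferred(0), host.valid(0))
    # t=60: both prefixes advertised; the old one is deprecated immediately
    # (preferred 0) and asked to go away after ten minutes (valid 600).
    host.receive_ra(60, [(NEW_PREFIX, LONG_PREF, LONG_VALID), (OLD_PREFIX, 0, 600)])
    phases["deprecated"] = (host.preferred(60), host.valid(60))
    # t=660: ten minutes later the old address is still valid, because an
    # unauthenticated RA could only clamp it to two hours, not ten minutes.
    phases["after_600s"] = (host.preferred(660), host.valid(660))
    # t=7261: the clamp has elapsed; the old address is gone with no host-side
    # reconfiguration, and the interface identifier never changed.
    phases["after_2h"] = (host.preferred(7261), host.valid(7261))
    return phases


def rogue_ra_effect():
    """Unauthenticated RA advertising valid lifetime 0 for a prefix in use:
    returns how many seconds of valid lifetime the address keeps (not zero)."""
    host = SlaacHost("00:11:22:33:44:55")
    host.receive_ra(0, [(OLD_PREFIX, LONG_PREF, LONG_VALID)])
    host.receive_ra(10, [(OLD_PREFIX, 0, 0)])
    addr = slaac_address(OLD_PREFIX, eui64_from_mac(host.mac))
    return host.addrs[addr][1] - 10


if __name__ == "__main__":
    for phase, (pref, valid) in renumber_walkthrough().items():
        print(f"{phase:>11}: preferred={pref} valid={valid}")
    print("rogue RA leaves", rogue_ra_effect(), "seconds of valid lifetime")
```

The walkthrough is the whole procedure from the message: the hosts pick up the new prefix from the first RA that carries it, new connections move to the new address as soon as the old one is deprecated, and the old address disappears on its own once its valid lifetime expires. The practical consequence of the two-hour clamp is that "wait for a while" means at least two hours on an unauthenticated LAN, however low you set the old prefix's valid lifetime. On a Linux router running radvd the same knobs are the per-prefix AdvPreferredLifetime and AdvValidLifetime settings (and DeprecatePrefix when the prefix is removed); the hosts need nothing.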