The pfSense Store

Author Topic: Why NAT66 is needed  (Read 1729 times)

0 Members and 1 Guest are viewing this topic.

Offline ineti

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
    • View Profile
Why NAT66 is needed
« on: June 17, 2012, 05:59:40 am »
Please please make NAT66 available on pfSense. I would gladly donate for it. Here's the reason why I think it's mandatory:


----------------
It seems, that there is still an ongoing "war" about the sense - or nonsense - of using Network Address Translation (NAT) in IP6 networks (also known as NAT66, NPTv6)

The NAT opponents fear that once NAT is established (again) it will be heavily used and all of it's disadvantages, like breaking the end-to-end principle, will live on forever.

The NAT defenders postulate the use of NAT for some special cases.

Let's take a closer look what NAT really is, what it is used for and then have a look at the assumptions of both parties. And to anticipate it:
There is currently a de facto need for NAT66, which seems to be totally ignored.

As you probably know IPv4 addresses are limited. It has been early realized that the humanity is soon running out of IPv4 addresses with a maximum length of 32bits.

If you have 20 computer systems connected to the Internet all of them should have a public IP address. If your company has 2000 systems it would be relevant more.

To put it briefly: With NAT you could map your internal network with non-public and therefore non-routed IP addresses to one or some public IP addresses and save a lot of public addresses. That was probably the main purpose NAT was ever invented.


Now with IPv6 you have IP addresses with a length of 128bit which gives you nearly a inexhaustible
space of addresses. So why should you still need NAT and "hide behind one address" if every one of your systems could have a public -and worldwide reachable- IP address as it always should have been?

Let's have a look at the main points of our wranglers:


A. NAT gives you security?

Well, NAT is not a security feature - it never has been. Network security on layer-3 and above is provided by firewalls not by something like address translation or even port translation.

But you can use NAT to hide your internal network topology. If you use public IP addresses there is a higher chance someone gets a fast understanding of your layer-3 network topology. With NAT that topology becomes intransparent. Why should the whole world know how many seperate clients are on your network? Of course you can eliminate the scanning of your infrastracture, but not the outgoing traffic, that still enables someone to separate single systems.

So the security argument can't be disproved. It should be everybodies choice to use NAT or not. In that way you cut the freedom of choice.

B. Nat is needed for multi homing?

NAT is not needed for multi homing -> see RFC


C. NAT is needed for smaller networks, especially home networks?

You need at least a 64bit IPv6 network to run some of the basic IPv6 features like auto configuration.
If your ISP only assigns a 64bit network to you, you could of course create smaller subnets like 66, 72 or whatever. But you will loose autoconfiguration for sure. Not everybody wants to run DHCPv6 at home, not every IPv6 enabled router has a DHCPv6 server on board to substitute that loss. And of course not everybody has the knowledge to configure that kind of service.

Well you could say, that the ISPs have to allign larger subnets. They don't! If you look at larger German providers a lot of them allign /64 networks. End of story. The normal user doesn't care about that fact, he has one subnet and it's enough for him. With NAT this problem wouldn't occur; you could create as many private networks as large as you'd like.

But how about the professional users, that are able to deploy a DHCPv6 server and subnet their network for themselves? Well that would be nice. But what if your mandatory-provider-given router doesn't support static routing to other subnets? And if so, what if that router doesn't support subnets smaller than /64?
And what if you can't change your router settings cause it's provisioned by your provider?

All of this is currently happing in Germany with nearly all cable providers and a lot of DSL providers.

You are the "poor" guy and you need NAT66 to circumvent your misery...

Well the last aspect could be changed, either by your ISP or by router manufactures. But your faith lies in their hands. That shouldn't be the case when using standard technology.
But that's a different problem.


In fact: NAT always gives you the ability to deploy your network as you like and to use the hardware you like. NAT has worked very well for the last decades and could work much longer without any problems.

So here again: You lose opportunities, flexibility and freedom of choice without NAT.
Less is not always more.


Conclusio:

Most people won't need NAT support and won't use it anymore. That is a good fact because of the end-to-end-principle. But there are circumstances where NAT has to be available, just because of pregiven facts or reasonable wishes.










Offline stephenw10

  • Hero Member
  • *****
  • Posts: 8167
  • Karma: +8/-0
    • View Profile
Re: Why NAT66 is needed
« Reply #1 on: June 17, 2012, 06:35:10 am »
NPt is already included in 2.1 snapshots. See:
http://doc.pfsense.org/index.php/Multi-WAN_for_IPv6

Steve

Offline ineti

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
    • View Profile
Re: Why NAT66 is needed
« Reply #2 on: June 17, 2012, 06:46:07 am »
Hi,

thank you for your fast reply.
Would it be possible with NPT to "hide" networks behind one iP. I thought NPT is not "classic" NAT?

Best wishes,

Marcus

Offline ineti

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
    • View Profile
Re: Why NAT66 is needed
« Reply #3 on: June 17, 2012, 06:52:42 am »
I read the NPT article.

Could I do the following trick?

Setup

Provider Router with a 64bit public IPv6 network ---> pfSense with NPT ------> two internal LANs like fd00::1/64 or fd00::2/64

When traffic goes from fd00::1 to fd00::2 the source IPs are kept; but when traffic from fd00::1 or fd00::2 goes outside their prefixes are translated to the public prefixes of the provider-give network prefix? Is that right?





Offline stephenw10

  • Hero Member
  • *****
  • Posts: 8167
  • Karma: +8/-0
    • View Profile
Re: Why NAT66 is needed
« Reply #4 on: June 17, 2012, 07:09:13 am »
I don't know because I'm not using IPv6 yet.  :-[
However from what I understand it should be possible, yes. At least to some extent. Here is an earlier discussion:
http://forum.pfsense.org/index.php/topic,45442.0.html

You should probably ask this in the IPv6 or 2.1 snapshot sub-forums.

More reading for me...  ;)


Offline cmb

  • Administrator
  • Hero Member
  • *****
  • Posts: 6333
  • Karma: +0/-0
    • LinkedIn
    • Twitter
    • View Profile
    • Chris Buechler
Re: Why NAT66 is needed
« Reply #5 on: June 17, 2012, 05:25:17 pm »
I read the NPT article.

Could I do the following trick?

Setup

Provider Router with a 64bit public IPv6 network ---> pfSense with NPT ------> two internal LANs like fd00::1/64 or fd00::2/64

When traffic goes from fd00::1 to fd00::2 the source IPs are kept; but when traffic from fd00::1 or fd00::2 goes outside their prefixes are translated to the public prefixes of the provider-give network prefix? Is that right?

This is what NPT allows you to do, we've had that for a long time.

Offline ineti

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
    • View Profile
Re: Why NAT66 is needed
« Reply #6 on: June 18, 2012, 03:05:58 pm »
Thx a lot. One of the strenghts of pfSense really is that forum, too!