Internet and e-mail policy and practice
including Notes on Internet E-mail



04 Jul 2011

A politically incorrect guide to IPv6, Part II

In a previous message we looked at the question of how hard it will be to get IPv4 address space once the original supply runs out. Today we'll look at the other end of the question: how much v4 address space do people really need?

The end to end principle says, more or less, that all computers on the Internet are in principle the same: any of them can be a server, any can be a client, and the Net should just be a dumb pipe between them, allowing people to invent new applications without having to get permission from, or even notify, anyone in between. While this idea has great appeal, for consumers' Internet connections it's much more common to have several kinks in the pipe.

The most common kink is called NAT, Network Address Translation, which means what it sounds like, the addresses on one side of the NAT equipment (typically the router next to or built into a cable or DSL modem) are different from the ones on the other side, and the NAT translates them. The most common use of NAT is on home networks, where a bunch of computers in the home all have different addresses on the local network, but the NAT router has only a single address on the public Internet. (If your PC has an address like 192.168.x.x or 10.x.x.x, that's a private address behind a NAT.) The advantage for the ISP is that no matter how many computers the customer has, they only need a single IP address per customer.

One advantage for the user is that they don't have to deal with their ISP when they add or remove computers on their local network, since the NAT router can do all the management needed on the private network. An equally important one is that NAT provides considerable protection from malicious software elsewhere on the net, since the malware can't connect to computers behind the NAT unless the NAT has been specifically configured to permit it. It also means that even if the ISP changes the address it assigns to the router (which they typically do every few months), the addresses of the computers within the house don't change.

To conserve space, it's not uncommon to use two levels of NAT, so that all the computers in a household sit behind one layer of NAT, and all the houses in a neighborhood sit behind a second "carrier grade" NAT, sharing a small set of public IP addresses. Double NAT is widely considered a perversion of the way the Internet is supposed to work, but I can report from experience that my ISP stuck me behind a double NAT and it was several months before I noticed.
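To make the translation concrete, here is an added example (it is not code from this post) that models a home NAT sitting behind a carrier-grade NAT in Python. It shows the two rewrites an outbound packet gets, how the replies find their way back, why an unsolicited packet from outside is dropped (there is no entry in the state table for it, which is the real source of the protection described above), and how many flows one public address can carry before its port pool runs out. All addresses are constructed sample values from the documentation ranges, the RFC 6598 shared-address range and RFC 1918 space; the pool size and mapping rules are simplifications of what real NAPT devices do.

```python
"""Toy model of NAT (strictly NAPT, address-and-port translation).
Added example, not code from the original post; every address and port
below is a constructed sample value (198.51.100.0/24 and 203.0.113.0/24
documentation space, 100.64.0.0/10 shared space, RFC 1918 private space)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Only the header fields a NAT looks at, plus a payload for show."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


def is_private(ip: str) -> bool:
    """True for addresses such as 192.168.x.x or 10.x.x.x (RFC 1918)."""
    return ipaddress.ip_address(ip).is_private


@dataclass
class Nat:
    public_ip: str
    first_port: int = 1024   # pool of public ports this NAT may hand out; one
    last_port: int = 65535   # public address can carry at most this many flows
    outbound: dict = field(default_factory=dict)  # (in_ip,in_port,dst_ip,dst_port) -> pub_port
    inbound: dict = field(default_factory=dict)   # pub_port -> (in_ip,in_port,dst_ip,dst_port)
    forwards: dict = field(default_factory=dict)  # pub_port -> (in_ip,in_port), set by the admin

    def _allocate_port(self) -> int:
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.inbound and port not in self.forwards:
                return port
        raise RuntimeError("public port pool exhausted")

    def outbound_translate(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private side and remember the flow."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            pub_port = self._allocate_port()
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound_translate(self, pkt: Packet):
        """Rewrite the destination of a packet arriving from the public side.
        Returns None when there is neither a matching outbound flow nor an
        explicit port forward: the drop comes from the state table, not from
        the address rewrite itself."""
        if pkt.dst_port in self.forwards:
            in_ip, in_port = self.forwards[pkt.dst_port]
        else:
            state = self.inbound.get(pkt.dst_port)
            if state is None or state[2:] != (pkt.src_ip, pkt.src_port):
                return None
            in_ip, in_port = state[:2]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)


def double_nat_demo():
    """A laptop behind the home router's NAT, which sits behind the ISP's
    carrier-grade NAT, fetching a page from a public web server."""
    home = Nat(public_ip="100.64.0.23")     # address the ISP's CGN gave the home router
    carrier = Nat(public_ip="203.0.113.7")  # the ISP's public address shared by many homes
    laptop = Packet("192.168.1.10", 51000, "198.51.100.10", 80, "GET / HTTP/1.1")

    # Outbound: the source address is rewritten twice before reaching the Internet.
    at_carrier = home.outbound_translate(laptop)
    on_internet = carrier.outbound_translate(at_carrier)

    # The server answers the address it saw; each NAT undoes its own rewrite.
    reply = Packet(on_internet.dst_ip, on_internet.dst_port,
                   on_internet.src_ip, on_internet.src_port, "HTTP/1.1 200 OK")
    back_at_home = carrier.inbound_translate(reply)
    delivered = home.inbound_translate(back_at_home)

    # An unsolicited connection attempt to the shared public address matches
    # no flow and no forward rule, so the carrier NAT has nowhere to send it.
    probe = Packet("198.51.100.99", 40000, carrier.public_ip, 22)
    dropped = carrier.inbound_translate(probe)
    return on_internet, delivered, dropped


def flows_before_exhaustion(nat: Nat, hosts: int) -> int:
    """Open one outbound flow per inside host until the NAT's port pool runs out."""
    opened = 0
    for i in range(hosts):
        try:
            nat.outbound_translate(Packet(f"10.0.{i // 256}.{i % 256}", 40000, "198.51.100.10", 443))
        except RuntimeError:
            break
        opened += 1
    return opened


if __name__ == "__main__":
    seen, got, probe = double_nat_demo()
    print("server saw:", seen)
    print("laptop received:", got)
    print("unsolicited probe delivered to:", probe)
    print("flows through a 10-port pool:", flows_before_exhaustion(Nat("203.0.113.7", 1024, 1033), 50))
```

The `inbound_translate` check is what separates a NAT that happens to be stateful from plain address rewriting: a packet is only let through when a flow was opened from inside to that same peer, or when an administrator has installed a forward. The 65535-port ceiling per public address is why a carrier NAT shared by a neighborhood needs a pool of addresses rather than one.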

For a long time, quite possibly forever, networks will run dual stack, with both IPv4 and IPv6 operating in parallel. It's straightforward to set up a network with NAT on its v4 addresses but none on its v6 addresses. As ISPs migrate, they can give every customer a chunk of v6 address space so each computer on the home network has a unique address, while using single or double NAT on their v4 addresses. A user's PC connecting to a server via IPv6 will use its real untranslated address, while one connecting via IPv4 will be translated. So it would make sense to first move to IPv6 the services that don't work well with NAT, and move the other ones later, perhaps much later.

There are two reasons that a service might not work well with NAT. One is that the service passes IP addresses or port numbers in its data stream, and the other is that it needs to contact a server behind a NAT. The only popular service that passes IP addresses is FTP, and the workarounds to make FTP clients work behind NAT are well understood, so it's not a problem. But the services that want to run servers behind NAT are peer-to-peer, which most ISPs are not crazy about. Some P2P services are fine, such as Skype or multiplayer games. But many are not, because they suck up every bit of available bandwidth or are primarily used to exchange illegal material, or often both. (BitTorrent is the usual example.) So perhaps if full end to end IPv6 connectivity doesn't show up as fast as the v6 advocates hope, there's a reason.
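The FTP case is easy to see in the protocol text itself. In active mode the client sends a PORT command that spells out its own IP address and a port for the server to connect back to; behind NAT that is a private address the server cannot reach, so either the NAT rewrites the command (the "FTP helper" or application layer gateway found in most home routers) or the client uses passive mode, where the server names its address in a 227 reply and the client connects outward, which works through ordinary NAT. The following is an added example, not code from this post, that parses both forms and performs the rewrite a NAT's FTP helper makes; the public address, the sample commands and the port allocator are constructed values.

```python
"""FTP carries IP addresses and port numbers inside its control channel.
Added example (not from the original post): decode and encode the
'h1,h2,h3,h4,p1,p2' notation used by the PORT command and by the 227
reply to PASV, and show the rewrite a NAT's FTP helper makes to PORT.
Sample addresses are constructed (documentation ranges and RFC 1918)."""
import re
from typing import Callable, Dict, Tuple

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\s*$")
# RFC 959 leaves the wording before the parenthesis to the server, so match loosely.
PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")


def decode_hostport(fields) -> Tuple[str, int]:
    """Six decimal bytes -> (dotted IPv4 address, 16-bit port)."""
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        raise ValueError(f"field out of range in {fields}")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    """(dotted IPv4 address, port) -> six decimal bytes."""
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def parse_port_command(line: str) -> Tuple[str, int]:
    """Client -> server: 'PORT h1,h2,h3,h4,p1,p2' says where the server should connect back."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(m.groups())


def is_valid_port_command(line: str) -> bool:
    try:
        parse_port_command(line)
        return True
    except ValueError:
        return False


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Server -> client: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' says where the client should connect."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return decode_hostport(m.groups())


def alg_rewrite_port(line: str, public_ip: str,
                     allocate_port: Callable[[], int]) -> Tuple[str, Dict[int, Tuple[str, int]]]:
    """What a NAT's FTP helper does to a PORT command from an inside client:
    substitute its public address and a freshly mapped public port, and hand
    back the mapping the NAT must install so the server's data connection
    reaches the client.  allocate_port is a caller-supplied allocator
    (a hypothetical stand-in for the NAT's port pool)."""
    inside_ip, inside_port = parse_port_command(line)
    pub_port = allocate_port()
    rewritten = f"PORT {encode_hostport(public_ip, pub_port)}\r\n"
    return rewritten, {pub_port: (inside_ip, inside_port)}


if __name__ == "__main__":
    print(parse_port_command("PORT 192,168,1,10,200,10\r\n"))
    print(parse_pasv_reply("227 Entering Passive Mode (198,51,100,10,195,80)\r\n"))
    print(alg_rewrite_port("PORT 192,168,1,10,200,10\r\n", "203.0.113.7", lambda: 40001))
```

The rewrite only works when the helper can see the command, which is why FTP over TLS, or any second layer of NAT the helper does not know about, breaks active mode again; passive mode avoids the problem on the client side entirely, but a server that is itself behind NAT has the mirror-image problem in its 227 reply.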

In the next (and probably last) installment, I'll look at e-mail, the service that works the worst with IPv6.


posted at: 15:22 :: permanent link to this entry :: 5 comments

comments...

Not all services work with NAT.
Think hosting providers, for example.

NATs may work for IPv4 providers, but given the reality of torrents and P2P software, NATs won't scale (You get 65535 usable ports per IP, and that's a few BT clients).

Servers still need IP space, and those won't work with NAT. (Think one SSL enabled server per organization). Even though lots of servers don't need SSL, quite a few of them do.

And IPv6 needs to be end-to-end.

(by Devdas Bhagat 22 Feb 2011 22:48)


IPv6 Evangelist, Hurricane Electric
IPv4 NAT does not provide security. IPv4 NAT depends on stateful inspection.

Stateful inspection provides security. NAT just modifies packet headers in ways that confuse many applications.

There is no need for NAT on IPv6 and many many reasons not to do so.

FTP only has this problem if you ignore PASV which has been widely used for years. The services that more commonly require special tricks to operate through one layer of NAT (and don't cope well with multiples or special varieties of NAT or NATs that don't have UPnP) include Voice over IP, Instant Messaging, Peer to Peer filesharing, some types of multi-player games, video on demand, and more.

FWIW, I regularly use BitTorrents as a fine method of acquiring open-source software and other legitimate content. I also provide a certain amount of outbound service of files I already have during those times I am obtaining content via torrents. I've rarely seen it consume more than about 7Mbps down or 1Mbps up. (My connection is 50+Mbps down and 10+Mbps up). The service provider arguments against P2P usually come from service providers that don't like competing content on their pipes and should be viewed with a certain amount of suspicion.

(by Owen DeLong 28 Feb 2011 19:38)


What developments have limited address space held up?
my ISP stuck me behind a double NAT and it was several months before I noticed.

This strikes me as the wrong sort of reasoning. Because of the widespread use of NAT, most applications try to work in spite of it. Infrastructure should be as general as possible (well, and sufficiently cheap) in order to support the most important applications: those we haven't thought of yet. It's not good to justify a "kink" in the infrastructure by the fact that people haven't done the things that would be messed up by the kink.

In fact, NAT seems to be a very sensible thing to do when a number of boxes act together as a single virtual host. But not a good thing to be forced to do by lack of address space, which appears to be the main reason for doing it today.

(by Mike O'Donnell 01 Mar 2011 18:31)


NAT not for security (piling on)
IPv4 NAT does not provide security.

I usually don't like to pile on in an argument, but I hear the idea that NAT is good for security so much from people who I think are experts that I'd like to nail it whenever possible.

Packet filtering can be good for security. NAT is already opening and fiddling with packets, so presumably packet filtering for security purposes can share some code with NAT. But I have never seen, and cannot conceive, a good reason why the change of IP address itself helps security.

(by Mike O'Donnell 01 Mar 2011 18:36)


What developments have limited address space held up?
my ISP stuck me behind a double NAT and it was several months before I noticed.

This strikes me as the wrong sort of reasoning. Because of the widespread use of NAT, most applications try to work in spite of it. Infrastructure should be as general as possible (well, and sufficiently cheap) in order to support the most important applications: those we haven't thought of yet. It's not good to justify a "kink" in the infrastructure by the fact that people haven't done the things that would be messed up by the kink.

In fact, NAT seems to be a very sensible thing to do when a number of boxes act together as a single virtual host. But not a good thing to be forced to do by lack of address space, which appears to be the main reason for doing it today.

(by Mike O'Donnell 01 Mar 2011 18:38)


© 2005-2020 John R. Levine.