[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive Connectivity Establishment (ICE))
Geoff Devine
gdevine at cedarpointcom.com
Mon Nov 14 06:24:08 CST 2005
My view on IPv6 conversion:
What doesn't kill us makes us stronger
-- Friedrich Nietzsche
I think it'll take 10 very painful years to make the conversion. In my opinion, mobile devices, where you have rapid CPE device churn, will go first. Residential broadband service (DSL, DOCSIS) will lag. NAT postponed the inevitable by delaying reaching the point where we run out of IPv4 address space. In the biggest residential broadband networks, we're already getting close to that point.
The "security" you get with NAT on an edge router/firewall can equally be provided in IPv6 by a session border controller/firewall. It's just stateful message filtering policy. This function isn't going to go away and the state of the art in deep packet inspection and policy is only going to improve. In the enterprise space, you're always going to have a box on the edge to protect yourself. In the residential space, I think this function will migrate from the home router to the service provider for most subscribers as service providers start offering security features as product differentiation.
Geoff Devine
Chief Architect
Cedar Point Communications
________________________________________
From: dan_york at Mitel.com [mailto:dan_york at Mitel.com]
Sent: Monday, November 14, 2005 5:26 AM
To: Geoff Devine
Cc: Voipsec at voipsa.org
Subject: IPv6 and the demise (or not) of NAT (was Re: [VOIPSEC] Interactive Connectivity Establishment (ICE))
Geoff, (or the (many?) others who have opinions on this subject)
> Any solution to this problem is imperfect until we all migrate to IPv6
> where NAT is no longer necessary.
(Realizing that this is a long-standing and simmering debate that can
border on one of those "religious" issues - but still curious enough to
hear people's opinions... )
But how realistic do you see that being? As much as I agree that it would
solve problems that we are facing, I'm very skeptical that NAT will go away
anytime soon primarily because:
1. Corporate enterprises are at this point wed to their RFC-1918 private
networks and I just don't see them justifying the expenditure of time,
money, effort to go through and completely re-do their IP numbering.
I know of a good number of companies where there are lab environments,
etc., that have static IP ranges and such, and so the renumbering would
be a fairly massive undertaking.
2. Many (most?) IT security folks are strong believers in NAT as a
form of security. I don't see them being terribly interested in giving
up that tool from their toolbox.
3. NAT is widely deployed and available everywhere courtesy of the little
home routers you buy at your local electronics store. It works and
works fine for the vast majority of people. They aren't going to
change because to them nothing is broken.
All of which isn't to say that we won't someday get to that
NAT-less Nirvana, but I don't personally see NAT going away for a
l... o... n... g... time. (And we are therefore going to need ICE and
friends to traverse NAT.)
Just curious,
Dan
--
Dan York, CISSP, Director of IP Technology, Office of the CTO
Mitel Corporation http://www.mitel.com/ dan_york at mitel.com
Ph: +1-613-592-2122 350 Legget Drive, Ottawa, ON, K2K 2W7 Canada
PGP key (F7E3C3B4) available for secure communication
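As an added illustration of Geoff's "it's just stateful message filtering policy" point (this ruleset is not from the thread or from either poster), here is an nftables configuration for an IPv6 edge router that yields the NAT-like property people tend to credit to NAT itself, namely that flows initiated from inside are allowed and unsolicited inbound connections are dropped, without translating any addresses. Interface names lan0 and wan0 are assumed.

```nft
# Stateful IPv6 edge policy: same "only what we initiated" behaviour a NAT
# box gives, implemented purely with connection tracking. No translation.
flush ruleset

table inet edge {
    chain input {
        # Traffic to the router itself: default deny.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without ICMPv6: neighbour discovery, router
        # advertisements and Path MTU discovery must be allowed, unlike
        # the "block all ICMP" habit carried over from IPv4 NAT setups.
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept
    }

    chain forward {
        # Traffic crossing the router: default deny.
        type filter hook forward priority 0; policy drop;

        # Replies to flows the inside initiated come back through here,
        # which is exactly what a NAT's translation table permits.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open anything outbound.
        iifname "lan0" oifname "wan0" accept

        # Unsolicited inbound is dropped by the chain policy. A single
        # explicit rule here is all a "port forward" becomes on IPv6:
        # iifname "wan0" oifname "lan0" tcp dport 5060 ip6 daddr 2001:db8::10 accept
    }
}
```

The commented-out forward rule shows how an inbound exception (for example, a SIP proxy) is expressed as ordinary policy on a globally routable address, which is the part ICE and friends exist to work around when a NAT sits in the path.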