Why would you use IPv6 internally?

Question

Of course, I realize the need to go to IPv6 out on the open Internet since we are running out of addresses, but I really don't understand why there is any need to use it on an internal network. I have done zero with IPv6, so I also wonder: Won't modern firewalls do NAT between internal IPv4 addresses, and external IPv6 addresses?

I was just wondering since I have seen so many people struggling with IPv6 questions here, and wonder why bother?

score 59 · Accepted Answer · edited Jun 17 '15 at 13:15

59

There is no NAT for IPv6 (as you think of NAT anyway). NAT was an $EXPLETIVE temporary solution to IPv4 running out of addresses (a problem which didn't actually exist, and was solved before NAT was ever necessary, but history is 20/20). It adds nothing but complexity and would do little except cause headaches in IPv6 (we have so many IPv6 Address we unabashedly waste them). NAT66 does exist, and is meant to reduce the number of IPv6 addresses used by each host (it's normal for IPv6 hosts to have multiple addresses, IPv6 is somewhat different than IPv4 in many ways, this is one).

The Internet was supposed to be end-to-end routable, that is part of the reason IPv4 in invented and why it gained acceptance. That is not to say that all address on the Internet were supposed to be reachable. NAT breaks both. Firewalls add layers of security by breaking reachability, but normally that it's at the expense of routability.

You will want IPv6 in your networks as there is no way to specify an IPv6 endpoint with a IPv4 address. The other way around does work, which enables IPv6-only networks using DNS64 and NAT64 to access the IPv4 Internet still. It's actually possible today to ditch IPv4 all together, though it's a bit of hassle setting it up. It would be possible to proxy from IPv4 internal addresses to IPv6 servers. Adding and configuring a proxy server adds configuration, hardware, and maintenance costs to the network; usually much more than simply enabling IPv6.

NAT causes it's own problems too. The Router has to be capable of coordinating every connection running through it, keeping track of endpoints, ports, timeouts, and more. All that traffic is being funneled through that single point usually. Though it's possible to build redundant NAT routers, the technology is massively complex and generally expensive. Redundant simple routers are easy and cheap (comparatively). Also, to re-establish some of the routability, forwarding and translating rules have to be established on the NAT system. This still breaks protocols which embed IP addresses, such as SIP. UPNP, STUN, and other protocols were invented to help with this problem too - more complexity, more maintenance, more that could go wrong.

edited Jun 17 '15 at 13:15

RichVel

3,594

answered May 26 '11 at 19:21

Chris S

78,185

3

I always liked NAT since it kept internal networks that much more segregated from external networks. Does your answer mean that when we eventually transition totally to IPv6, every computer, even internally, will have real routable IP addresses? – KCotreau May 26 '11 at 19:24
30

The router the NAT was running on is what separated the networks, that router will still separate the networks, nothing has changed except the router has to be programmed correctly for IPv6. Routable yes, not necessarily reachable (firewall rules will likely block most traffic). – Chris S May 26 '11 at 19:26
1

@kcotreau: Yes, that is what it means. – Satanicpuppy May 26 '11 at 19:38
2

-1. Factually wrong. NAT for Ipv6 is now officially in development ;) – TomTom May 26 '11 at 21:05
13

@Tomtom: Anyone who thinks they need it doesn't know they need a firewall instead. There is literally no problem that NAT is the best solution for, other than problems caused by scarcity of addressing. There is no scarcity of addressing in IPv6 (yet!). It might well be in development, but that doesn't mean it's not a stupid idea :) – growse May 26 '11 at 21:32
@growse that doesn't change the fact that ipv6 NAT is in the works :http://arstechnica.com/old/content/2008/07/after-staunch-resistance-nat-may-come-to-ipv6-after-all.ars as an example – Jim B May 26 '11 at 21:37
6

@JimB - as far as I'm aware there's been at least 4 different IPv6 NAT proposals that have been in development and all of them have failed. Given that that page is almost 3 years old, I'm going to guess that by now it's failed too – Mark Henderson May 26 '11 at 21:41
@Mark - thta was just the first hit the all knowing search engine supplied. searcing for drafts the latest I found (there is a bunch) seemed to be a plea to avoid NAT and that doesn't expire till 9/2011 (https://trac.tools.ietf.org/html/draft-ietf-v6ops-ipv6-multihoming-without-ipv6nat-00) I could be wrong- I haven't the heart to actually plod thru them. – Jim B May 26 '11 at 21:53
2

Factually simplified; there have been no successful NATv6 Projects. There have also been IPv6 prefix remapping initiatives, using link/site local addresses internally and mapping them to global IPs for external routing at the site gateway(s) (though this is not implemented in the same way as NAT, it's somewhat similar). – Chris S May 26 '11 at 21:55
1

"just because it is public, does not mean it is reachable." Of course I realize that, but it is still a bit harder to make a configuration mistake by accident with NAT. – KCotreau May 26 '11 at 22:41
15

I know this will sound offensive, so I'm apologizing up front, but if you aren't the cook stay out of the kitchen. People understand if they work on their own car they might break something that causes a world of damage... Same goes for computer security, if you don't know how, you'll likely end up doing more harm than good. You do have a point, that NAT makes some levels of security easier (most notably and almost exclusively that your internal network isn't Internet routable). Even on most NAT routers today this is only a default setting, and the "security" provided by NAT can be disabled. – Chris S May 27 '11 at 03:23
1

Chris S concepts on NAT are way wrong; one of the best features of NAT besides the artificial expansion of IPv4 schema is SECURITY. NAT is the layer that hides the real IP of a host that if directly connected to Internet can be the target of all the imaginable attacks. Happily talking about getting rid of NAT without encouraging extra security measures is just plain ignorance. – Pat Feb 15 '13 at 14:01
10

Lets not start bandying around words like 'SECURITY' without a sensible discussion about vulnerabilities and threats. What specific vulnerability does NAT protect? What specific 'attacks' are you talking about? Are they the same attacks that the rest of the professional world mitigates with a stateful firewall? If so, NAT's not really buying you much. – growse Feb 15 '13 at 14:29
@growse let's put it in a different way; can you tell me that NAT does not have security implications??? Of course it does have security implications. if you think other way you and your upvoter fellas get the books. – Pat Feb 15 '13 at 20:39
6

Maybe I'll repeat the question, just in case you missed it. It's a simple question, shouldn't be too difficult to answer: What specific vulnerability does NAT protect? If you like, I could rephrase: What specific security risk does NAT mitigate? – growse Feb 15 '13 at 21:48
@growse It does protect your "real" IP by hiding it; just see the Log of an Apache server on a public IP and you'll see what I'm talking about. Do you have an idea how many people today get connected to internet protected ONLY by a NAT layer??? before you challenge me you better GET THE BOOKS. – Pat Feb 16 '13 at 00:05
7

Why is my device's IP address a secret? Why does it need to be hidden? What security risk do I run by having my IP address public? – growse Feb 16 '13 at 00:28
@growse sorry no time for answering kindergarten questions... just go and ask for help to the ones that just upvoted you. – Pat Feb 16 '13 at 01:34
6

Ah, simple questions are beneath you. Well, that says a lot. – growse Feb 17 '13 at 00:36
Would you ever put a home refrigerator, a smart TV, a printer, or a small IoT device like the Raspberry Pi on a public facing ipv6 address? If they need to update some cloud service they could update from behind a firewall outbound no UPnP. 2020 I have a router which claims to have an IPv6 Firewall it looks exactly like the port forwarding of IPv4, isn’t that basically the PAT part of NAT? Would you put a Windows 10 PC on a public ipv6 that you have to reboot to get security updates? Common sense and experience says to me I want those hidden by PAT to a single public IP. – John Ernest Oct 14 '20 at 00:21
I read through this somewhat heated discussion and it seems like the whole point is that it doesn't matter if your IP address is public, as long as it is behind a firewall that doesn't let through any incoming traffic. This is almost definitely the default configuration of your router, which means that out of the box, IPv6 offers the exact same security as IPv4. Just make sure that you don't go into the settings and disable the firewall and you're fine. The router I got from my ISP doesn't actually allow me to disable the firewall, so you might have to install custom firmware to disable it. – Erik B Mar 11 '23 at 05:03

petrus · Answer 2 · 2013-12-20T08:45:40.773

24

Running out of internal (rfc1918) ipv4 addresses can also be a very valid reason to go ipv6.

Comcast explained at Nanog37 why they were going ipv6 for their management addresses.

20 Million video customer
x 2.5 STB/customer
x 2 ip addresses/STB
--------------------  
= 100 Millions IP addresses

And this is only for video, not data/modems.

They exhausted the RFC1918 pools in 2005. Then they used public addresses pools (as nat isn't an option for management), and went ipv6 to solve their needs.

edited Dec 20 '13 at 08:45

answered May 26 '11 at 20:40

petrus

5,327

3

What about the non-mega corporations? – Cypher May 26 '11 at 20:55
1

well, there is still all other answers ;) – petrus May 26 '11 at 23:17
I don't think that any corporation is going use more than 16,777,216 INTERNALLY...Sure, externally for their customers. Nobody disputes that we need more public IP addresses. – KCotreau May 26 '11 at 23:18
6

I wasn't talking about the public/wan ip address of a router, but the management ip addresses on a cable modem or set-top box. So yes, Comcast and all large cable providers do need more than 2^24 ip @. – petrus May 26 '11 at 23:27

score 15 · Answer 3 · answered May 26 '11 at 20:16

15

Couple of reasons:

IPv6 doesn't support broadcasting. It is replaced with multicasting. Broadcasting enables one node to send traffic to all nodes on a subnet. Management of broadcast domains is a major issue with keeping large IPv4 networks running fast and smoothly. Multicasting requires that nodes that want to receive "broadcast"-style actually "sign-up" for it, so the network isn't flooded with traffic that hits all hosts.
IPv6 supports IPsec style encryption natively.
IPv6 supports autoconfiguration. It's possible for hosts behind a router to configure themselves without the need for DHCP, although you still need a DHCP server to hand out DHCP options such as DNS server, TFTP server, etc.

answered May 26 '11 at 20:16

LawrenceC

1,212
7
14

3

IPv6 allows renumbering of an entire subnet with almost no complication. It also allows merging of subnets. It has incredibly granular control over multicast traffic... there are even more reasons but its been forever since I took my IPv6 course. – Matthew May 26 '11 at 20:43
4

These are all popular myths, here's the bit more info: IPv6's multicasting is mandatory for basic functionality: for example to do a IPv4's ping broadcast equivallent you ping6 to FF02::1 for all regular nodes, and FF02::2 for all routers. IPv6's IPSec does not change ANYTHING from IPv4. You don't get any security for free. Still gotta configure all the modes, and deal with key distribution. IPv6's autoconfiguration is utter junk; by default it's as insecure as MAC<->IPv4, and it does NOT hand out DNS. If you want DNS you gotta install DHCPv6, so no gain there. – Marcin Jun 15 '11 at 03:18
1

I consider the 3rd point a weakness of ip6. How many times have you checked to see whether a machine had received an IP as part of the troubleshooting process? That part just got more difficult. – Joel Coel Jun 20 '11 at 23:41

score 14 · Answer 4 · answered May 26 '11 at 21:28

My old job, at a large University, would use an IPv6 allocation internally. They were assigned an IPv4 /16 back in the day and even today is passing out IPv4 addresses to nearly every internal client. The RFC1918 networks were restricted to the telecom-only network and certain specialized usages (the PCI standards required RFC1918 usage until October 2010).

Because of this, they were actively planning to use IPv6 internally as well. There were some hardware issues still to work out, the edge switches weren't supporting v6 well enough, but the core was ready. The idea was that getting v6 support at the publicly visible end (okay, the publicly responsive end) of the network would involve 70% of the work to deploy it to everyone, may as well do the extra 30% and go end-to-end with it.

Having lived with a public IP allocation for so long, our people were very aware of the adage: "just because it is public, does not mean it is reachable." As Chris S said, routeable does not imply reachable.

That is why at least one class of organization would deploy IPv6 internally: because they're already using non-RFC1918 IPv4 internally.

John Gardeniers · Answer 5 · 2011-06-15T03:04:49.657

Working for a small company I can only think of reasons NOT to use IPv6.

We don't even have an IPv6 public address, so why on Earth would we run it internally?
We would have to replace our firewall, which I love dearly, as it doesn't (yet) support IPv6
We don't have a way to assign, let alone control, IPv6 addresses
Only half of our PCs supports IPv6
None of our manufacturing plant supports IPv6
Our switches don't support IPv6
I've never even seen a printer that supports IPv6
IPv6 is much harder to use from the command line - pretty important point for me
I would need to get fully up to speed on IPv6 - hard to do when I'm uninterested
... and a whole lot of other reasons I can't think of just now

It just doesn't make sense for a company like ours to make the change, as it would take considerable expense and effort with absolutely nothing to gain from it.

Quite frankly, I like NAT and the benefits we get from dealing with local addresses. If it ever becomes necessary (as opposed to being a geek want-to-do) for us to interact with IPv6 on the Internet we'll do so at the gateway.

I'm not expecting this current IPv6 fad to become a necessity for the very vast majority of the world, internally at least, for a decade or more. As I expect to be retired by then there's not a whole lot of incentive for me personally to waste time and effort on it.

Edit:

I'm getting downvotes but not a single logical and sensible opposing view. Makes me think it's just a bunch of bandwagon jumping geeks who want to follow the trend without thinking about it. There has to be a REASON to make such a drastic change to a network and I don't have one. Further, I strongly suspect only a very few SF users do have one.

score 7 · Answer 6 · answered May 26 '11 at 20:29

IPv6 does offer some potential real-world improvements over IPv4, such as a simpler auto-configuration and auto-discovery mechanism, it's also safer in the sense that it becomes unfeasible for malware to replicate across a network by port-scanning an IP range -- there are just too many IPs. But those improvements aren't particularly dramatic, and certainly not worth the switching cost.

But note that it's not an either/or decision, you can run both in parallel, and if you develop software, you probably should, as many people have mentioned, for testing purposes. There's no reliable way to make a program IPv6-compatible without having an internal IPv6 infrastructure to test on. Most modern OSes will set up an internal IPv6 network automatically between them -- it's just a matter of using it.

10 years ago I built a bit of software for an employer customers use to fetch program updates. When building the network component, I had to decide between building in IPv6 compatibility, or just assuming all IP addresses will be 4 bytes. I decided to take the simple route, saving myself about 4 hours of work, and made the application IPv4-only. I figured it would be replaced in a few years anyway. They're still using it today, and are therefore locked out of some smaller markets.

dtoubelis · Answer 7 · 2011-06-20T23:34:16.743

We are talking two things here - running internal network on pure IPv6 or running IPv4/IPv6 dual-stack. I think it is premature to talk about running pure IPv6 - on many operating systems it is even impossible using IPv6 without IPv4. However, you may consider running dual-stack for the following reasons (a) if you develop software (b) in order to prepare your network for inevitable migration to IPv6. If you situation is A then you should act now, if it is B then by my estimate you have about 1-2 years to think about it (but the sooner you start the more prepared you will be).

My situation is A and we are running dual-stack for 6 month now. During this time we identified and solved some issues with our public/private DNS, address allocation, DHCP, routing, firewalling and we could not even anticipate many of these issues without trying. Now, we are fully IPv6 ready and we even have IPv6 public access via tunneling. From my experience I can say with confidence that IPv6 is much simpler and more elegant solution in comparison to ageing IPv4, so I'll be very happy when time comes to switch to IPv6, but before this time comes - dual-stack is the way to go.

score 4 · Answer 8 · edited Oct 07 '21 at 06:47

Aside from lager address space, absence of broadcast, IPSec and simpler auto-configuration there are some "not so known" advantages of IPv6:

Bigger address space means that address has more bits that can be used as data storage. For example hop-count between two nodes then can be a function of their IPv6 addresses e.g.:
IPv6 address can be in format PREFIX:Country&Region:DC&Line:Rack&Unit:VM&ID so closer nodes will have more Most-Significant-Bits same. This is just an example, of course "closeness" metrics could be stored in some kind of external database like DNS TXT|SRV records.
There are some techniques of using address space of IPv6 for cryptographic purposes such as Cryptographically Generated Addresses (CGA) and SEND (SEcure Neighbor Discovery)
When IPv6 is enabled all nodes in network have link-local IPv6 address(if not configured otherwise). So there is a chance that you can access even mis-configured node.
You can get nodes' MAC addresses directly from link-local IPv6 address (if IPv6 privacy extensions are not configured)
There is no way you can possibly use IPv4 in subnets with thousands of nodes - your network will be overloaded with broadcast traffic (e.g. ARP).
You can query node for additional information using node information, e.g. in BSD you can query host for ICMPv6 Node Information Node Addresses:

$ ping6 -a Aacgsl ::1

PING6(72=40+8+24 bytes) ::1 --> ::1
136 bytes from ::1: 
  fe80::beae:c5ff:fe43:44a(TTL=infty)
  fe80::beae:c5ff:fe43:212(TTL=infty)
  ::1(TTL=infty)
  fe80::1(TTL=infty)
  2a02::9222(TTL=infty)

score 2 · Answer 9 · answered May 27 '11 at 14:21

I can think of two reasons to use IPv6 for an internal host.

You may find in the future that this host now needs to be externally available at least on certain ports.
You may find that this host needs to connect to another host who has also chosen the same internal address. For example you need to connect to 10.0.0.5 at Acme corporation and your own address at Emca corporation is also 10.0.0.5. I remember this happening at a previous job, we had both used the same internal addresses.

I would say that in the modern world most computers are not 100% internal. Most desktops can make some limited connections to the outside world or vice versa.

score 1 · Answer 10 · answered May 26 '11 at 19:42

1

The only good reason to go IPv6 internally is to be ready when the world switches to IPv6, and I think that's a pretty bad reason, given the rate of adoption. Since most internal IPs won't be externally reachable, it wouldn't be a big deal to translate the rest.

My corporation will probably never switch to IPv6 internally. It would require a fundamental shift in policy so massive I can't honestly conceive how it could come about. A lot of people would have to get killed, and a lot of inexplicable hiring choices would have to be made. Likewise, any attempt by individual business units to switch to IPv6 on their LANs would be squashed with prejudice by the corporate networking overlords based on interoperability and maintainablity concerns (we allow a lot of leeway locally, but not that much.)

Basically, if switching to IPv6 was painless, we'd have done it years ago.

answered May 26 '11 at 19:42

Satanicpuppy

5,965

16

"My corporation will probably never switch to IPv6 internally." <- that's a pretty bold and perhaps naive statement IMHO. – EEAA May 26 '11 at 20:00
4

@erika: They will when it becomes difficult to get hardware that supports IPv4. Until then, no. There is no business case for it. They'd be more likely to ditch internal networking entirely, and host their entire business in the cloud somewhere. – Satanicpuppy May 26 '11 at 20:05
3

What happens when Google or some other external service drops support for IPv4. Not being able to connect to people outside of your network will be a problem in the future. – Zoredache May 26 '11 at 20:40
3

@zoredache: We're talking internal support here. Even now, it's not hard to bridge IPv4 to IPv6, as long as you don't need every machine to be available externally. Hell, our current hardware supports that. – Satanicpuppy May 26 '11 at 20:44
2

Remember that all windows boxes since vista run dual stack out of the box. There is no reason NOT to let it stay on as implemented – Jim B May 26 '11 at 21:39
2

I remember lots of places which "would never switch to this new-fangled tcp/ip stuff" because netbeui or decnet or IPX were good enough. I wonder how that's working out for them? We've not "switched" where I work now, nor are we near to doing so but for the past few years we've specified that all new network infrastructure purchases must be able to support IPv6 properly. – Rob Moir May 26 '11 at 21:45
2

The IPv6 presentation I saw at LinuxFestNW was heavy on denigration and proselytizing, but really thin on usable implementation details. I still haven't found a good article of how to manage multiple internet uplinks from different providers when your ISP assigns your entire block. – Magellan May 26 '11 at 21:47
1

@robert: Uh, yea, that's exactly the same as switching to a different yet compatible addressing system. Good call. I'll just call up the guys, and we'll switch over a couple hundred subnets spread across the entire continental US, many of which will contain computers that will have significant issues with the new addresses. Just so we can be wildly ahead of the entire world. – Satanicpuppy May 26 '11 at 21:51
2

@satanicpuppy ipv4 and 6 can coexist until you get rid of the older OSes that do not support it, and gain all of the improvements for the ones that do. The world is implementing IPv6 , well unless you leave google, microsoft, and comcast (off the top of my head) out of the world. – Jim B May 26 '11 at 21:58
1

@Jim B: The world has been implementing IPv6 for a decade. I don't see any reason to force it out across a massive WAN today, across, literally, tens of thousands of individual machines, many of which do not support IPv6 as they stand, and some of which will never be able to support it. It may be easy to reconfigure your tiny office. It is extremely difficult to reconfigure a large, diverse network. – Satanicpuppy May 26 '11 at 22:09
2

@satanicpuppy, I've worked with noetworks with well over 50,000 machines and as many as about 3000 indiviual sites around the globe. I have yet to have to reconfigure them for IPv6 in 1 day. I have also not suggested that you haev to reconfigure anything BUT your network. it starts with the network- not the device, but with such a massive network I think it's a safe bet that you already have ipv6 traffic circulating around that you don't even realize is there. – Jim B May 26 '11 at 23:13
@jim: So? A little subnet level windows chatter is irrelevant. How could I possibly justify even suggesting such a transition? How could I justify the budget or the man hours? Any cost benefit analysis I provided would have a fat cost on one side, and a skinny benefit on the other. – Satanicpuppy May 27 '11 at 00:19
@Satanicpuppy Wait a few years, until the complaints start trickling in from your users that they can't hit certain web sites, or from outside users saying that can't hit your web site. The bean counters will realize real quick that there's something to this IPv6 stuff. Organizations that say "oh, I've got 5 /20s of IPv4, I'll never need IPv6!" are ignoring reality: there are not enough IPv4 addresses to connect all the devices in the world. That's the business case: connecting to all the devices, not just the ones that bought their IP space early enough. – Shane Madden May 27 '11 at 01:32
@shane: You know that an IPv4 lan can be bridged to an IPv6 network. Right? Because it seems like you don't. This is a discussion about IPv4 vs Ipv6 on LANs, not the internet. – Satanicpuppy May 27 '11 at 04:52
@Satanicpuppy To connect to the IPv6 internet, your LAN devices need either an IPv6 address, or a tunneling protocol. The tunneling protocols aren't meant to be a replacement for an actual IPv6 implementation; test the throughput on a 6to4 or Teredo node even now. The idea with these tunneling protocols is to bridge the gap until most of the routing backbone and ISP endpoints of the internet are IPv6 capable. You'll notice that NAT64 and DNS64 are a big deal right now, but there's no NAT46 to be found to allow you to keep your 10.0.0.0/8 addresses; give some consideration to why that is. – Shane Madden May 27 '11 at 06:09
@shane: If I cared about going 6to4, you might have a point. The vast majority of machines do not need to be accessible from the outside world. – Satanicpuppy May 27 '11 at 12:13
1

@Satanicpuppy Right, but there will come a day that your internal devices will need to communicate with an IPv6-only node on the internet. All I'm saying is that on that day, you will need either a tunneling protocol with client-node awareness (eg teredo) or a dual-stack deployment. "Bridging", as you put it, isn't a good description. – Shane Madden May 27 '11 at 14:13

score 0 · Answer 11 · answered Mar 02 '16 at 01:18

0

IPv4 was intended that every device be directly on the Internet...until we ran out of address space. Then, we've spent the last 20 years locking it all down. Now, IPv6 by design wants to, once again, place every device directly on the Internet... the outcome will be the same. I totally agree that NAT is one layer of security that is not going to be abandoned without an equally effective, or better, replacement.

answered Mar 02 '16 at 01:18

Bart

21

1

Like a firewall? – Michael Hampton Mar 02 '16 at 01:21
3

NAT is not security. A firewall is what gives you security, not NAT. Firewalls don't need NAT. Both IPv4 and IPv6 firewalls work perfectly well without enabling NAT, you can enable NAT on a router which doesn't firewall, and firewalls don't even need to route. You can't seem to look pat the all-in-one consumer devices. It is often convenient to NAT, route, and firewall in a single device, but they are separate functions. – Ron Maupin Mar 02 '16 at 01:53
2

Why do people still say things like this? NAT is not even a layer of security, and it wasn't designed to be one. It's just an ugly hack around inadequately long addresses. It's not an obstacle to most attackers. Downvoting because it's wrong and doesn't answer the question. – Falcon Momot Mar 02 '16 at 01:56
that post make me smile ;-) at first, then I thought, both thoughts are right - 1.) "the outcome will be the same." if we think long term, like countable number of years ahead for humanity. 2) "not going to be abandoned without an equally effective, or better, replacement." - again correct, the replacement is here already, but the point is correct. – Alex Martian Dec 18 '19 at 10:37

score -3 · Answer 12 · answered Jan 14 '15 at 14:08

Unfortunately, there is a lot of bad information in the vast majority of these answers and comments. It is so sad to see the blind leading the blind on this in such a prolific way.

NAT is not going anywhere and people that tell you "Oh, that NAT, what a terrible thing it is"..."Oh that NAT, it was nothing but a work around"...ad nasueum If they start using language like that, move on to a real professional network architect for advice, not a weekend networking armchair warrior.

Do you need to load balance traffic to internal servers from the Internet? Well guess what, with IPv6 you can't do it the way you have been doing it....unless you use NAT!

Yes, it is true. Some will say, oh you just use DSR/Direct server return load balancing. But they forget to tell you that you have to give up 1) Cookie insertion 2) Application acceleration 3) Port address translation

So if you want to run your internal servers on port 8080 but your external on port 80...Oh, so sad, no can do with IPv6....unless you are using good ole NAT! Not even with DSR.

Then add to that the "boasting" that people say "Oh, yeah all the IPv6 NAT proposals have failed...thank goodness" (and the empire dies to the sound of applause) You know what that means? NAT is going to be terrible, if it even works at all with IPv6, because all the IPv6 zealots are in denial about the need for NAT/PAT intrinsically and the people doing it are doing it reluctantly. So sad, so poorly managed

So what do you do now that the truth has set you free and you can rise above the throngs of lemmings trying to use scare tactics to force your compliance?

You buy or continue to use a Loadbalancer or Firewall that acts as the public/private broder of your network. Public side interfaces host the same VIPs you already have but with a complimenting IPv6 address if you need it. Everything north of the Loadbalancer/Firewall layer is also dual stack IPv4/IPv6. On the inside interfaces of the Loadbalancer/Firewall they are all IPv4 and your entire internal network is IPv4 and it stays that way as long as you like. It is only your business. The Loadbalancer does NAT/PAT between outside and inside...because it already is and needs to for full featured load balancing and because now it also solves your external IPv6 problem.

Oh and to the sarcastic person who asked "What single security purpose does NAT serve"

Security is about Availability at the most fundamental level. Think about it, before you dismiss it.

Load balancers provide that Availability/Security and you HAVE to use NAT/PAT to do it properly regardless of the version of IP you are using.

Citation regarding DSR fail: https://devcentral.f5.com/articles/the-disadvantages-of-dsr-direct-server-return

k thnx

I think your answer is trying to say that one needs NAT to have a nontrivial load balancer, but that is obviously not the case and does not address the question... — Falcon Momot, Mar 05 '16 at 10:38

score -4 · Answer 13 · answered Nov 25 '15 at 04:54

It is not a very good idea to use IPv6 on an internal network as many legacy devices would fail to communicate. Old copier / multifunction printers, medical equipment, old printing machines, older servers and network devices. The IPv4 scheme is much easier to manage imo.

score -12 · Answer 14 · answered Feb 15 '13 at 14:05

-12

The accepted answer is misleading

Chris S concepts on NAT are way wrong; one of the best features of NAT besides the artificial expansion of IPv4 schema is SECURITY. NAT is the layer that hides the real IP of a host that if directly connected to Internet can be the target of all the imaginable attacks. Happily talking about getting rid of NAT without encouraging extra security measures is just plain ignorance on the topic.

answered Feb 15 '13 at 14:05

Pat

3,579

5

How exactly is NAT a security layer? – MDMarra Mar 30 '13 at 09:37

Why would you use IPv6 internally?

14 Answers14

Linked