
Re: Does IPv6 preclude use of a NAT gateway?



Scott Ferguson (prettyfly.productions@gmail.com on 2011-07-12 12:13
+1000):
> > I am puzzled by this discussion. Without going into any features of 
> > IPv6, the reason NAT works for IPv4 that I have been taught is that 
> > the 192.168.xxx.xxx addresses are illegal on the actual internet.
> 
> Correction (pedantic semantics), not *illegal*, just not supposed to
> be used in Class A environments (because it won't work). You *will*
> find class C addresses used on internet exposed boxen - you just
> won't be able to load the links (DNS doesn't cope with duplicate IP
> entries).
I apologize for nitpicking your pedanticity, but classful addressing
was deprecated at around the same time IPv6 was designed (1994).
Besides, 10.0.0.0/8 *is* a class A network.

To both you and the GP: the addresses 10.0.0.0/8, 172.16.0.0/12 and
192.168.0.0/16 are neither "illegal" nor "not supposed to be used"; they
are explicitly reserved for internal network use. So yes, they will be
blackholed by properly configured Internet routers, but that is by
convention only.


> An "alternative" explanation is that NAT makes addresses available
> that DNS can't resolve. eg, many boxen behind IPV4 routers have an IP
> address of 192.168.x.x (Class C) - but their modem has a class A
> address that is listed with DNSs.
I'm confused here. You seem to be implying that you can use public DNS
names to make privately-homed servers available over the Internet? Just
how is that supposed to work, technically?

As an aside, 192.168.x.x is not a class C network. It is a collection
of 256 (-1) class C networks.

> Your firewall determines what packets from either direction are
> allowed through. NAT only provides the protection of turning off the
> lights to stop burglars - poor analogy, but my point is that there
> are many ways of seeing in the dark house without using your light
> (where light is externally exposed IP addresses).
If you want to do an analogy, I would suggest comparing it to a
corporate switchboard that advertises the company's customer service as
its caller ID. You can call people from inside, and they can talk to
you, but as soon as you hang up, the other side will not be able to
reach you if they call you back.

NAT, by design, is unable to forward unknown packets. That is its only
security virtue, and it is a technical limitation. A firewall, in
contrast, forwards or drops packets by policy. Case in point: your ISP
is perfectly capable of reaching your internal servers if you have NAT
but no firewall.


Regards,
Arno
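The distinction drawn in the last two paragraphs of the message above (NAT can only deliver an inbound packet that matches a translation entry it created; a firewall forwards or drops by policy; and a NAT box with no firewall will happily forward a packet the ISP routes straight to a 192.168.x.y host) as a small runnable model. This is an added example and not code from the thread or from any of its participants: the NatRouter, Packet and run_scenario names, the LAN 192.168.1.0/24, and the WAN/remote addresses (taken from the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed for illustration, and the model ignores TCP state and entry timeouts.

```python
# Added example (not from the original thread): a toy model of a NAT router
# with and without a stateful firewall. All addresses, ports and packets
# below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three blocks RFC 1918 reserves for internal use, as named in the thread.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the reserved private (RFC 1918) blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Source-NAT (masquerading) router with plain IP forwarding.
    firewall=True adds a forwarding policy of 'drop anything that is not
    part of a flow we opened'; firewall=False is NAT and forwarding only."""

    def __init__(self, wan_addr: str, lan_net: str, firewall: bool):
        self.wan_addr = wan_addr
        self.lan_net = ipaddress.ip_network(lan_net)
        self.firewall = firewall
        self.next_port = 40000
        # outbound flow -> WAN port we allocated, plus the reverse lookup
        self.out_map = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.in_map = {}   # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def egress(self, pkt: Packet) -> Packet:
        """LAN -> WAN: create a translation entry and rewrite the source.
        In the switchboard analogy this is placing the outbound call."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            wan_port = self.next_port
            self.next_port += 1
            self.out_map[key] = wan_port
            self.in_map[(wan_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.wan_addr, self.out_map[key], pkt.dst, pkt.dport)

    def hangup(self, pkt: Packet) -> None:
        """Flow ended (connection closed or entry expired): forget the mapping."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        wan_port = self.out_map.pop(key, None)
        if wan_port is not None:
            self.in_map.pop((wan_port, pkt.dst, pkt.dport), None)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. Returns the packet handed to the LAN, or None if dropped."""
        if pkt.dst == self.wan_addr:
            # Addressed to our public address: deliverable only if it matches a
            # translation entry. With no entry NAT has nowhere to send it; this
            # technical limitation is the only protection NAT provides.
            entry = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
            if entry is None:
                return None
            lan_ip, lan_port = entry
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        if ipaddress.ip_address(pkt.dst) in self.lan_net:
            # Already addressed to a LAN host, e.g. the ISP's router simply
            # routed 192.168.x.y down our link. NAT has nothing to translate;
            # only an explicit forwarding policy (a firewall) stops it.
            return None if self.firewall else pkt
        return None  # neither us nor our LAN: not routed


def run_scenario(firewall: bool) -> dict:
    """Replay the cases discussed in the thread; each value is 'delivered?'."""
    r = NatRouter(wan_addr="203.0.113.7", lan_net="192.168.1.0/24", firewall=firewall)
    lan_req = Packet("192.168.1.10", 51000, "198.51.100.80", 80)
    out = r.egress(lan_req)                       # LAN host opens a flow
    reply = Packet(out.dst, out.dport, out.src, out.sport)
    results = {
        "reply_to_open_flow": r.ingress(reply) is not None,
        "unsolicited_to_wan_addr":
            r.ingress(Packet("198.51.100.80", 80, "203.0.113.7", 22)) is not None,
        "isp_direct_to_lan_host":
            r.ingress(Packet("203.0.113.1", 4444, "192.168.1.10", 22)) is not None,
    }
    r.hangup(lan_req)                             # "as soon as you hang up"
    results["callback_after_hangup"] = r.ingress(reply) is not None
    return results


if __name__ == "__main__":
    for fw in (False, True):
        print("firewall" if fw else "NAT only", run_scenario(fw))
```

With firewall=False the only case that changes is "isp_direct_to_lan_host", which is exactly the situation the message describes: the reply to an open flow still gets through, the unsolicited packet to the public address is still dropped for want of a mapping, but a packet that arrives already addressed to the LAN host is forwarded unchanged. On a Linux box the firewall=False configuration corresponds to a MASQUERADE rule in the nat table with no FORWARD policy; firewall=True corresponds to a FORWARD chain that accepts established/related conntrack state and drops everything else.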

