Tuesday, December 10, 2013

IPv6 NAT66 and NPTv6 - it seems there is still a lot of confusion

I've written previous posts on NPTv6, but it seems I didn't do a particularly good job explaining the difference between NPTv6 and NAT66, and there is still a lot of confusion about what the actual difference between the two is. While both perform network address translation, they do it differently.

The difference is pretty simple. NAT66 performs the same function we have with NAT44: it is stateful network address translation on a router or firewall. It takes an IPv6 address on one network interface, translates it to a new IPv6 address on the other network interface, and forwards the packet. It may also perform some sort of application fix-up (an ALG) to keep certain protocols and applications from breaking. This requires resources (CPU and memory) on the router or firewall, and the returning traffic has to come back through the same device, because that device is keeping a state table of all the translations it is performing.

NPTv6 is different from NAT66 in that only the leftmost prefix portion of the address is translated (RFC 6296 also adjusts one 16-bit word of the address so that the rewrite is checksum-neutral, which is why transport-layer checksums do not have to be recalculated). This means the device doing the translation does not need to keep any state at all. So NPTv6 is stateless and therefore, in theory, can scale better and can be distributed across many devices doing the same function (regardless of forwarding changes and asymmetric routing). It does no application fix-ups, though, so a protocol that carries its own IP address in the payload has the same problem it has behind any NAT. The internal and external prefix sizes must match, so if you want to use NPTv6 you need to do some work to make sure things line up. In other words, if your internal network uses a /64 ULA prefix that you want to give access to the IPv6 Internet through NPTv6, you will need a /64 of global unicast address space for the router or firewall to translate into. If you have a /48 internally that you want to use NPTv6 with, then you will require a /48 externally.

There are some minor variations on these two. NAT66 can, in theory, also provide PAT functions, allowing a single IPv6 address to be overloaded by multiple IPv6 addresses behind it. This really is not needed with IPv6 at all, as there are more than enough IPv6 addresses to go around. In theory SLB64 looks like NAT66, because it provides a shared VIP to access a resource and translates traffic appropriately.

As a general rule of thumb, those in the IPv6 community see NPTv6 as a potential tool to solve some corner-case issues, and they see NAT66 as undesirable. There really is no reason to run NAT66, and if you do require any sort of NAT function then you should be using NPTv6. Unless we want to repeat all the mistakes we have made with NAT44 over the years (and now NAT444 with CGN solutions), adopting NAT66 is a poor choice.

Obviously this debate is ongoing, and it could be that NAT66 ends up winning, but I am hopeful that won't be the case.
- Ed

4 comments:

bckcntryskr said...

Nice post and explanation. I am in the just say no to NAT camp. Keep up the good work Ed.

Anonymous said...

I think using NAT66 is a political decision. From a technical point of view I agree with your opinion that NAT66 should not be used at all.

But there are other points of view:
With IPv6, even end customers get a /64 network assigned, and each single device in their private network gets a global IPv6 address as well: your PC, laptop, smartphone, game console, set-top box, smart TV, even your toothbrush and fridge.

From a security view, one has to create at least two networks: one accessible from the global IPv6 Internet, the other not (ULA is your friend). But how do you do a software update of your fridge then?
One other concern is that I do not want the whole world to know how many (and what kind of) devices I use in my private network.

So technically I agree with you about the necessity of NAT66, but politically, especially thinking of the whole GCHQ-NSA situation, I disagree.

Best

chris

Anonymous said...

Thank you, it's simple to understand with this explanation.