On 2/11/22 6:22 AM, Marc Haber wrote:
> Probably you have become so intimate with NAT and the other crutches
> we need to keep v4 alive that you're dearly missing them when they're
> not needed.
I don't think so.
> For v4, yes. IPv6 was carefully crafted not to need it.
The thing that IPv6 has over IPv4 is the number of IP addresses. But
/utilizing/ those IP addresses brings inherent problems, not the least
of which is additional routing burden.
Consider the use case of what I call the "Customer Interface Router".
Picture any business wherein each location is locally owned while having
some loose affiliation with a corporate entity with different owners. A
very good example is car dealerships affiliated with a major brand or
service company. Wherein each individual location administers their
network with complete autonomy and corporate administers it's network
with complete autonomy. With that large topology in mind, consider the
potential, nay likely, complications with needing to establish
bi-directional communications between every single location and the
corporate entity such that systems at corporate can print to the
networked printer in the parts department. The C.I.R. functions as an
integration between each individual location and corporate.
NAT makes this trivial to do. Corproate sends traffic to the C.I.R.
which translates what's necessary for each individual site's local
network. Similarly each local site sends traffic to the C.I.R. which
translates what's necessary to interface with corporate.
Corporate doesn't have to worry about (de)conflicting subnets across
multiple sites. Local stores don't need to worry about (de)conflicting
subnets with coroprate, much less other stores. Neither corporate nor
local stores need to propagate route information for each other's networks.
Corporate sends traffic to 192.0.<site #>.<printer #> to print orders in
the aprts department. The local manager connects to 198.51.100.<server
#> to access corproate's vehicle inventory system.
The NAT on the C.I.R. acts as an abstraction alyer allowing each side to
operate with almost complete autonomy from each other. I asy almost
because nominally each side can't have the /same/ subnet. However, even
taht can be accomodated by using two C.I.R.s back to back to do double
translation.
I have written this email using IPv4 addresses because they are simpler
/ shorter to type (and more mussle memory). But the exact same concept
applies to IPv6 as it does to IPv4.
The underlying issue is only compounded if you try to add another entity
to this scenario, say an external financing company or insurance
company. Each additional entity that needs to be integrated adds
complexity to /routed/ IP addresses at an exponential rate. Conversely
NATing C.I.R.s scale linearly.
The Customer Interface Router is only one scenario. I've run into other
more exhotic scenarios wherein I needed (as in didn't have a choice) to
have the same subnet in two different locations that couldn't actually
sahre the subnet (TL;DR: D.R. environment replicating part of corporate)
where each saw the other side as different subnets so that the could
have routed communications. Linux's net-map IPTables target (prefix
translation) made this ... possible. Backups of servers from one side
could be restored on the other side without readdressing or any other
changes and they could still communicate with what they needed to
communicate with.
Aside: I'd say the IP part was trivial, but the other parts of the
stack were anything but trivial.
So ... Network Address Translation is a /valuable/ tool to have in the
tool box and it has far more uses than what most people think of. Just
because the most common use is to allow private IPv4 addresses to share
a single public IPv4 address doesn't mean that it's the /only/ use.
To directly reply to your opening comment:
> Probably you have become so intimate with NAT and the other crutches
> we need to keep v4 alive that you're dearly missing them when they're
> not needed.
Nope. NAT actually *SIGNIFICANTLY* simplifies many of the different
networks that I've helped administer over the last 20 years. The C.I.R.
is one of the simpler examples. Getting Microsoft's Active Directory
Domain Controllers to be happy thinking that each is in the same subnet
when they are not, for DR purposes, is another use case for NAT (prefix
translation). These are things that can't easily be done with actual
routed IP addresses, irrespective of if they are IPv4 or IPv6.
Aside: The reason for the DR configuration was so that there could be a
production Active Directory Domain Controller in the D.R. environment
that was always online and replicating with the production corporate
network. The D.R. side /needed/ to have the same IP addresses as the
production side so that production (member) servers could be restored
without modification and /just/ /work/. But the D.R. and production
networks couldn't be connected as a L2 environment for many reasons.
Not the least of which is that production had to be online at the same
time various D.R. tests were happening. The simplest solution was to
let each side think that it was the network it was configured for and to
lie to it about what the other side's network was. Thus each side would
send traffic to the other side's fake IP address, NAT would happen in
the middle to actually estabish the communications. It worked
wonderfuly well.
Further Aside: I challange you to explain to me how routed addresses,
IPv4 or IPv6, can work as well as NAT does in either the C.I.R. or D.R.
environment.