NAT shows its ugly face in the IPv6 world.
Lately there's been some fuss in the corners about the need for NAT in the new world order of IPv6.
I think it's a poor design choice, and I'll give my reasons below.
One of the reasons people seem to feel they need NAT is access to IPv4-only content. While I agree this is certainly a concern, it matters less every day as more content providers run dual-stack (or some other form of proxying). Either way, as a user you can reach more and more content directly over IPv6 by the day.
Second is "security". I put this in quotes as I really don't think it's real security. Security through obscurity, which is what NAT really provides for you today, is no security at all. What a NAT box actually does for you is drop unsolicited inbound packets because no entry exists in its translation table; a plain stateful firewall gives IPv6 the same default-deny without rewriting a single address (RFC 4864 walks through this). A lot of "attacks" are application-layer attacks in which the service behind your NAT device is the target, not the IP stack itself, and NAT forwards that traffic happily because you asked for it. Even in a DDoS, the state table on your NAT device is the first thing to break down anyway.
End-to-end connectivity. This is an issue in our networks today and it will not go away with NAT64. All the reasons why breaking it is harmful have been documented elsewhere plenty of times (RFC 2993 and RFC 3027 are the classic write-ups of what NAT does to the architecture and to individual protocols), so I will leave it at that.
Carrier-grade NAT. What all the proposals really call for is carrier-grade NAT. If you take a look at the video from TechwiseTV linked below, you'll see that their NAT64 device is an ASR1000. This is carrier-grade iron. I don't want any carrier handling translation for me. Give me the direct pipe instead.
Another is complexity. Take a look at a typical flow through NAT64 (and DNS64) and count the steps needed for a simple request/response from host to host. Your DNS64 resolver has to "synthesize" AAAA records by embedding the IPv4 address from the A record into the NAT64 prefix (the well-known prefix 64:ff9b::/96 or one of your own, per RFC 6052), the NAT64 device has to keep per-session state and rewrite every packet in both directions, and your DNS infrastructure has to support all of it. A validating client on top of that will reject the synthesized records, because nobody signed them.
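To make that synthesis step concrete, here is an added example (not code from this post, and not any vendor's NAT64 implementation) of the RFC 6052 address mapping a DNS64 resolver performs when it builds a AAAA answer from A records, plus the inverse mapping the NAT64 translator applies on the way out and the "native AAAA wins" rule from RFC 6147. The zone names, records and `ZONE` table are constructed for the example; the non-global check is deliberately narrow (RFC 1918, loopback, link-local, 0/8) rather than the full IANA special-purpose registry.

```python
"""RFC 6052 address synthesis as used by DNS64/NAT64 (added example)."""
import ipaddress

# Well-Known Prefix from RFC 6052 section 2.1; a deployment may use its own
# Network-Specific Prefix instead.
WKP = ipaddress.IPv6Network("64:ff9b::/96")
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)

# RFC 6052 section 3.1: the WKP must not carry non-global IPv4 addresses.
# Assumption: a narrow list is enough here; a real resolver would consult the
# full IANA special-purpose registry.
_NON_GLOBAL_V4 = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def synthesize_aaaa(ipv4: str, prefix=WKP) -> str:
    """Embed an IPv4 address in Pref64::/n per RFC 6052 section 2.2.

    The bits right after the prefix hold the leading part of the IPv4
    address, bits 64-71 (the "u" octet) must be zero, and any remaining
    IPv4 bits continue at bit 72.  A /96 prefix is the simple tail case.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    pfx = ipaddress.IPv6Network(prefix)
    n = pfx.prefixlen
    if n not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"prefix length /{n} is not allowed by RFC 6052")
    if pfx == WKP and any(v4 in net for net in _NON_GLOBAL_V4):
        raise ValueError(f"{v4} is non-global; the WKP must not be used for it")
    base = int(pfx.network_address)
    v4i = int(v4)
    if n == 96:
        return str(ipaddress.IPv6Address(base | v4i))
    lead = 64 - n                          # IPv4 bits that fit before "u"
    high = v4i >> (32 - lead)              # leading bits, placed at bit n
    low = v4i & ((1 << (32 - lead)) - 1)   # remainder, placed at bit 72
    addr = base | (high << 64) | (low << (56 - (32 - lead)))
    return str(ipaddress.IPv6Address(addr))


def extract_ipv4(ipv6: str, prefix=WKP) -> str:
    """Reverse the mapping: what the NAT64 box does to a destination."""
    pfx = ipaddress.IPv6Network(prefix)
    a = ipaddress.IPv6Address(ipv6)
    if a not in pfx:
        raise ValueError(f"{a} is not inside {pfx}")
    n = pfx.prefixlen
    ai = int(a)
    if n == 96:
        return str(ipaddress.IPv4Address(ai & 0xFFFFFFFF))
    if (ai >> 56) & 0xFF:
        raise ValueError("bits 64-71 must be zero in an RFC 6052 address")
    lead = 64 - n
    high = (ai >> 64) & ((1 << lead) - 1)
    low = (ai >> (56 - (32 - lead))) & ((1 << (32 - lead)) - 1)
    return str(ipaddress.IPv4Address((high << (32 - lead)) | low))


# Constructed zone data standing in for real DNS answers (not from the post).
ZONE = {
    "dual.example.":   {"A": ["192.0.2.33"], "AAAA": ["2001:db8::1"]},
    "v4only.example.": {"A": ["192.0.2.33", "192.0.2.34"]},
}


def dns64_answer(name: str, zone=ZONE, prefix=WKP) -> list:
    """What a DNS64 resolver returns for an AAAA query (RFC 6147 section 5).

    Native AAAA records win; synthesis happens only when the name has A
    records and no AAAA records at all.
    """
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return list(rr["AAAA"])
    return [synthesize_aaaa(a, prefix) for a in rr.get("A", [])]


if __name__ == "__main__":
    for name in ZONE:
        answer = dns64_answer(name)
        print(f"AAAA? {name:18} -> {answer}")
    # The translator undoes the embedding when the packet leaves the v6 side.
    print("NAT64 maps", answer[0], "back to", extract_ipv4(answer[0]))
```

Every one of those shifts is work the network has to get right on every packet and every DNS answer; with native IPv6 the AAAA record is simply the answer and none of it exists.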
And finally (in my reasoning) comes probably the worst of them all. If we get all the above working, it will _never_ get replaced with a true, native IPv6 network. Don't install a bad design and hope for it to be removed at a later date.
So please. Make the effort to go native instead of going NAT.
Thanks.