
IPv6 NAP: There is no need for NAT in IPv6

IPv6 NAP: There is no need for NAT in IPv6. Eric Klein, MSc. Leon Recanati Graduate School of Business Administration and the Netvision Institute for Internet Studies, Tel Aviv University. Note: Based on IETF draft standard Local Network Protection for IPv6



Presentation Transcript


  1. IPv6 NAP: There is no need for NAT in IPv6
     Eric Klein, MSc. Leon Recanati Graduate School of Business Administration and the Netvision Institute for Internet Studies, Tel Aviv University
     Note: Based on IETF draft standard Local Network Protection for IPv6 <www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-06.txt>

  2. IPv4 - NAT: IP Allocation
     • Originally IP addresses were allocated in a "classful" method:
       Class     Number of networks     Hosts per network
       A         126                    16,777,214
       B         16,384                 65,532
       C         2,097,152              254
       D         Multicast addresses
       E         Reserved for experimental use
     • For more on IP classes see RFC 791; for Class D addresses see RFC 1112

  3. IPv4 - NAT: IP Allocation
     IPv4 Address Allocation History
     • 1981 – IPv4 protocol published; IP addresses used to uniquely identify and locate IP devices
     • 1985 – 1/16 of total space
     • 1990 – 1/8 of total space
     • 1995 – 1/3 of total space
     • 2000 – 1/2 of total space
     • 2002.5 – 2/3 of total space
     This consumption occurred despite increasingly intense conservation efforts. Current estimates predict that all IPv4 addresses will be used between 2008 and 2015; the most common prediction is sometime in 2010.
     Source: Neil Lovering, Cisco Systems, "IPv6 and Semantic Interoperability" (http://colab.cim3.net/file/work/SICoP/2006-04-2728/NLovering04272006.ppt)

  4. IPv4 - NAT: Addresses Allocation
     • RFC 1918 opened up the reserved spaces for private networks with the following private address spaces:
       • Class A: 10.*.*.*
       • Class B: 172.16.*.* - 172.31.*.*
       • Class C: 192.168.*.*
     • This was not based on a planned action, but was the reaction to common practice, codified in order to prevent future problems.
     • Most NAT implementations use one of these 3 ranges rather than a registered address range or, as was the practice prior to RFC 1918, any address space that the network administrator wanted to use. This enabled the deepening shortage to be offset by thousands of sites utilizing these addresses behind NAT routers.
     • Then in 1993 came Classless Inter-Domain Routing (CIDR), which allowed those large blocks of addresses to be opened up as they became available, effectively increasing the pool of available addresses. So each time a Class A address was returned to the pool, instead of one company benefiting, hundreds benefited.
     • For more on CIDR see RFCs 1517, 1519, and 1817

  5. IPv4 - NAT: Address Translation
     In the early 1990s the two most compelling problems facing the IP Internet were IP address depletion and scaling in routing. Long-term and short-term solutions to these problems were being developed. The short-term solution was CIDR (Classless Inter-Domain Routing). The long-term solutions consisted of various proposals for new internet protocols with larger addresses (IPv6).
     Until the long-term solutions were ready, an easy way to hold down the demand for IP addresses was through address reuse. This solution takes advantage of the fact that a very small percentage of hosts in a stub domain are communicating outside of the domain at any given time. Thus it was possible to use fewer addresses publicly while using Network Address Translation to support a large pool of numbers inside an organization.
     For example: in most home networks there is only one IP address assigned that is publicly announced, and thus addressable by outside services. This does not stop you from having more than one computer on a home LAN. This is done via NAT in the broadband router that connects the home to the public internet.
     [Diagram: five hosts (1-5) on a home LAN connected to the Internet. Without NAT = 5 public addresses; with NAT = 1 public address]

  6. IPv4 - NAT: Why NAT?
     • Originally NAT was designed because there were not enough addresses available from the different ISPs.
       • "Our ISP will only give me one address and I need to support many computers."
     • Over time other uses of NAT were found and became the "reason" for its implementation:
       • "It offers security by hiding the network topology."
       • "It is easier to configure DHCP on a NAT pool when setting up the network."
       • "When we merge sites, manage multiple sites, it is easier to renumber."
     • For more on DHCP see RFCs 2131 and 2132

  7. IPv4 - NAT: Why NAT? / NAT Requirements / IPv4 Problems (slide content not included in the transcript)

  8. IPv4 - NAT: Why NAT? / NAT Requirements / IPv4 Problems (slide content not included in the transcript)

  9. IPv6 - NAP: History
     • Started in 1994, IPv6 was originally conceived of as the evolution of the IP address pool and an update of the protocol architecture.
     • IPv6 has been heralded as the savior of the Internet by offering all sorts of catch phrases:
       • "An IP address for everyone alive today and born in the next 100 years."
       • "It is more secure than IPv4 because it has IPSec built in."
       • And others.
     • As you have heard in the other presentations in this panel, IPv6 is coming; some would say that it is already here, as services are available from many different ISPs while software and hardware vendors have been including support for the protocol for up to the past 4 years.
     • There is a reality that you need to understand:
       • IPv6 is being resisted by companies that don't want to spend money to upgrade, but it is mandated by many governments starting in 2008.

  10. IPv6 - NAP: History / Private Addresses / Untraceable Addresses / IPv6 Solutions (slide content not included in the transcript)

  11. IPv6 - NAP: Private Addresses
     • In IPv4 there was no way to officially have private addresses, so network admins would randomly choose a set of addresses and use them internally. Initially this was fine, as LANs were local only. This became a problem when the addresses chosen were registered to other companies and then the various LANs were connected to the Internet. To solve this, NAT and the private address spaces were assigned.
     • In IPv6, learning from the past, Unique Local Addresses (ULAs) were defined with the following characteristics:
       • For all practical purposes a globally unique prefix.
       • Allows networks to be combined or privately interconnected without creating address conflicts or requiring renumbering.
       • If accidentally leaked outside of a network via routing or DNS, it is highly unlikely that there will be a conflict with any other addresses.
       • ISP independent and can be used for communications inside of a network.
       • Well-known prefix to allow for easy filtering at network boundaries.
       • In practice, applications may treat these addresses like global scoped addresses.

  12. IPv6 - NAP: Untraceable Addresses
     The main goal of untraceable IPv6 addresses is to create an apparently amorphous network infrastructure, as seen from external networks, to protect the local infrastructure from malicious outside influences and from mapping of any correlation between the network activities of multiple devices from external networks. When using untraceable IPv6 addresses, it could be that two apparently sequential addresses are allocated to devices on very different parts of the local network instead of belonging to devices adjacent to each other on the same subnet.
     Since IPv6 addresses will not be in short supply even within a single /64 (or shorter) prefix, it is possible to generate them effectively at random when untraceability is required. They will be globally routable IPv6 addresses under the site's prefix, which can be randomly and independently assigned to IPv6 devices. The random assignment is intended to mislead the outside world about the structure of the local network. As the DHCP algorithm can include a random seed, two hosts connecting one after the other can have addresses that are non-sequential.

  13. Summary: Conclusions
     • Companies that have traditionally relied on NAT for security and ease of numbering will no longer need it under IPv6.
     • For companies where multiple networks/segments exist but must maintain independence between them, like:
       • Service Providers with both public ISP and private management networks
       • Large corporations with special security requirements for some subnets (finance dept., legal dept., Development vs. Live networks, etc.)
     • It is possible to assign specific ULAs to those special areas and filter them at the router while maintaining global connectivity.
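The three mechanisms in slides 11 to 13 (a ULA prefix that is unique in practice, random untraceable addresses under a /64, and filtering ULAs at the site border while global addresses keep working) can be shown together in a few lines of code. The Python below is an added example written for this page, not code from the presentation or the IETF draft; it uses only the standard library `ipaddress` and `secrets` modules. The ULA layout it builds (fd00::/8, a 40-bit random Global ID, a 16-bit subnet ID) follows RFC 4193, which the slides do not cite by number; the function names, the "finance" subnet and the 2001:db8:: destination are constructed for illustration.

```python
import ipaddress
import secrets

# The well-known ULA space (fc00::/7) is what slide 11 means by a prefix that
# allows "easy filtering at network boundaries". Locally assigned ULAs use fd00::/8.
ULA_SPACE = ipaddress.IPv6Network("fc00::/7")


def generate_ula_prefix(global_id=None):
    """Return a locally assigned /48 ULA prefix: 0xfd || 40-bit Global ID || 16-bit subnet (0).

    global_id: optional 5-byte value (constructed in the test); when omitted a random
    one is drawn, which is what makes a ULA "for all practical purposes" globally unique.
    """
    if global_id is None:
        global_id = secrets.token_bytes(5)
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    prefix_int = (0xFD << 120) | (int.from_bytes(global_id, "big") << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def is_ula(addr):
    """True if addr lies inside fc00::/7 (the boundary-filter test)."""
    return ipaddress.IPv6Address(addr) in ULA_SPACE


def random_address(subnet):
    """Untraceable address (slide 12): a random interface ID under the given prefix.

    Two consecutive calls return unrelated values, so an outside observer cannot
    infer adjacency or allocation order from the addresses they see.
    """
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen > 64:
        raise ValueError("untraceable addresses need a /64 or shorter prefix")
    host_bits = 128 - net.prefixlen
    iid = secrets.randbits(host_bits)
    # Skip the all-zero interface ID, which is the subnet-router anycast address.
    while iid == 0:
        iid = secrets.randbits(host_bits)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def border_filter(src, dst):
    """Site-border policy from slide 13: ULA traffic never crosses the boundary.

    Returns "drop" for any packet whose source or destination is a ULA and
    "forward" otherwise. Hosts that need outside connectivity also carry a
    global address, so filtering ULAs does not cost them global reachability.
    """
    if is_ula(src) or is_ula(dst):
        return "drop"
    return "forward"


if __name__ == "__main__":
    site = generate_ula_prefix()
    # Hypothetical "finance" subnet: site /48 with subnet ID 1, as on slide 13.
    finance = ipaddress.IPv6Network((int(site.network_address) | (1 << 64), 64))
    print("site ULA /48:", site)
    print("finance subnet:", finance)
    print("two consecutively allocated hosts:", random_address(finance), random_address(finance))
    print("finance -> Internet via ULA:", border_filter(random_address(finance), "2001:db8::1"))
    print("finance -> Internet via global:", border_filter(random_address("2001:db8:1:1::/64"), "2001:db8::1"))
```

The same `random_address` call serves both the ULA and the global /64, which is the point of slide 12: the untraceable address is just a random interface ID under whatever prefix the host uses, so the internal ULA and the externally visible global address reveal nothing about each other or about neighbouring hosts.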

  14. Summary: Status of the Draft
     Status of the draft standard Local Network Protection for IPv6
     Draft Name: draft-ietf-v6ops-nap-06.txt (WG <v6ops> submission)
     Version: 06
     Intended Status: Informational
     Current State: Approved-announcement to be sent (14-02-2007)
     Approved-announcement to be sent: The IESG has approved the document for publication, but the Secretariat has not yet sent out an official approval message.
     • An RFC number should be assigned within 2 months due to the backlog in the RFC editor.
     • Latest version can be found at: www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-06.txt

  15. Summary: Acknowledgements
     • I would like to thank my fellow authors:
       • Gunter Van de Velde of Cisco Systems, Diegem, Belgium
       • Tony Hain of Cisco Systems, Bellevue, WA, USA
       • Ralph Droms of Cisco Systems, Boxborough, MA, USA
       • Brian Carpenter of IBM, Vernier, Switzerland

  16. Thank You
     Eric Klein
     EricLKlein@Softhome.net
     This Presentation can be found at: http://www.tau.ac.il/~ericklei/ISOC-IL-2007-No-Need-For-NAT.pdf
