[strongSwan] Query reg UDP encapsulation for IPv6

J.Witvliet at mindef.nl J.Witvliet at mindef.nl
Thu Apr 16 09:04:54 CEST 2015


See below

-----Original Message-----
From: users-bounces at lists.strongswan.org [mailto:users-bounces at lists.strongswan.org] On Behalf Of Ruel, Ryan
Sent: Thursday 16 April 2015 1:23
To: Tom Rymes; users at lists.strongswan.org
Subject: Re: [strongSwan] Query reg UDP encapsulation for IPv6

Future proof in what way?

IPv4 addresses are 32 bits long and number about
4.3×10^9 (4.3 billion).
IPv6 addresses are 128 bits long and number about
3.4×10^38 (340 undecillion).

NAT was built as a stop-gap measure due to the limitation in the number of addresses with IPv4.  It happens to be quite effective, but not without its many problems.

With IPv6, we are talking about an unimaginable amount of addresses!  Why would we want to re-introduce the pain of NAT?


/Ryan



On 4/15/15, 10:28 AM, "Tom Rymes" <trymes at rymes.com> wrote:

>On 04/15/2015 10:15 AM, Ruel, Ryan wrote:
>> Mukesh,
>>
>> I believe the idea is that for IPv6, NAT will not be needed (that's 
>> the beauty of having so much address space!).
>>
>> Technically, sure, you could NAT IPv6.  But why?
>>
>> /Ryan
>
>Ryan,
>
>Perhaps the best reason to address this is that the exact same thing 
>would have been said about IPv4 back in the day, so addressing this 
>issue now might make sense as a way of future-proofing things.
>
>Tom
>
-----Original Message-----

Ryan, you asked: "Why would we want to re-introduce the pain of NAT?...."

Let me first state that I agree that the whole technique of NAT (and PAT) has been abused for decades.
Because of the shortage of IPv4 addresses, you can share a single public address. Because NAT does it quite well, actually too well imho, it hindered the deployment of IPv6.
And much worse is that some considered it as a security measure they could rely on.

However, there are other situations where you can deploy the powerful NAT/PAT tool, hence they even implemented this for IPv6...
(Avoiding duplications, aiding with quick transitions, helping with configs in read-only situations, etc etc)

Hw


