Much-maligned feature being added to IPv6

Standards body weighs network address translators for next-gen Internet

In a high-tech twist of irony, the Internet engineering community is adding a feature to IPv6 that the upgrade to the Internet's main communications protocol was supposed to eliminate.

One of the design goals for IPv6 was that it would rid the Internet of network address translation (NAT), gateways that match increasingly scarce public IPv4 addresses with private IPv4 addresses used inside corporations, government agencies and other organizations. 

NAT is deployed in routers, servers and firewalls, and it adds complexity and cost to enterprise networks. Internet purists hate NATs because they break the end-to-end nature of the Internet; this is the idea that any end user can communicate directly to another end user over the Internet without middle boxes altering their packets.

But because it has taken so long to migrate the Internet from IPv4 to IPv6 -- IPv6 is 10 years old and not yet widely deployed -- and because IPv4 addresses are running out faster than Internet users are able to roll out the preferred method of IPv4-to-IPv6 transition known as dual-stack operation, the Internet engineering community has come to the conclusion that it must create special NAT devices to translate between IPv4-only and IPv6-only hosts.

"When the chips are down, NATs may be the only way we are going to get IPv6 added to the Internet," says Fred Baker, a Cisco Fellow who was chair of the IETF when IPv6 was designed. "If we have IPv4-only and IPv6-only networks, both of which we have now, NATs are the only way they will connect."

The Internet's leading standards body, the Internet Engineering Task Force, will discuss the issue of NATs for IPv6 at a meeting in Dublin, Ireland, later this month.

IETF Chair Russ Housley says NATs are "necessary for a smooth transition from IPv4 to IPv6." 

Housley says most IETF participants are resigned to the fact that NATs are required to translate between IPv4 and IPv6 until all of the Internet's hosts and routers support IPv6.

"The engineers and computer scientists that make up the IETF wish that the original plan had come to pass. But, of course, it didn't," Housley says. "Given the current situation, the IETF participants are seeking a pragmatic solution, and there is rough consensus that this is the best way forward."

Housley says the IETF needs to have a NAT-for-IPv6 specification ready for deployment in the next year or two. But he's holding out hope that someday NATs will be eliminated from the Internet.

"The desire is for these NAT devices to be needed only during the transition period," Housley says. "That transition will certainly not be quick, but when it is over, the need for NAT should go away."

Baker, who chairs the IETF's IPv6 Operations working group, which has been leading the effort to develop NATs for IPv6, says it has been an "amusing debate" within the IETF. That's because there is a group of people who hate NATs and another group of people who work for companies that make money selling NATs, and sometimes people from both groups work for the same company.

The bottom line is that "we need NATs for IPv6," Baker says. The IETF leadership "says some translation approach is necessary."

IPv4 address depletion

Prompting the development of NATs for IPv6 is the current estimate that the Internet will run out of IPv4 addresses in 2011. IPv4 uses 32-bit addresses and can support 4.3 billion devices -- not enough for the world's 6.5 billion people and all the Internet-connected PCs and cell phones they own.

IPv6 uses 128-bit addresses and can support a virtually limitless number of devices -- 2 to the 128th power -- connected directly to the Internet. IPv6 also has built-in security and network management enhancements. IPv6 backers have long touted the removal of NATs from the Internet as one of the key reasons for migrating from IPv4 to IPv6. 

Despite its benefits, IPv6 has been slow to catch on outside of Asia, where IPv4 addresses are scarce. In the United States, the federal government is leading the way to IPv6 adoption.

Alain Durand, chair of the IETF's Softwires working group and a long-time IPv6 proponent, says the IETF must rethink how IPv6 will be deployed because of looming IPv4 address depletion. Durand is director of Internet governance and IPv6 architecture in the Office of the CTO at Comcast.

"The original master plan 15 years ago was that everybody was going to deploy IPv6, and all the devices would be both IPv4 and IPv6 dual stack. The whole universe would be this way long before IPv4 addresses ran out. Well, it didn't happen that way," Durand says.

The pressure for the IETF to develop NATs for IPv6 is coming from carriers and early IPv6 adopters such as the Chinese government.

When IPv4 addresses are depleted, carriers will give their new customers IPv6 addresses. But all of the PCs, printers and gaming systems owned by these customers won't be upgraded to IPv6. That's why carriers need a mechanism to translate between IPv4 and IPv6 addresses.

Both Comcast and Free, a French ISP, are considering rolling out NATs as part of their IPv6 implementations. Comcast has proposed to the IETF a NAT-and-tunneling combination called Dual-Stack Lite, while Free has proposed a mechanism that the carrier used to deploy IPv6 to 1.5 million consumers in France.  

Durand's proposal includes traditional IPv4 NATs housed inside carrier networks along with IPv6-to-IPv4 tunneling at the edge of the network. Durand says this approach is the only realistic alternative to multiple layers of NATs translating between private IPv4, public IPv4 and public IPv6 addresses. 
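As an added illustration (not code from the article, from Comcast or from the IETF proposal), here is a toy model of the data path just described: the customer gateway tunnels untouched private-IPv4 packets over IPv6, and one IPv4 NAT inside the carrier network keys its bindings on the tunnel's IPv6 source, so two customers can both use the same private address without a second layer of NAT. All addresses are constructed documentation values, and the class and field names are this example's own.

```python
"""Toy model of the Dual-Stack Lite path described above: private IPv4 packets are
tunnelled over IPv6 to one carrier-side IPv4 NAT. Constructed example; documentation addresses."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IPv4Pkt:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Tunnelled:
    outer_src: str    # customer gateway's IPv6 address (the tunnel endpoint)
    inner: IPv4Pkt    # private-IPv4 packet, carried unmodified (no NAT at the edge)

class CarrierNAT:
    """Carrier-side IPv4 NAT. Bindings are keyed on the tunnel's IPv6 source as well
    as the inner address, so customers may reuse one private IPv4 range without a
    second NAT layer."""
    def __init__(self, public_v4: str, first_port: int = 1024):
        self.public_v4 = public_v4
        self.next_port = first_port
        self.out = {}   # (tunnel_src, inner_src, sport) -> public port
        self.back = {}  # public port -> (tunnel_src, inner_src, sport)

    def outbound(self, t: Tunnelled) -> IPv4Pkt:
        key = (t.outer_src, t.inner.src, t.inner.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return IPv4Pkt(self.public_v4, self.out[key], t.inner.dst, t.inner.dport)

    def inbound(self, pkt: IPv4Pkt) -> Optional[Tunnelled]:
        # Reply from the IPv4 Internet: only traffic matching an existing binding is
        # translated back and re-tunnelled to the customer that opened it.
        if pkt.dst != self.public_v4 or pkt.dport not in self.back:
            return None
        tunnel_src, inner_src, sport = self.back[pkt.dport]
        return Tunnelled(tunnel_src, IPv4Pkt(pkt.src, pkt.sport, inner_src, sport))

def demo():
    # Two customers behind the same private address both reach the same server.
    nat = CarrierNAT("198.51.100.1")
    a = Tunnelled("2001:db8::10", IPv4Pkt("192.168.1.2", 5000, "203.0.113.5", 80))
    b = Tunnelled("2001:db8::20", IPv4Pkt("192.168.1.2", 5000, "203.0.113.5", 80))
    pa, pb = nat.outbound(a), nat.outbound(b)
    reply = IPv4Pkt("203.0.113.5", 80, "198.51.100.1", pb.sport)
    return pa, pb, nat.inbound(reply)
```

Because the binding table carries the tunnel endpoint, the carrier can attribute any public port back to a specific customer for abuse handling, which a stack of independent NATs cannot do.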

"We have found a way to combine tunnels and classic IPv4 NATs to provide IPv4 services to our customers after the exhaustion of IPv4 addresses," Durand says, declining to comment on the irony of the situation. "That's what really matters."

The Chinese government used NATs to interoperate between the Chinese Education and Research Network (CERNET), which is IPv4-only, and CERNET2, the next-generation Chinese Internet backbone that is IPv6-only. 

Baker says the Chinese have been using a NAT approach dubbed IVI for about two years. "That makes it a strong contender in a world of rough consensus and running code," Baker says of IVI.

IPv6 NAT proposals

For the past year, the IETF's IPv6 Operations working group has been discussing how best to develop NATs for IPv6.

The IETF first considered network address translation with IPv6 in 2000, when it created a document entitled RFC 2766, Network Address Translation - Protocol Translation (NAT-PT). NAT-PT provided a mechanism for the dynamic allocation of public IPv4 addresses for IPv6-only nodes to allow IPv6-only nodes to communicate with IPv4-only nodes.

Last year, the IETF announced that NAT-PT causes too many deployment problems and security vulnerabilities. The rationale for avoiding NAT-PT, including the fact that it leaves networks open to denial-of-service attacks, is described in RFC 4966, Reasons to Move the Network Address Translation-Protocol Translation (NAT-PT) to Historic Status.  

After much debate, the IPv6 Operations working group in May issued a document that outlines the requirements for NATs for IPv6. This document will be sent to the IETF leadership for approval this summer, Baker says.

Also working on NATs for IPv6 are the IETF's Behavior Engineering for Hindrance Annoyance (BEHAVE) working group, which specializes in issues related to the use of NATs over the Internet, as well as the Softwires working group, which is developing tunneling and other mechanisms to ease the transition between IPv4 and IPv6.

"The work is important," says Dan Wing, chair of BEHAVE. Wing, a Cisco engineer, says BEHAVE will spend a significant amount of time at its face-to-face meeting in Dublin discussing NATs for IPv6.

The issue of NATs for IPv6 also is on the agenda for the Internet Area's open meeting in Dublin.

"We are going to evaluate NAT designs that avoid the problems described in RFC 4966," Wing says. "After the Dublin meeting, the [IETF leadership] will decide how to split the effort between the SOFTWIRE, INTERAREA, V6Ops and BEHAVE working groups."

The IETF is looking at five approaches for NATs for IPv6. 

Choosing the best and simplest NAT approach for IPv6 is a priority for the IETF.

"A big concern of mine is that we'll make a NAT solution so good that no one moves to IPv6," Baker quips.

Geoff Huston, chief scientist at APNIC and an expert on IPv4 address depletion, says it's important for the IETF to develop high-quality NATs for IPv6 instead of ignoring the requirement as it did with NATs for IPv4.

"Frankly, it's a NAT-dense Internet these days, and I for one would rather see the world as it is than steadfastly maintain a position of high principle in the face of reality," Huston says. "The challenge to the IETF is whether it is prepared to shed its biases here and figure out what would make NATs in IPv6 slightly less odious than what we did in IPv4."

Huston says NATs are useful for addressing, packet filtering and other functions. He says the real problem with NATs is that they lack standards, and that is an area where the IETF can make improvements in NATs for IPv6.

"The IETF's position of ignoring NATs some years back forced NAT software builders to exercise their own creativity when designing their version of NATs," Huston says. "This variation of NAT behavior is a far, far worse problem than NATs themselves."

Huston says NATs for IPv6 are "absolutely vital" for the transition from IPv4 to IPv6.

"Without NATs we might as well all go home, as we cannot drive through this transition process with a completely depleted IPv4 pool of addresses without a whole lot of additional NAT capability, both as traditional NATs and as protocol translating NATs," Huston says.

Copyright © 2008 IDG Communications, Inc.