One of the most common myths about IPv6 (Internet Protocol Version 6) is that it will restore the so-called end-to-end principle of the Internet. This article explains how the current ubiquity of Network Address Translation (NAT) across today's enterprise WANs make this very unlikely.
Network Address Translation and the end-to-end principle of the Internet
One of the core design principles of the Internet is usually referred to as the end-to-end principle and argues in favor of a dumb network, with most of the intelligence residing at the hosts. This principle leads to an architecture in which the network simply forwards datagrams from a source host to a destination host (or set of hosts), without much further interpretation of the forwarded datagrams.
As the simple Internet architecture evolved, a proliferation of network devices violated this principle. Network Address Translation (NAT) and Port Address Translation (PAT) -- an extension of NAT -- are prime examples. NATs were essentially introduced to conserve scarce IPv4 network addresses (by sharing network addresses among a number of hosts); for example, NATs are the de facto standard for connecting an entire home network to the Internet by means of a single IPv4 address, typically assigned by an Internet Service Provider (ISP). NATs violate the end-to-end principle by rewriting the IPv4 addresses and transport port numbers of the forwarded datagrams. NATs also prevent direct communication from hosts in the external network to hosts behind the NAT (as NATs typically require that communication be initiated from within the internal network). Network Address Translation is said to increase the fragility of the network, since failure of the NAT will typically affect the entire network behind the NAT. Additionally, NATs represent a challenge to applications that would benefit from end-to-end connectivity, such as peer-to-peer networking.
While the introduction of NAT was essentially motivated by the need to share scarce IPv4 network addresses, a number of other benefits were realized from the use of NAT:
- NATs reduce host exposure.
- They provide host privacy/masquerading.
- NATs can hide network topologies.
- They give enterprises IP address independence from ISPs.
Address independence, in particular, has been the main reason for which even many organizations with plenty of public IPv4 addresses have deployed NAT.
However, since it is widely -- and mistakenly -- believed that the only motivation for NAT is the sharing of scarce IPv4 addresses, it is usually assumed that IPv6 eliminates the need and motivation for NAT and that the deployment of IPv6 will thus restore the end-to-end principle of the Internet.
The myth of IPv6 restoring the end-to-end principle of the Internet
A careful analysis of the role played by Network Address Translation (NAT) in the current Internet architecture and the current strategies for deploying IPv6 can help dismantle this well-established myth of IPv6 restoring the end-to-end principle of the Internet.
Firstly, as noted above, NATs provide valuable features other than the sharing of scarce network addresses, such as address independence. NATs allow organizations to use the so-called private address space (or Unique Local IPv6 Unicast Addresses in IPv6) within the organizational network, so that renumbering internal IP addresses is not necessary when switching providers. This has probably been one of the reasons why an IPv6 version of NAT -- called NAT66 -- is one of the most wanted IPv6 features.
Secondly, it is very likely that the security architecture of IPv4 networks will be adopted for the emerging IPv6 networks, because people tend to resist change, among other reasons. Hence, the typical IPv6 subnet will be protected by a stateful firewall that only allows returns traffic (i.e., the IPv6 subnet only allows communication instances that are initiated from inside the network).
Finally, IPv6 transition/co-existence technologies will lead to the deployment of a plethora of NATs, both in the IPv4 and IPv6 Internet. In the IPv4 Internet, different flavors of NAT (CGN, A+P, etc.) will be deployed, so that native IPv4 connectivity can be provided to new nodes, even once the IPv4 address space is exhausted. In the IPv6 Internet, the IPv6/IPv4 translators -- like NAT64 -- will be deployed, so that IPv6-only nodes can communicate with IPv4-only nodes. This, together with other IPv6 transition/co-existence technologies, will certainly increase, at least in the short and near term, the complexity of both the IPv4 and IPv6 Internet and the intelligence required on the once-dumb network.
Not only will it be unlikely that IPv6 will restore the end-to-end principle of the Internet, but NAT will likely increase in the short to near term: It turns out that NAT, which has been deemed an “evil” for a long time, has become a desired feature in IPv6 and a key component of the IPv6 transition.
About the author: Gont is a networking and security consultant, who has worked on a number of projects on behalf of the UK National Infrastructure Security Coordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI). As part of his work for these organizations, he has authored a series of documents with recommendations for network engineers and implementers of the Internet protocol suite. Gont is an active participant at the IETF, where he contributes to several working groups, and has authored a number of RFCs (Request for Comments) and Internet-Drafts. He is a regular speaker at a number of conferences, trade shows, and technical meetings about information security, operating systems, and Internet engineering. More information is available at his website.