[ale] {Disarmed} Re: IPv4 devices on IPv6 network

Michael H. Warfield mhw at WittsEnd.com
Sun Jul 1 12:39:36 EDT 2012


On Sun, 2012-07-01 at 10:07 -0400, Justin Goldberg wrote:
> Certain IPsec VPN tunnels won't work over CGNAT? Hmmm, maybe now the
> ipv6 naysayers will give up their ranting (you know, the ones that say
> that there's no point to ipv6 other than more IP addresses). Maybe now
> they'll see NAT for the kludgy hack that it is and how it violates the
> end-to-end principle.

IPSec NAT-T UDP using ESPINUDP encapsulation will work.  IPSec over TCP
(Cisco and a couple of others) will work.  Basic IP protocol 50/51 IPsec
will not work as most NAT devices refuse to NAT those protocols, or
limit them to just one tunnel (which would be problematical for CGNAT
at an ISP).  The option of mapping a protocol across a NAT, a common way
to bypass the failings of NAT for some protocols and tunnels, also won't
work with CGNAT since the ISP is the one controlling the NAT and chances
of them being willing to add NAT mappings in (even if it could be done
without conflict between customers) is slim to none.

Mike

> On 6/30/12, Michael H. Warfield <mhw at wittsend.com> wrote:
> > On Sat, 2012-06-30 at 12:44 -0400, Michael Campbell wrote:
> >> On Sat, Jun 30, 2012 at 1:10 AM, Alex Carver
> >> <agcarver+ale at acarver.net>wrote:
> >>
> >> > Hi everyone,
> >> >
> >> > Got a "plan ahead" question for you.  I've got a handful of
> >> > firmware-based devices that are IPv4-only never to be made IPv6 capable
> >> > (PLCs, some print servers, data loggers, etc.)
> >
> >> This may not affect you, and just an FYI, but...you mention AT&T later,
> >> so be aware that at least with U-Verse, they have said that LANs (on uVerse)
> >> can no longer use the 10.0.0.0/8 addresses.  There is rumor that this is
> >> due to AT&T moving to a corporate wide NAT where their whole network is
> >> going to be behind a NAT, and that your AT&T modem/router is going to be
> >> given a 10.*.*.* address in that space.   This is supposed to happen
> >> 6-Jul.
> >
> > I saw one message about that a couple of months ago, with no confirmation
> > and which others are saying that AT&T people are denying.  What you are
> > talking about is CGNAT (which I referred to in my previous message) or
> > NAT444 and they are NOT supposed to use 10./8 for that!  There is an IETF
> > RFC specified block of addresses for Carrier Grade NAT (CGNAT).
> >
> >> The other rumor is that you can have an externally visible IP4 IP for an
> >> additional $15/mo.  I don't know how this works with existing static IP
> >> users, and personally I've subscribed to a third party VPN provider through
> >> which I can forward ports back to my machine so I can have an externally
> >> visible machine, since I do run services that I need to get to from outside
> >> AT&T's network.
> >
> > Be aware that not all VPNs will work through CGNAT.  IPSec NAT-T will.
> > OpenVPN will.  Cisco AnyConnect / OpenConnect will.  VPNC will.  Most
> > SSL / DTLS ones will.  Other proprietary ones are a crap shoot.
> >
> >> So, now we wait.  I'm not a network guy, so I assume there's a way to
> >> segregate your LAN from theirs even if they do this, but people here
> >> smarter than I can debate the feasibility and wisdom of doing so =)
> >
> > Regards,
> > Mike
> > --
> > Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> >

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
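Mike's distinction above between bare ESP/AH and NAT-T, as an added example that is not from this thread: a small classifier over constructed IPv4 packets that tells IP protocol 50/51 from UDP-encapsulated ESP, IKE and keepalives on port 4500 (the RFC 3948 layout) and reports whether the message expects each to cross a NAT. The function names, the constructed packets and the documentation addresses are my own assumptions.

```python
import socket
import struct

# Protocol numbers and ports from the specs: AH/ESP are IP protocols 51/50 (RFC 4302/4303);
# NAT-T wraps ESP and IKE in UDP port 4500 (RFC 3948).
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE on port 4500 starts with this so it is not read as ESP

def classify_ipsec(packet):
    """Return (kind, crosses_nat) for a raw IPv4 packet; kind is 'esp', 'ah', 'udp-esp',
    'udp-ike', 'nat-keepalive' or 'other'.  crosses_nat follows the message above: most NATs
    refuse or single-tunnel-limit bare protocol 50/51, while ESP-in-UDP is just UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                # header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_ESP:
        return "esp", False
    if proto == PROTO_AH:
        return "ah", False
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if NAT_T_PORT in (sport, dport):
            if data == b"\xff":                 # NAT keepalive: a single 0xFF byte
                return "nat-keepalive", True
            if data[:4] == NON_ESP_MARKER:      # IKE behind the non-ESP marker
                return "udp-ike", True
            if len(data) >= 8:                  # ESP: non-zero SPI + sequence number
                return "udp-esp", True
    return "other", None                        # not IPsec traffic; no verdict

def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed test data: minimal IPv4 header (no options, checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_udp(sport, dport, data):
    """Constructed test data: UDP header (checksum left 0) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

if __name__ == "__main__":
    esp_hdr = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01"    # SPI 0x1234, sequence 1
    for name, pkt in [("raw ESP", build_ipv4(PROTO_ESP, esp_hdr + b"\x00" * 16)),
                      ("ESP-in-UDP", build_ipv4(PROTO_UDP, build_udp(4500, 4500, esp_hdr + b"\x00" * 16))),
                      ("keepalive", build_ipv4(PROTO_UDP, build_udp(4500, 4500, b"\xff")))]:
        print(f"{name:11s} -> {classify_ipsec(pkt)}")
```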