March 20 2012
In today's blog entry, I describe this month's Deadwood update, as well as
discuss why IPv6 should have NAT66 support.
When looking at the source code of DwCompress.c, I discovered that input
validation was not always done. I have updated DwCompress.c to have more
input validation.
It can be downloaded here:
I plan to work on MaraDNS/Deadwood again one day next month, after the 20th,
unless a critical security bug is found.
NAT66 will be needed
There is a religious belief among some proponents of IPv6 (a proposed
method of increasing the network numbers the internet has, which we will
undoubtedly make standard during the 2010s because we're running out of
numbers in the current internet) that NAT--the
process of converting a single routable IP like 22.214.171.124 into
multiple local private IPs like 192.168.1.196--should never be done.
Indeed, the expansion of IPs that IPv6 gives us removes one reason to
have NAT. But people who dismiss NAT as being "evil" ignore some of
the other benefits of NAT:
- NAT causes a network to have a built-in firewall. Yes, it is
possible to have a firewall without NAT. However, NAT's natural
default configuration is one where computers on an internal
network are invisible from the big bad internet.
- NAT hides the network topology from external attackers.
- NAT allows one to add as many IPs as needed to one's internal network
without needing to get IPs from one's ISP. Anti-NAT fanatics claim
that ISPs will always give customers a generous number of IPs
(keep in mind that a /96 in IPv6 is as big as all of today's
internet; IPv6 is huge); these
claims ignore the fact that, without NAT, you can only have a large
internal network if your ISP lets you. Indeed, low-cost hosting
providers with IPv6 today sometimes only give their customers 16 IPv6 IPs.
- NAT allows one to change ISPs or use multiple ISPs at the same time
without needing to revise the numbering of their internal network.
Changing IPs on even a small network is non-trivial; I had to spend
a good part of Sunday afternoon revising my home network to use a
/16 (65,000 IPs) instead of a /24 (256 IPs), and this network only has
a handful of computers on it. (Since you asked: I use a lot of virtual
machines for my work and it's logistically simpler to give each computer
their own /24 than to split up a single /24).
I am not ignoring the disadvantages of NAT: It makes peer-to-peer
applications, such as Skype, harder to implement. However, implementing
peer-to-peer through NAT is a solved problem, and making services
on an internal network available to the external internet is trivial
with most NAT firewalls.
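To make the properties listed above concrete, here is an added example (not code from this post, nor from MaraDNS/Deadwood): a toy NAT66 address-and-port translation table in Python. It shows the outside seeing one address for several internal hosts, a reply being steered back to the host that started the flow, an unsolicited inbound packet being dropped because no state exists for it, and an ISP change that swaps the external address while the internal numbering stays untouched. All addresses are constructed: 2001:db8::/32 is the IPv6 documentation prefix and fd00::/64 is a unique-local (ULA) prefix; the class and function names are my own.

```python
"""Toy NAT66 (address + port translation) table, written to illustrate the
NAT properties discussed above. Added example; not code from the post or
from MaraDNS/Deadwood. Addresses are constructed: 2001:db8::/32 is the
IPv6 documentation prefix and fd00::/64 is a ULA prefix."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Nat66:
    external_ip: str          # the single routable address the ISP gave us
    internal_net: str         # e.g. "fd00::/64"; never seen by the outside
    next_port: int = 40000    # next free external port to hand out
    # (internal ip, internal port, remote ip, remote port) -> external port
    outbound: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # (external port, remote ip, remote port) -> (internal ip, internal port)
    inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self._net = ipaddress.ip_network(self.internal_net)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so it leaves with the external
        address. The first packet of a flow creates state; later packets of
        the same flow reuse it, so replies can be mapped back."""
        if ipaddress.ip_address(pkt.src) not in self._net:
            raise ValueError(f"{pkt.src} is not on the internal network")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.outbound[key] = ext_port
            self.inbound[(ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet from the outside back to the internal host, or return
        None when no internal host started the flow. That None is the
        'built-in firewall': unsolicited traffic has nowhere to go."""
        if pkt.dst != self.external_ip:
            return None
        target = self.inbound.get((pkt.dport, pkt.src, pkt.sport))
        if target is None:
            return None
        int_ip, int_port = target
        return Packet(pkt.src, pkt.sport, int_ip, int_port)

    def change_isp(self, new_external_ip: str) -> None:
        """A new ISP means a new external address; the internal numbering is
        untouched. In-flight flows are lost, as with a real cut-over."""
        self.external_ip = new_external_ip
        self.outbound.clear()
        self.inbound.clear()


def demo() -> dict:
    """Walk through the properties; returns the resulting packets."""
    nat = Nat66("2001:db8::1", "fd00::/64")
    remote = "2001:db8:ffff::53"
    # Two internal hosts using the same source port towards the same server:
    # the outside sees one address and two ports, and learns nothing about
    # how many hosts sit behind it (topology hiding).
    a = nat.translate_outbound(Packet("fd00::10", 5000, remote, 53))
    b = nat.translate_outbound(Packet("fd00::11", 5000, remote, 53))
    # The server's reply to the first flow is steered back to fd00::10.
    reply = nat.translate_inbound(Packet(remote, 53, "2001:db8::1", a.sport))
    # A packet to a port nobody opened from inside is dropped.
    probe = nat.translate_inbound(Packet(remote, 53, "2001:db8::1", 40002))
    # A new ISP: new external address, same internal prefix and hosts.
    nat.change_isp("2001:db8:2::1")
    c = nat.translate_outbound(Packet("fd00::10", 5000, remote, 53))
    return {"a": a, "b": b, "reply": reply, "probe": probe, "after_isp_change": c}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

The table is keyed on the full 4-tuple, so a reply is only accepted from the exact remote address and port the internal host talked to; a real NAT may use looser matching (endpoint-independent mapping) to make peer-to-peer hole punching work, which is the trade-off the "peer-to-peer is harder" point above refers to.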
LWN recently had an interesting discussion about IPv6
(NAT44, for the record, is the technology used in most of today's internet,
allowing a single IPv4 IP to represent a number of internal machines on a
network. I remember when NAT44 was called "IP masquerade". NAT66 is the
technology to allow a small pool of IPv6 IPs to represent a large number
of internal machines on a network. NAT64 and NAT46 are something else
To post a comment about an entry, send me an email and I may or may
not post your comment (with or without editing)