IPV4 and 6 addresses are available for use.

any V4 address assigned to us may have been used elsewhere and is, thus, a potential security risk

Recycled IPv4 addresses which are actually working for you aren't particularly higher risk than archaic original-issue addresses from a security point of view; that's controlled primarily by the quality of the endpoint software, not by mere reputation. Meanwhile, you can't get new IPv4 subnets from the regional internet registries, so your only effective source of additional IP space is to pay for a transfer from someone else. The transferred subnet was probably previously in use, and thus may be on blacklists for e-mail spamming or have blackhole routes at backbone ISPs. It might also have previously housed attractive-nuisance services such as banking or betting which are still being frequently DDoSed due to miscreant inertia. This could take time and effort to clean up.

Since IPv4 address space is generally exhausted worldwide, most ISPs are moving to "carrier grade NAT", where clients share global-scope IPs at an upstream NAT. The internet reputation of such a middlebox is going to trend downward to that of the most infected / badly behaved client behind it, which is invariably going to be a botnet zombie. This may incur collateral damage to protocols used by perfectly well-behaved clients that also share the CGN gateway.

We're in the dual-internet interregnum, where not all clients can talk to all servers, until the v6 transition is completed about 15 years from now. v6 is over 50% of LTE4 cell data traffic in the US, over 40% of Belgium's backbone traffic, tends to perform better than v4 for mobile devices, etc.

The usual problem is a v6-only client (say, an LTE4 cellphone) trying to reach a v4-only service (say, a typical corporate web site). This requires 6->4 translation, for which this week the preferred mechanism seems to be "464xlat". The client gets two v6 /64 prefixes, v6-only transport, and a private v4 address which is tunneled over the secondary prefix to a carrier-grade DNS64/NAT64 middlebox.

possible to NAT the private address range to a carrier provided V6 public address

The opposite problem of a v4-only client trying to reach a v6-only server is usually moot; usually you dual-stack the client instead, and there aren't many v6-only services yet, though that will change. In addition to all of the usual NAT problems, NAT-PT doesn't work at ISP scale due to the impossibility of getting the DNS46 TTL values right. The IETF demoted RFC-2766 NAT-PT for v4-to-v6 translation to historic status, meaning it's not recommended for use on the general internet, in RFC-4966.
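As an added example (not code from the original post), here is the RFC 6052 address mapping that DNS64/NAT64 deployments use to embed a v4 address inside the NAT64 prefix, covering the well-known 64:ff9b::/96 prefix as well as the shorter network-specific prefix lengths; the flow records, the 2001:db8 prefixes and the blocklist are constructed. Recovering the embedded v4 address lets an operator on the v6-only side of the translator keep applying the v4 reputation and blocklist data discussed above, and the re-embed check rejects addresses with junk in the reserved "u" octet or suffix bits.

```python
import ipaddress

# RFC 6052 permits NAT64 prefix lengths of 32, 40, 48, 56, 64 or 96 bits.
# The IPv4 octets follow the prefix, skipping byte 8 (bits 64-71, the "u"
# octet, which must be zero) whenever the prefix is shorter than 64 bits.
VALID_PREFIX_LENS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"  # RFC 6052 well-known prefix


def _v4_octet_positions(net: ipaddress.IPv6Network) -> list:
    """Byte offsets in the 16-byte IPv6 address that carry the IPv4 octets."""
    if net.prefixlen not in VALID_PREFIX_LENS:
        raise ValueError(f"NAT64 prefix length must be one of {VALID_PREFIX_LENS}")
    return [i for i in range(net.prefixlen // 8, 16) if i != 8][:4]


def embed_ipv4(prefix: str, v4: str) -> str:
    """Synthesize the AAAA record DNS64 would hand a v6-only client for v4."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)  # prefix bits, rest zero
    for pos, octet in zip(_v4_octet_positions(net), ipaddress.IPv4Address(v4).packed):
        out[pos] = octet
    return str(ipaddress.IPv6Address(bytes(out)))


def extract_ipv4(prefix: str, v6: str):
    """Recover the embedded IPv4 address, or None when v6 is not a well-formed
    synthesized address under prefix (not an IPv6 literal, outside the prefix,
    non-zero "u" octet, or non-zero suffix bits)."""
    net = ipaddress.IPv6Network(prefix)
    try:
        addr = ipaddress.IPv6Address(v6)
    except ValueError:
        return None  # e.g. a native v4 entry in the same log
    if addr not in net:
        return None
    raw = addr.packed
    v4 = str(ipaddress.IPv4Address(bytes(raw[i] for i in _v4_octet_positions(net))))
    # Re-embedding must reproduce the input exactly; anything else is malformed.
    return v4 if ipaddress.IPv6Address(embed_ipv4(prefix, v4)) == addr else None


# Constructed sample: destination addresses from flow logs taken on the
# v6-only side of a NAT64, plus a v4 blocklist the operator already keeps.
SAMPLE_FLOWS = ["64:ff9b::c633:6401", "2001:db8::1", "64:ff9b::c000:201", "203.0.113.5"]
SAMPLE_BLOCKLIST = {"198.51.100.1"}


def flag_blocklisted(flows, blocklist, prefix=WELL_KNOWN_PREFIX) -> list:
    """Synthesized destinations whose embedded IPv4 address is on the v4 blocklist."""
    hits = []
    for dst in flows:
        v4 = extract_ipv4(prefix, dst)
        if v4 is not None and v4 in blocklist:
            hits.append(dst)
    return hits
```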