[olug] Ipv6 help/pointers

Lou Duchez lou at paprikash.com
Thu Jul 25 00:27:15 UTC 2013

On 7/24/2013 5:50 PM, Obi-Wan wrote:
> On 07/24/2013 04:27 PM, Lou Duchez wrote:
>> IPv6:
>> your ISP won't be providing an IP address so much as a 64-bit network 
>> space
>> router will not perform NAT -- 128-bit addresses contain enough 
>> information to be routable on both the private and public sides
>> router will still perform most of its usual functions -- gateway, 
>> firewall, etc -- it just won't need NAT to perform them
> So does this mean that IPv6 CAN'T do NAT, even if you wanted to for 
> security obfuscation?  I'd really rather the rest of the world not 
> know anything about the internals of my home network.
As far as I know, IPv6 simply does not allow for NAT.  I can even 
"prove" it with Linux documentation:


There are "filter" and "mangle" tables like in iptables, but not "nat"; 
and the "masquerade" target no longer exists.

I know what you mean about security concerns; I was pretty comfortable 
with the idea that it is physically impossible for traffic to get routed 
to some of the machines on my LAN.  Now it's not physically impossible, 
I just have to create a rule to prevent it ... that is a little less 

I also get the feeling, but I can't prove it, that ISPs are going to be 
dishing out static IPs (or rather static /64s) to all customers, rather 
than have a DHCP pool.  Since NAT will no longer be happening, just 
imagine the chaos if restarting your router meant getting a new /64: 
every device on your LAN would need to pick up that new /64, and you 
wouldn't be able to give your network printer a static IP any longer.  
(Actually you could -- there are classes of unroutable IPs -- but I'm 
guessing they're not going to be the typical solution.)

And you know what else you won't be able to do?  Set up a network with 
two disparate gateways.

All of which makes me think that some form of NAT will eventually get 
built into IPv6.

More information about the OLUG mailing list