Those above who have questions about IPv6 and IPv4 and NATing.
Right now there is heated debate by those who designed IPv6 on creating some sort of IPv4 to IPv6 (and back again) bridging technology / 1:N NATing. The original design theory for IPv6 was a quick all at once cut over with almost zero backwards compatibility forseen. An older IPv4 system can not directly address a IPv6 system, and an IPv6 system can not directly address an IPv4 system. That is why everyone's running dual stack with both IPv6 and IPv4 at the same time. Windows vista + installs the IPv6 stack by default just for this reason. No matter how great IPv6 seems, the fact that a system must run IPv4 in order to talk to 95% of the current world means it'll never go away. 64-bit computing has been around for decades, MS started building 64-bit Windows back in 2003 with XP and Server 2003, yet applications are still being compiled as 32 bit x86. Thankfully 64-bit CPU's and 64-bit OS's can execute 32 bit programs just fine, so there is no barrier to a gradual adoption.
IPv6 in its current state will never be adopted globally, its just too rigid on its requirements. It assumes a perfect world scenario and thus becomes an ideological standard instead of a real one.
Current IPv6 has no method to hide internal IP's from external devices. The designers deliberately designed it such that it would be impossible to do that. They envisioned the entire internet as a huge cloud of interconnected nodes all being capable of talking directly to each other. The node in London England wanting to send a packet to the node in San Francisco can do so directly. The gaming console in France can send packets directly to the mobile phone in Mexico. Protocols wouldn't have to worry about masquerading or other packet magic going on because IPv6 states routers won't alter packets to hide identities. But at the same time, that guy in China can send packets directly to your PC in Dallas, the guy in Iraq can send packets directly to a banks system in New York. IPv6 relies entirely on expensive stateful packet inspection on firewalls for security. There is no "private" non-routable address space in IPv6 like there is in IPv4. Every address is unique and may be routed over the global infrastructure. Its idealic but relies on humans being nice to each other.
With IPv4 NATing you have three address's involved. One is the outside service / system using a global routable address. Another is the WAN interface on a NAT router that is using a global routable address provided by its ISP, the final is the private non-routable LAN address of the PC being used. It is completely impossible for the first system to see the third system. The first system can not send a packet to "192.168.1.1", the packet would get dumped by the global internet backbone if not earlier. Instead the first system is forced to address the WAN interface of the router without any knowledge of where this packet is going. The router then inspects the packet and looks its up on a "safe list" (aka port forwarding or the internal DNAT list) to determine what to do with it. If there is an entry relevant to the packet, the router does masquerading by swapping out the routers WAN address with the private systems LAN address and sends it on. Private LAN systems can send packets out all day long and usually unrestricted (unless the administrator wants to put restrictions), the router will automatically swap out the private LAN's address for the routers WAN address and send it on. This way every packet looks to be coming from the router's WAN interface with no way to distinguish whats inside. This presents a security layer by default because no unauthorized external system can send packets to the internal LAN client. They'll simply hit the WAN interface on the router and get dropped (usually without a reply).
Now this scenario presents some serious problems for some protocols that assume perfect two-way communication. First being that there is no way for them to broadcast to or otherwise "scan" the internal network to determine client type or initiate connections with an internal LAN system. The internal LAN system must initiate the connection to get the entry on the routers DNAT list. The work-around is the router can be configured with a port-forwarding and SNAT. Port forwarding is nothing more then a rule that sates all packets that pass firewall inspection on a specific WAN interface within a specific port range will automatically be allowed to pass to a specific internal LAN system. Such you could say all packets on port 80 should be automatically forwarded to the internal web server and what not. This requires the internal systems be static IP'd (not DHCP) and a hole be specifically opened for them. Easy to do for the administrator, annoying for hill-billy bob and grandma. Also many file-sharing protocols use random ports, so its often impossible to create a port-forwarding rule, this is the price you pay for having NAT available or using such a sloppy protocol.
SNAT is another method you can use, its like port-forwarding on steroids. Its defining a one to one translation instead of a global port allow. You specify the global IP address and port-range on the external interface then specify the internal IP address and port-range. Any packets from the global source IP and port will automatically be NAT'd to the internal IP / port. If both sides do this you have a transparent connection usually without problems. Again with random external clients and ports this is impossible to setup because everything is DHCP and random. This isn't a problem with the network as it is with protocols being designed in a vacuum.
IPv6 makes the above problems go away because anyone can send to anyone else without having to worry about FW's rejecting your packet because it doesn't recognize the connection. It also allows very bad people to do very bad things. I could stand right outside your ISP with IPv6 and do passive scans to create an entire network layout of not just the ISP, but of every single house, every single client, router, phone and gaming console connected. I could then craft my attack strategy to target specific systems, or I could just flood your mail with spam and marketing info because I now know what your using. Or if I'm the ISP I could tally up the devices and charge based on what you have connected. 1x router 9.99, 2x game consoles 5.99 each, three phones 8.99 each, there PC's 29.99 each (discountable to 19.99 for family plan).
Because of these issues IPv6 in its current state will ~never~ become adapted at the business level. If it became forced onto the general populace some coder somewhere will come up with a NAT scheme to overcome this. NAT wasn't designed into IPv4, it was invented later on, same will happen to IPv6 unless they design it into it first. It would be extremely easy to design a IPv6 NAT system by which the router swaps out the unique host ID (usually part of the MAC) with its own external WAN host ID and sends the packet on its merry way. This solution would solve the biggest problem which is getting people to migrate to IPv6 while also assuaging the concerns of corporations and knowledgeable home owners.
You ~could~ attempt to use link-local address's but those are only good between internet systems on the same subnet, and if those systems want to talk to anything external they'll have to use their global unique address, which defeats the entire purpose of link-local address's. Also link-local address's can not be routed across various subnets, at least not in current IPv6 standards. This means a corporations with large internal backbones must use global unique address's on all their systems (they have that anyway because everyone needs to talk to the internet). It really becomes a headache when your trying to protect your internal networks from outside threats.
Facebook
Twitter