Forgot your password?
typodupeerror
The Internet Networking Stats Windows IT Technology

Sale of IPv4 Addresses Hindering IPv6 Adoption 214

Posted by Soulskill
from the can-we-blame-al-gore-for-this dept.
hal9000(jr) writes "While IPv6 day was a successful marketing campaign, is anyone really moving to IPv6? On World Launch Day, Arbor Networks noted a peak of only .2% of IPv6 network traffic. It appears that IPv4 addresses are still valuable and are driving hosting acquisitions. Windows 8 will actually prefer IPv6 over IPv4. If you want IPv6, here's what to do about it."
This discussion has been archived. No new comments can be posted.

Sale of IPv4 Addresses Hindering IPv6 Adoption

Comments Filter:
  • No need (Score:4, Interesting)

    by _Sharp'r_ (649297) <sharper AT booksunderreview DOT com> on Wednesday July 18, 2012 @04:03PM (#40689743) Homepage Journal

    From the article:
    "Transitioning to IPv6 will take much, much longer than anyone expects, mostly because there is no clear reason to move to IPv6 anytime soon."

    Not everything works with IPv6 yet. Most stuff does, but most organizations still have some stuff that doesn't quite yet. It'd be great if it was all just transparent, but it's now.

    • I'm mostly wondering what to do about my iptables in linux. I have this vague feeling that some day I will be assigned an IPv6 address by my ISP and suddenly I won't be allowed into half my servers. I'm also wondering how to reconfigure my firewall to use IPv6 internally.
      • by lindi (634828)

        You probably already have a link-level ipv6 address. If your ADSL modem is in bridged mode you have probably already exposed some services to your ISP :)

        • I'm not pretending to be any expert here, but I'm not using DSL and thus don't have an ADSL modem. I do see that my ubuntu workstation's eth0 interface has an IPV6 address assigned and I suspect that you are suggesting my services are exposed to requests via IPV6 because I have not explicitly blocked/managed them using iptables. This is rather alarming! Got any useful links?
      • Re:No need (Score:5, Informative)

        by LilBlackKittie (179799) on Wednesday July 18, 2012 @04:21PM (#40689975) Homepage

        ip6tables is a doddle to use, and assuming you have a new enough kernel pretty much all you'll need will be a variation upon:

        ip6tables -A FORWARD -i lo -j ACCEPT
        ip6tables -A FORWARD -i $lan_if -o $upstream_if -j ACCEPT
        ip6tables -A FORWRRD -i $upstream_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
        ip6tables -P FORWARD DROP
        sysctl net.ipv6.conf.all.forwarding=1

        (NB: you probably want more than that, but assuming your $lan_if and $upstream_if have appropriate IPv6 subnets on, and everything is routing correctly, then you get "the same behaviour you used to" when you had your IPv4 NAT... only now you have "real" end-to-end connectivity)

        • I appreciate this. Given my relatively modest iptables skills, i'm don't entirely understand everything you've said but it does make some sense. I'd greatly appreciate a slightly more basic introduction if anybody knows one.
          • Re:No need (Score:4, Informative)

            by darkonc (47285) <stephen_samuelNO@SPAMbcgreen.com> on Wednesday July 18, 2012 @06:15PM (#40691371) Homepage Journal
            It's pretty easy to explain to anybody with even a minial understanding of iptables:

            -i X means 'if the packet is inbound on interface X'
            -o Y means 'if the packet will be forwarded (outbound) on interface Y
            $lan_if and $upstrea_if are variables to which you've assigned the proper names for the interfaces conected to the LAN side and the Internet side (respectively)

            # accept anything originating at localhost (this machine/router)
            ip6tables -A FORWARD -i lo -j ACCEPT
            # Allow outbound connections to be initiated by machines on the inside net.
            ip6tables -A FORWARD -i $lan_if -o $upstream_if -j ACCEPT
            # allow packets associated with aformentioned connections to come back in.
            ip6tables -A FORWRRD -i $upstream_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
            # Drop anything else.
            ip6tables -P FORWARD DROP
            # Turn on packet forwarding of IP6 packets between interfaces. (off by default)
            sysctl net.ipv6.conf.all.forwarding=1

            This effectively gives you the same protections as an IP4 NAT setup -- but with none of the disadvantages. -- Like the fact that each machine on the inside gets it's own (external) IP address. This means that if you want you can give machines on the inside the ability to be servers (acccept inbound conections to the machine and port) without the NAT thing of also having to assign each machine an inbound (non-standard) port number.

            • by Anrego (830717) *

              This means that if you want you can give machines on the inside the ability to be servers (acccept inbound conections to the machine and port) without the NAT thing of also having to assign each machine an inbound (non-standard) port number.

              It also means if you screw up.. your box is open to the net.

              NAT acted as a pseudo-firewall because you had to explicitly forward to your box .. rather than the IPv6 approach of having to explicitly block.

              • Re: (Score:3, Informative)

                by amorsen (7485)

                NAT acted as a pseudo-firewall because you had to explicitly forward to your box .. rather than the IPv6 approach of having to explicitly block.

                This only works if the attacker cannot send packets to the internal addresses, which is a dangerous assumption. I have seen several firewalls where only NAT was keeping them from being fully open. Standard security scans won't show anything wrong, but any attacker who can get onto the outside network has complete access to the inside. Suddenly your outside modem and/or router become your security perimeter, and they often fail miserably at that task.

                • by Anrego (830717) *

                  I guess, but the same people who don't firewall at the box level are the same who arn't going to set up their gateway/firewall properly with IPv6.

                  I don't trust my cheap d-link router, but I like that if I screw up my shorewall config (I'm not cool enough for iptables direct) .. traffic probably isn't getting out of my network segment.

        • by Zaelath (2588189)

          Yeah, ok. Now show me allowing a particular trusted subnet.

          And why do I want "end to end connectivity"?

          I still think the problem w/ IPv6 is it has moved addresses from "recognisable with repetition" length to "incomprehensible" length.

          It's like that change to the 999 number in the IT Crowd:

          TV Advert Narrator: [Voicing an Emergency Services advert] Has this ever happened to you? :[The old woman on the advert twists her ankle and falls down stairs, gets up and falls down second flight of stairs before picking

          • by jroysdon (201893) on Thursday July 19, 2012 @12:35AM (#40694133) Homepage

            IP addresses were never meant to be used by the masses - and guess what, the masses don't use them.

            Memorizing IPv6 addresses is a snap. First you learn you prefix (mine is something like 2600:103:b00[0-f]::), and then you have network blocks inside that. Yes, it's longer, but it's also globally unique.

            Here's a "wasteful" but useful trick - imbed your VLAN IDs and IPv4 addresses inside your IPv6 addresses and then there is really nothing new to learn beyond your prefix.

            Example: 2600:103:b001:53:10:250:250:1
            2600:103:b001 is a prefix we use for DMZs. 53 is the VLAN number of our nameserver DMZ. You can probably guess what 10:250:53:1 is and what the corresponding IPv4 internal address is.

            Another example: 2600:103:b000:207:10:2:7:156
            2620:103:b000 is the prefix for one of our main sites. 207 is the VLAN (second floor, 7th VLAN on that floor, VLAN'd by department/use).

            So long as you use IPv6 logically, it's really not hard to remember and recognize.

            SLAAC/DHCP addresses should be registering in DNS (well, all of it should be). Use DNS for those semi-random hard to remember addresses. We have 100K+ electric meters with IPv6 addresses (small electric utility). I can look at the prefix and tell you if it is from our AMI NAN, WAN, LAN, or server networks, and what substation the meter is routing through. Natually I'll never memorize the SLAAC-based NIC portion of the meter address. DNS using the service point name is all I need.

            [jason@its5156 ~]$ traceroute6 -n ami-jjr.mid.org
            traceroute to ami-jjr.mid.org (fd7f:a4b6:4ee6:4:213:5001:0:6ac9), 30 hops max, 80 byte packets
              1 2600:103:b000:207::1 0.651 ms 0.618 ms 0.882 ms
              2 2600:103:b00f::1 2.085 ms 2.073 ms 2.487 ms
              3 fd69:f556:4dba:4:213:50ff:fe02:23cd 76.485 ms 115.080 ms 165.136 ms
              4 fd7f:a4b6:4ee6:4:213:5001:0:6ac9 2014.907 ms 2055.036 ms 2084.870 ms

            fd69:f556:4dba:4:: is a LAN address going to substation 4
            fd7f:a4b6:4ee6:4:: is a WAN address routed through substation 4's AP to my meter at my house.

          • by Compaqt (1758360)

            Help me out: Is this a joke, or real?

            http://www.01189998819991197253.co.uk/ [0118999881...7253.co.uk]

      • Re:No need (Score:5, Informative)

        by vlm (69642) on Wednesday July 18, 2012 @04:34PM (#40690105)

        I'm mostly wondering what to do about my iptables in linux.

        The good news is that ipv6 has been available on linux for I donno a decade or so, and ipv6 tunnels have been available, etc. The ipv6 land rush is very much like people in 1997 talking about that "brand new" internet thing, and just like the great ipv4 rollout its a good thing there's a decade or so of sound traffic engineering experience out there already for ipv6.

        1) I guess it depends a lot on your distro.
        2) Some terms to google for beyond the obvious are "ip6tables".
        3) nobody needs NAT on ipv6 which inherently provided stateful firewalling on ipv4. TCP is pretty easy, SYN packets only allowed in one interface...
        4) Personally I find it easiest to make two firewall scripts a ipv4 and a ipv6. If for no other reason than totally screwing up ipv6 will not mess up your ipv4 access and vice versa making it simpler to recover from mistakes.
        5) Good luck wrapping your head around the concept of "every host is a multihomed host" aka "link-local addresses". Please don't attempt to route LL out on the greater internet, mkay, they're for mdns / bonjour type stuff.
        6) Good luck with dynamic addresses and revdns. If you never used BIND's ORIGIN lines well you best learn how, and quickly.
        7) Please block all RH0 aka rt-type 0 packets they're the ipv6 evil bit
        8) Go to Hurricane Electric (they rock in general, BTW) and become a sage ipv6 dude. I found this quite easy when they initially rolled this out several years ago, maybe its harder now. You need to do this "course" to learn the ropes and glossary before you can learn to firewall or you'll turn all sorcerers apprentice.

        http://ipv6.he.net/certification/ [he.net]

        9) Once you know ipv6 you could do worse than to start at

        http://www.sixxs.net/wiki/IPv6_Firewalling [sixxs.net]

        SIXXS is kind of like a major cell phone company, in that everyone's opinion of them seems exclusively driven by their local sixxs pop or their local cellphone tower quality. So you'll get meaningless comments all over the map about how they rock or suck based on the little neighborhood the commenter lives in. That said if you live in range of the Chicago pop, it rocks, although it had some exciting momentary outages a couple years ago. I use them on a dynamic endpoint and HE's tunnelbroker on a static endpoint and I'm very happy with both... your mileage may vary...

        • Bless you, kind sir. I want so badly to be a good internet citizen and will do my best to spread the IPv6 gospel once I know a little more. Speaking of ipv6 land rush. How do I get me some ipv6 addresses?
          • by egamma (572162)
            IP6 addresses [he.net] I think they are free.
          • by vlm (69642)

            How do I get me some ipv6 addresses?

            That's kind of toward the end of my epic long post... to restate... what worked for me when I last set this up years ago. Both services are free.

            Your ipv4 addrs is static -> Go to hurricane electric aka tunnelbroker.net no hassle just works very quick mostly painless.

            Your ipv4 addrs changes every Fing time the cablemodem reboots, or so it seems -> Go to sixxs and they put you thru quite an amazing hassle to sign up but eventually you have perfect automatically re-connecting dynamic service.

            You can ju

    • by vlm (69642)

      Not everything works with IPv6 yet. Most stuff does, but most organizations still have some stuff that doesn't quite yet.

      That list is ridiculously short. Even my half decade old brother laser printer supports ipv6. The only barrier at this time in "my organization" is my openafs fileserver cluster doesn't support ipv6. Other than that...

      • Not everything works with IPv6 yet. Most stuff does, but most organizations still have some stuff that doesn't quite yet.

        That list is ridiculously short. Even my half decade old brother laser printer supports ipv6. The only barrier at this time in "my organization" is my openafs fileserver cluster doesn't support ipv6. Other than that...

        Unless you work in VoIP. Then then that list is "most of your non-commodity equipment and none of your carriers."

      • by _Sharp'r_ (649297)

        I work in a messaging/transmissions service that interfaces with pretty much the whole world, one way or another. We recently did a survey and ... 80% of the software products out there in actual use with our products didn't quite support IPv6 fully yet. Oh, most were coming "soon", or in the next release, or in the roadmap for X .... but not yet.

        Network level devices, routers, switches, firewalls, LBs, servers, storage, etc... have done a much better job of current revisions supporting IPv6. Now consider a

  • ipv6 is coming to a slashdot near you.. soon!

    • by sxpert (139117)
      seems like this one will take a while... all IPv4 from here, apart from google analytics
    • I guess the easiest way to "support" IPv6 is by name alone...

      ipv6.slashdot.org = 216.34.181.48

      No IPv6 AAAA record for ipv6.slashdot.org

  • by Anonymous Coward on Wednesday July 18, 2012 @04:05PM (#40689779)

    For sale, one barely used 127.0.0.1 ip address. $5000. First come first serve!

  • by sneakyimp (1161443) on Wednesday July 18, 2012 @04:06PM (#40689785)
    That last link doesn't have one spec of advice. It merely describes the problem again. FAIL.
  • by grumpyman (849537) on Wednesday July 18, 2012 @04:13PM (#40689871)
    As an individual user... why? This should be something that I shouldn't have to worry about and the change should be transparent.
    • There's profit in scarcity. Some ISPs may start offering IPv6 only to mobile devices while public IPs (both static and dynamic) will require either a premium or business account. That means that home users get double-NATed. That in of itself breaks all sorts of network functionality including VPN and hosting/sharing files from home. So yes, the scarcity of IPv4 might rear its ugly head that will bite both the consumer and corporate America in the ass.

    • It will be, if you have a reasonable router (AirPort is one, but not the only, example) and your ISP uses something like DHCPv6 with prefix delegation. One day your ISP will say "hey, here's a v6 subnet!" and your router will go "alright, you guys (your devices) go ahead and pick one from this range". And it'll just work. If you don't have a new enough router, this won't happen, but it shouldn't affect v4 connectivity.

      FWIW I've been running v6 at home for 5-6 years (through a tunnel), my university has it f

    • by Hatta (162192)

      The consumer had to worry about the transition from leaded gas to unleaded gas. The consumer had to worry about the transition from analog TV to digital TV. The consumer had to worry about the transition from 7 digit phone numbers to 10 digit phone numbers (where applicable). Why shouldn't the consumer have to worry about IPv6?

  • Until some new technology that everyone wants comes along and requires IPv6, no one will care about it. It makes no sense for businesses to pay thousands on larbor to reconfigure their entire network for IPv6, and see no beneficial gain. Not to mention a lot of legacy hardware still don't support IPv6, like network printers/copiers, camera systems, security systems, etc. It also complicates maters worse when you try to network across long distances.
    • Re:No one cares! (Score:4, Interesting)

      by mlts (1038732) * on Wednesday July 18, 2012 @04:28PM (#40690041)

      Businesses will switch when IPv4 addresses get so expensive that there is no other option, and the ugly hack on ugly hack to maximize the use for them gets to a point where it isn't worth doing.

      Call me crazy, but NAT, ugly as it is, may still be a useful tool. It isolates the internal fabric, so that regardless of what the external routers are talking to, packets get out. Does it improve security? NAT by itself doesn't, but that is what SPF, a good IDS/IPS, and proper segmenting is for.

      IPv6 has been around for a long time now. You can't buy an IPv4 only device pretty much, as almost anything that has Net capabilities has at least a dual stack.

      • by na1led (1030470)
        There are other tools besides NAT, like vlan's and vpn that can extend local networks.
      • by tftp (111690)

        You can't buy an IPv4 only device pretty much, as almost anything that has Net capabilities has at least a dual stack.

        IPv6 in LWIP [wikia.com] is still experimental. Every byte counts - I don't have a 1 GB DDR3 connected to a microcontroller. I may have only 64 kB of on-chip RAM for all the networking, on a good day. I already have to count TCBs and active connections. How do you suggest I add IPv6 support to existing and new devices?

    • Re:No one cares! (Score:4, Informative)

      by WaffleMonster (969671) on Wednesday July 18, 2012 @06:02PM (#40691229)

      Until some new technology that everyone wants comes along and requires IPv6, no one will care about it.

      The killer app for IPv6 is maintaining a global network of PEERS. It's what you or others don't have to worry about loosing which makes a transition more appealing than accepting status quo for eternity.

      Content extracts value by reaching everyone directly without having to worry about degregation through additional hops/congested CGNs.

      Service providers extract value by not having to operate expensive CGN.

      Governments and LEA extract value by not having to deal with multiple devices cloaked behind a CGN.

      Even partial deployment provides some value to all stakeholders.

      It makes no sense for businesses to pay thousands on larbor to reconfigure their entire network for IPv6, and see no beneficial gain.

      Nobody is suggesting they do. All they need to do is make their *external* presence accessible via IPv6. They can keep IPv4 internally forever for all anyone cares.

      Not to mention a lot of legacy hardware still don't support IPv6, like network printers/copiers, camera systems, security systems, etc.

      IPv4 is not going away anytime soon. IPv6 is being added. Noone is taking away your toys. You don't have to go out and buy new stuff.

      Even if the global IPv4 network went away IPv4 private networks would still be avaliable. You could still tunnel your IPv4 network over IPv6 with anyone you chose to have access to it.

      It also complicates maters worse when you try to network across long distances

      Having more globally unique addresses complicates matters? I won't pretend I understand how this complicates matters more than attempting to communicate with two peers both stuck behind CGNs.

      • by na1led (1030470)
        You failed to take into account all the software out there still relying on IPv4. When you already have remote access, and Vpn connections setup for clients, reconfiguring to IPv6 can complicate things. Some companies are still using legacy Black Berry phones with BES servers. Switching over to a new system can be a nightmare for IT people.
  • Lol (Score:5, Insightful)

    by Anrego (830717) * on Wednesday July 18, 2012 @04:22PM (#40689979)

    Each and every one of you reading this is a customer of service providers and equipment vendors. It's time to use your voice and demand an IPv6 migration strategy that you can plan on.

    On my walk in to work, there is this beautiful historic stone fence with cobblestone walk way for about a 2 block stretch... and demanding an IPv6 migration strategy I can plan on from it would likely be a better use of my time...

    The article does nail the obvious problem on the head... the fact that IPv6 offers no benefit anyone cares about (we've learned to work with nat and even come to love it) except a solution to a problem that hasn't actually hit yet. Thing is this is the easy part. We all _know_ why IPv6 isn't being adopted. The hard part is how do we change that.. and "call up your ISP" is a really silly answer.

  • Lots of people talk about IPv6 and how they are "ready" etc. But nobody I've seen gives exact instructions on how I would configure IPv6 for my SOHO setup. What equipment do I need? What configuration do I need to set exactly? And, after I do all of this, can I get to IPv4 places or am I in the 1% as they say?
    • by mactard (1223412)
      You need an ISP that is giving their customers IPv6 subnets (Comcast does, I'm not sure who else though), a newer router that supports IPv6 (everything that's current seems to) and Win7/WinVista/OS X post 10.1/Linux. It's zeroconfig from thereon out. I'm on IPv6 and it's been somewhat useful. I have a AAAA header on my domain so I can access my desktop without dyndns. It's really all about your ISP though.
  • Expensive IANA wants multiple thousands to allow us, as an ISP, to provide equivalent IPv6/48 address blocks to our customers match their IPv4 currently allocated blocks. It provides no incentive for us to give back IPv4 allocations after moving our customers to IPv6
    Lacking toolsI have not seen any transition tools to allow a quick and easy remapping from IPv4 to IPv6. The existing blocks and their descriptions (you do put descriptions on your blocks don't you?) should be detected and re-tailored for IPv6.
    • Unless you are an anal meta-administrator attempting to keep yourself employed, or a repressive government trying to keep your people firmly under your jackboot, everything should be done via stateless autoconfiguration.

      Personally, I know I will not miss having to set up tons of hardware that's too stupid to assign its own address correctly.

      • by Compaqt (1758360)

        Wait, is there something I'm missing here?

        Under DHCP, admins don't assign addresses to devices manually, the device asks for an address, and it gets one. Is that jackbooted?

        What is stateless autoconfig? A device asking every other device over the entire address range "do you exist" and can I take this number?

  • Prefer IPv6? (Score:5, Interesting)

    by WaffleMonster (969671) on Wednesday July 18, 2012 @05:21PM (#40690685)

    Vista and Windows 7 "prefer" IPv6 too... Heck even Windows XP with its crappy IPv6 stack turned on prefers IPv6.

    If you read the whole cnet article what has changed is network awareness sending an IPv6 only HTTP request periodically to a Microsoft server using this to judge if IPv6 connectivity is actually available.

    In other words the behavior of all windows 8 systems on the planet with regards to IPv6 usage is dictated by the availability by a single Microsoft URL. What could possibly go wrong with that? Is it not also wonderful MS having their system ping out to MS servers by default periodically without anyone knowing or providing a user choice to turn it off not involving registry hacks?

    With regards to IPv6 usage I just checked the interface stats on my gateway with an HE tunnel configured. Very interesting...IPv6 Internet traffic is a full 25% of overall Internet usage over the last 145 day period. This predates the June 6th IPv6 go live day by several months.

    IPv6 = 32GB
    IPv4 = 129GB

    ISPs are still dragging their feet lighting up IPv6.. I fear we will have to wait another two years before most large ISPs get their act together on full production deployment.

    The most interesting thing seems to be the "long tail" effect reflected in my actual usage.

    Given current environment where just a handful of megasites are responsible for the majority of all Internet traffic by volume huge changes in traffic patterns can tip the scales on IPv6 usage rapidly while the countless millions of other sites run by the rest take just as long to switch over as the IPv6 naysayers say it will.

  • The "here's what to do about it" teaser amounts to, "complain to your ISP." Thank you so much. If only we had thought of that.

    The article is useless.

  • We all know IP4 addresses don't identify a person. Will this change with IP6? With the "an IP address for every toaster" idea, will they still be dynamic enough for plausible deniability?

  • Give all the IP4 addresses away to China and other countries where botnets tend to originate most often, and make then NAT to get on the IP6 network the rest of us will live on when we don't own any of the IP4 space any more.

  • For mobile devices, the software is controlled by the carrier and the data path is controlled by the carrier, and the apps are controlled by the carrier or the handset maker. Mobile devices don't act as hosts. And all the growth in devices is in mobile. So why aren't they all on IPv6?

    If the carrier has to do an IPv6 to IPv4 translation, they can do that at their head end.

    • by pipedwho (1174327)

      Mobile devices don't act as hosts.

      A company I've worked with has a deployed fleet of over 50,000 embedded commercial vehicle monitoring units that all allow back connections (ie. act as hosts) to request immediate status updates and send messages to the driver. Unfortunately, the majority of carriers don't have IPv6, so we're forced to play all sorts of games to handle dynamic IP address changes. And even more annoyingly, most of the carriers dynamically assign 10.x.x.x addresses to the units, so we have to jump through even more routing ho

  • An Arbor Networks graph shows less than .2% of the traffic the company measured was IPv6. That's up from a peak of .04%, which occurred on the first Worldwide IPv6 Day in 2011; hardly a blip in a year.

    That's a 5-times increase in a year.

    If we pretend that we're business math students, then next year we'll see 1% -- then 5% in 2 years and 25% in 3 years -- which would be easily enough to trigger further network effects.

    It all breaks down in the 4th year with 125% of traffic, but I'll just take that to mean that the remaining IP4 traffic will be encapsulated in IP6 packets by then.

  • Sorry, my speciality is graphics + optimizations not networking. Question for the /. crowd ...

    If I have a ipv6 address how do I guarantee all my "old" ipv4 games work ?

    Is this a non-issue? I realize ipv6 doesn't have NAT, but are there any special configurations I need to do on the router if I switch my entire home network over to ipv6 ?

    Thanks.

  • My company is already using IPv6 addresses. All of our sites have public addresses... as well as all of our desktops. All of our users now use Facebook and Google over IPv6. So... nothing will help me adopt it. Already done.

    • >All of our sites have public addresses... as well as all of our desktops.

      (Not directed at you, but your adminstrator): How is this a good thing?

      If your company wants to make stuff available (whether to the public or to vendors), it should do so on specifically defined servers. What's the point of making every desktop a peer?

      That's sort of cool in a university environment, where you're there to learn, experiment, and play. But not in a corporate environment.

      • by laptop006 (37721)

        How is it a bad thing?

        You firewall it just the same, so the only change in traffic flow is the lack of NAT, and NAT is not security despite what some people will try and claim.

Get hold of portable property. -- Charles Dickens, "Great Expectations"

Working...