On 2/3/25 15:14, Amos Rosenboim via NANOG wrote:
> Even with IPv6, many of the operators I know of do not allow internet
> initiated traffic towards their subscribers.
Address translation is not required for this function. A stateless ACL
can do a lot to limit it especially combined with assigning IPv6
addresses that are not easily guessed or otherwise probed (i.e. use all
of that entropy in the least significant 64-bits of the address to your
advantage).
If you must fully inhibit all unsolicited inbound traffic including that
which could, upon stateless inspection, be part of a valid flow, a
stateful filter at the appropriate point can accomplish this again
without address translation. I don't know if any major mobile networks
actually do this on IPv6. I can't imagine it's really necessary on IPv6.
Of course, address (and port) translation is a fact of life on consumer
access networks for IPv4, these days. There are ways to make much of
the stateful part live in places where failure will result in limited
damage, and I'm fond of using them where possible.
I really don't see a compelling argument for NPTv6 based on what you've
described, and all the usual arguments against it still apply.
> avoiding unnecessary paging in the network.
While a laudable goal, is this really THAT big of a deal these days?
I'd wager the legitimate non-interactive traffic on a typical consumer
mobile device (social media, instant messaging services, etc.) probably
causes plenty of "paging" anyway and likely quite a bit more than you'd
get from unsolicited traffic on a high-entropy IPv6 address with
absolutely zero filtering. I was of the impression that modern
LTE/5G-NR networks had lots of mitigations for the handset-side power
implications of this, too.
--
Brandon Martin
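Brandon's stateless-ACL-versus-stateful-filter point, worked through as an added example (not from the thread or any operator's config): a header-only ACL protecting a subscriber prefix with no NAT, beside a stateful filter that only admits flows the subscriber opened. The prefix, the high-entropy subscriber address, the remote hosts and the packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed values for this example: a subscriber /48 and two remote hosts.
SUBSCRIBER_PREFIX = ipaddress.ip_network("2001:db8:1000::/48")
SUB = "2001:db8:1000:1:a1b2:c3d4:e5f6:789"   # high-entropy IID, as the post suggests
SERVER, SCANNER = "2001:db8:ffff::80", "2001:db8:ffff::66"
ICMPV6_ERRORS = (1, 2, 3, 4)   # incl. Packet Too Big: must pass or PMTUD breaks

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    icmp_type: int = 0

def stateless_permit(p: Pkt) -> bool:
    """Stateless ACL at the subscriber edge: headers only, no NAT, no flow table.
    Drops bare inbound SYNs and inbound UDP; passes anything that could be a reply."""
    if ipaddress.ip_address(p.dst) not in SUBSCRIBER_PREFIX:
        return True                         # not towards a subscriber: out of scope
    if p.proto == "icmpv6":
        return p.icmp_type in ICMPV6_ERRORS
    return p.proto == "tcp" and p.ack       # ACK set: cannot be a new connection attempt

class StatefulFilter:
    """Stateful filter: inbound permitted only for flows the subscriber opened."""
    def __init__(self) -> None:
        self.flows = set()
    def outbound(self, p: Pkt) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
    def permit(self, p: Pkt) -> bool:
        if ipaddress.ip_address(p.dst) not in SUBSCRIBER_PREFIX:
            return True
        if p.proto == "icmpv6":
            return p.icmp_type in ICMPV6_ERRORS
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows

def run_demo() -> dict:
    """Returns {case: (stateless verdict, stateful verdict)} for constructed packets."""
    sf = StatefulFilter()
    sf.outbound(Pkt(SUB, SERVER, "tcp", 51000, 443, syn=True))   # subscriber opens HTTPS
    cases = {
        "syn_ack_reply": Pkt(SERVER, SUB, "tcp", 443, 51000, syn=True, ack=True),
        "unsolicited_syn": Pkt(SCANNER, SUB, "tcp", 40000, 22, syn=True),
        "ack_only_probe": Pkt(SCANNER, SUB, "tcp", 40000, 22, ack=True),
        "packet_too_big": Pkt(SERVER, SUB, "icmpv6", icmp_type=2),
    }
    return {name: (stateless_permit(p), sf.permit(p)) for name, p in cases.items()}
```

The "ack_only_probe" row is the case the post describes: it could, on stateless inspection, be part of a valid flow, so only the stateful filter drops it, and neither filter needed address translation to get there.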