Yup, that's the summary of it -- the "one MAC presented to the UBR" thing happens as a result of routing, regardless of whether or not NAT is involved. My previous tcpdump output shows this happening.

---

@Dagger wrote:

Yup, that's the summary of it -- the "one MAC presented to the UBR" thing happens as a result of routing, regardless of whether or not NAT is involved. My previous tcpdump output shows this happening.

---

Dagger don't think your going to get away that easy as it was you with your fingers to your keyboard that you said this:

---

@Dagger wrote:

......NAT never touches MAC addresses at all.)

---

 http://community.virginmedia.com/t5/Fibre-optic-broadband-cable/IPv6-support-on-Virgin-media/m-p/108...

Indeed I did. I don't see how "it happens as a result of routing" and "it doesn't happen as a result of NAT" conflict in any way. NAT is an additional step on top of routing, not a replacement for it.

NAT is a packaged deal for changing local IP's from LAN to WAN and changing the MAC for the WAN out. It happens because of NAT therefore NAT changes MAC regardless.

having all your ipv6 addresses public with no router is a really bad idea.

you would be forced to put all your devices online if you wanted them to have a ip address.

No router means no ipv6 address unless its passed from the isp.

Think of all the devices you might have on your network that can't or dont have good security.

Every games console. phone, ip cam, smart tv and every ipod/iphone thats jailbroken with the same root password for ssh. thats gonna be fun

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.

Click to learn more about VIP

Use Kudos to say thanks

Mark as Helpful Answer if I've helped

---

@legacy1 wrote:

NAT is a packaged deal for changing local IP's from LAN to WAN and changing the MAC for the WAN out. It happens because of NAT therefore NAT changes MAC regardless.

---

You keep saying that, but you've yet to back it up with any evidence -- and it doesn't match the reality of what happens.

---

@apcyberax wrote:

having all your ipv6 addresses public with no router is a really bad idea.

you would be forced to put all your devices online if you wanted them to have a ip address.

No router means no ipv6 address unless its passed from the isp.

 

Think of all the devices you might have on your network that can't or dont have good security.

 

Every games console. phone, ip cam, smart tv and every ipod/iphone thats jailbroken with the same root password for ssh. thats gonna be fun

---

The most logical IPv6 configuration would be to assign a single address to your router, and then a /64 block routed behind it...

It would be very messy and difficult to manage connecting multiple devices directly to a cable modem each with their own IPv6 address and this would also require an IPv4 address for each device unless you wanted to go pure V6.

In the case of a router, it would hand out addresses within the /64 to all the devices you have behind it... You would assume that the default configuration of such a router, especially one provided by default by a mainstream ISP would be to block inbound connections to any of the devices while allowing unrestricted outbound connections. Having spoken to someone who has native IPv6 on an AT&T DSL in the US this is indeed the default configuration of the device he has.

Although saying that, hiding a device behind a filter is a very poor kludge... What happens if someone gets behind your filtering device and finds a bunch of easy targets? What happens if you take your misconfigured iphone out with you and connect it to a public wifi network?

There really is no excuse for not configuring your devices properly, especially if you took the trouble to jailbreak your iphone *and* install SSH on it!

Perhaps we should just drop the argument ;P...

It is a function of routing in that (IIRC) each layer should replace the mac and recalculate checksums when passing information to the next point.  So yes, it could be that the data is simply hitting that layer in the switch and the old MAC is removed and (due to routing) the new MAC is put in (so the next hop will know the return unit).  The IETF does not dictate changing the MAC throught the NAT layer, so It does appear that it's done because of routing. At the end of the day, it doesnt matter much because regardless of it being done due to the layer of routing or because of NAT (that is on top of that layer) it happens. But some RFC documents also state things like

"

Responding to ARP requests for the NAT mapped global addresses

with its own MAC address is a must ..... with Basic NAT setup.

"

Again tho....

It doesnt really matter...

The innards of some packets are altered "due to nat"

The IP packet is modified each hop with the MAC and Checksum changed "due to routing"

The packets I was thinking of earlier was encapsulated packets that must retain source MAC.

And as the IETF or RFC database is so huge, many of us go by what we know and have discovered (I applaud anyone who has read all of the documents that would relate to common use).

---

@bert64 wrote:

Although saying that, hiding a device behind a filter is a very poor kludge... What happens if someone gets behind your filtering device and finds a bunch of easy targets? What happens if you take your misconfigured iphone out with you and connect it to a public wifi network?

 

There really is no excuse for not configuring your devices properly, especially if you took the trouble to jailbreak your iphone *and* install SSH on it!

---

My SolarInverter doesnt allow me to change the password!!...  It has both Telnet and HTTP menu's, and, sadly, You can change critical data through those menus.

If you manage to get a secure connection inside someones LAN then they are done for.  I am sure that you dont have your computer set to block all lan traffic?  I am sure with a bit of work you could flash custom firmware on the SuperHubs too.  So if someone breaks into your LAN then they could flash the SH with firmware and chances are that all traffic coming from there does have permission to talk to your pc...

As we said ealrier tho, the "firewall" features of home routers is what gives the huge protection, we will still need a device like that when we move to ipv6 (I will not trust VM's hardware to do it).

All NetGear routers (with original firmware) can easily be tampered with from the LAN side.  I know the SH firmware will not deviate much but until I find a cheap SH to tamper with I'll not try anything.... A lot of other equipment can (from LAN) be exposed with little or no way to protect them without physically disconnecting the unit.  Devices on my network that have limited settings are a Roku box, Solar Inverter, Two TV's, One freeview box.  I could even include my two netgear routers in there.  The key is in the gateway (Router) and it will be even after the move to ipv6.

I think a /120 or /116 block would be more than enough to hand out to users.