China's IP shortage, two perspectives

China Tech News's story "CNNIC: China's Internet Will Be Short Of IP Addresses Soon" is the practically perfect 21st century story about China and all that makes the rest of the world anxious about it. It is one of those stories about the obliterating scale (real or perceived) of Mighty China, the imagination-boggling numbers that give China a middle class that is larger than the entire population of the US; that give China more English speakers (more or less) than any other country on earth, and so on. It's the epitome of stories about Chinese hunger for commodities leading to spikes in worldwide scrap prices and a global pandemic of sewer-cover thefts. It pokes at the western fear that the Chinese billions will demand refrigerators, cars, 24-hour electricity, and swamp the carefully restored ozone, the dwindling petrol reserves, the failing climate.

Except, of course, that IP addresses are nothing like oil, ozone, middle-classes or Anglophones. They're divisible. Just add NAT routers and turn every single IP into 255, and then turn all of those into more. It screws up Skype and messes with your ping-times, but sysadmins have been intelligently stretching their IPs for decades.

What's more, the real story here is that the Politburo is ramping up to order a switch to IPv6, the more modern successor to IPv4, which has plenty of addresses to go around. It is about to accomplish, by sheer force of will, a demolition of legacy network stacks and a switchover to v6, a trick that network administrators have been trying to coax their users into for, well, decades.

It's interesting how a Party press-release intended to send sysadmins scurrying ends up, in the west, reading like a parable of Unstoppable Pac-China, Devourer of the Planet's Power-Pills.

The Internet in China may soon run out. According to the China Internet Network Information Center, under the current allocation speed, China's IPv4 address resources can only meet the demand of 830 more days and if no proper measures are taken by then, new Chinese netizens will not be able to gain normal access to the Internet.

Li Kai, director in charge of the IP business for CNNIC's international department, says that if a netizen wants to get access to the Internet, an IP address will be necessary to analyze the domain name and view the pages. At present, most of the networks in China use IPv4 addresses. As a basic resource for the Internet, the IPv4 addresses are limited and 80% of the final allocation IP addresses have been used. By the current allocation speed, China's IPv4 address resource can only meet the demand of 830 more days. If there is no available new resource by then, new netizens will not be able to gain normal access to the Internet and the business expansion of network operators will be impossible.

CNNIC: China's Internet Will Be Short Of IP Addresses Soon (via /.)

Discussion

Take a look at this

The Chinese government has strong political reasons for wanting every web page access to be easily traced back to its origin. NAT makes this very difficult. ipv6 makes it very easy. No contest.

Take a look at this

Well, here we go, headfirst into IPv6.

For years, the IT world has had to endure the flag-waving, "the sky is falling" IPv6 proponent crowd, extolling the endless technical virtues of IPv6 whilst they denounce the demonic evil that is Network Access Translation.

It would have been better if they spent some of their zealous energies on forcing network naming technologies to improve. DNS has been revealed as surprisingly fragile, while local network naming schemes (SMB, NetBIOS, Bonjour) fail to work consistently or harmoniously. I frequently have to tell clients to connect to local file sharing services via an IP address when a local hostname should have worked just fine. What's going to happen when I have to find and quote a 32-character hexadecimal address every time naming fails?

I shudder.

Take a look at this

Agreed. Not looking forward to 128 bit addresses.

Take a look at this

'Just add NAT!' is a very blasé, web-centric view of the IPv4 address shortage. NAT is far from ideal.
The biggest NAT address range, 10.0.0.0-10.255.255.255 (or 10/8), has only 16.7 million IP addresses. Not a lot to go round for a country the size of China. Having multiple levels of NAT to compensate would be very unwieldy.

IPv6 is the better long-term option.

Take a look at this
#5 posted by Anonymous, September 24, 2008 11:23 AM

DNS is fragile? You're comparing it to NetBIOS/NetBEUI/SMB/CIFS whatever label Redmond has pasted on that steaming pile this week?

Thy geek credentials are REVOKED!

Seriously, the major problem with NAT and DNS is that a Certain Major Computer Vendor Who Shall Not Be Named (lest we summon a Ballmer) refuses to build code to standard, and does stupid local caching shenanigans, and writes execrable gaming APIs that cannot cleanly transit a single NAT gateway or deal with trivially divergent DNS views.

DirectX = method for turning a great multiplayer game into a bogged down bandwidth sucking pile of crap that can't cross NAT without totally sacrificing any sane network security paradigm.

uPNP = standard interface for malware to reconfigure your security on the fly without notifying you.

Apple deciding to reinvent SLP every 14 months or so doesn't help either.

Take a look at this

"[...] if no proper measures are taken by then, new Chinese netizens will not be able to gain normal access to the Internet."

Do the current Chinese netizens have normal access to the internet?

Take a look at this

#4: You will never need more than one level of NAT. Using 10.0.0.0/24 adds 24 bits to the addresses, essentially turning 32 bit addresses into 56 bit addresses. You don't get 16.7 million more addresses with one level of NAT. You get 16.7 million times as many addresses.

You still have the other problems associated with NAT, but most internet end-users already deal with those problems sufficiently.

As long as we can live with the other downsides of NAT, "not enough addresses" will never be the reason to move to IPv6.

Take a look at this

*sigh*

Firstly, the rest of the world will run out of blocks to allocate earlier than China will run out of blocks to allocate to their national users. See eg. http://penrose.uk6x.com/ . (Yes, this is a credible number.) This is because the RIRs (ARIN, RIPE, AFNIC et al) are allocating their remaining blocks more quickly than China's national RIR is allocating blocks to end-users such as ISPs and corporations.

Secondly, NAT is not the answer, for many reasons. Breaking Skype is a symptom of one of the (many, many) undesirable side-effects of what is fundamentally a bletcherous excrescence. See for instance:
http://www.circleid.com/posts/nat_just_say_no/

(Readers who would like to know far more than they ever wanted to about this old, old debate can find it all in the NANOG archives where this has been thrashed out over and over again over the last decade.)

At any rate, luckily for the Internet, engineers generally have clue, and are finally getting through to the cheque-signers. See for instance:
http://www.ams-ix.net/technical/stats/sflow/?type=ipv6

(IPv6 traffic at the Amsterdam IX - scroll down for the annual chart at the bottom of the page.)

The real hysteria will kick off in the last year, when every IT Director who reads an in-flight magazine will be heading down to the IT dungeon when they land and demanding to know "When are we going to get one of these IPv6 things?"


@Asuffield, #1: No, NAT does not in any way, shape or form make it difficult to trace either end of the session, provided that one end of the TCP session is under your jurisdiction. Hint: how does the NAT device keep track of which packet's going where on the NAT'd side of the connection?

@Ivan256: you fail to take into account that the pool of public routable numbers is falling. Who is using those address-blocks, if NAT means that they don't really need them? Hint: the Internet consists of more than clients.

Take a look at this

Why does China need more IPs? They don't allow most of the sites that people might require anyways! :)

Take a look at this

Notice how once again, the focus is on how evil NAT is and not on fixing the security and reliability of naming. Tsk tsk.

Take a look at this

The 16.7m IPs behind the NAT will be limited somewhat by the 65535 outgoing port numbers available for mapping in a TCP/IP address. China could extend TCP for more port numbers and break compatibility with the rest of the world, but you might as well do IPv6.

But I think the suggestion was to add one NAT per IP address, each gaining at least 255 sub-IPs to distribute; not to NAT all of China within a single /24 bit subnet.

Still, it is interesting that China could beat the U.S. to adoption of IPv6.

Take a look at this

Ivan256: You don't get 16.7 million more addresses with one level of NAT. You get 16.7 million times as many addresses.

I don't think so.
There are only 65536 TCP port numbers.
Once a NAT device has more than 65535 clients, and two of those clients want to open a connection to the same remote host and port, the NAT device will have no way of determining which client to send the response packets to.

So if you have more than 65535 clients, TCP and UDP (two of the most important IP protocols) connectivity degrades.

Take a look at this

It screws up Skype and messes with your ping-times, but sysadmins have been intelligently stretching their IPs for decades.

And of course, no-one would want to use the internet for VoIP or have low ping times.

I realise that this is BoingBoing and that everything China does is Evil, but come on.

Take a look at this

If you really want to understand the whole NAT thing, start by understanding the difference between the 'original' NAT and the NAT that most people use, which is more correctly called Port Address Translation or PAT. The differences are significant. The Wikipedia article isn't bad, and has pointers to some of the original documents.
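
An added illustration, not part of any comment in this thread: a toy port address translation (PAT) table showing the mapping a gateway keeps to return replies to the right inside host, how the public port pool bounds concurrent flows towards one remote endpoint, and why tracing a session afterwards needs the public source port plus a timestamp. The class, its method names and all addresses are assumptions constructed for the example.

```python
class PatGateway:
    """Toy PAT table for one public IPv4 address (added illustration).

    Assumption: a public port may be reused towards different remote
    endpoints, so only the translated 5-tuple has to be unique.
    """
    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.ports = range(first_port, last_port + 1)
        self.out = {}    # (proto, inside_ip, inside_port, remote) -> public port
        self.back = {}   # (proto, public_port, remote) -> (inside_ip, inside_port)
        self.log = []    # (ts, proto, inside_ip, inside_port, public_port, remote)

    def translate(self, ts, proto, inside_ip, inside_port, remote):
        """Return the public source port for an outbound flow, or None if full."""
        key = (proto, inside_ip, inside_port, remote)
        if key not in self.out:
            free = (p for p in self.ports if (proto, p, remote) not in self.back)
            port = next(free, None)
            if port is None:
                return None  # every public port is busy towards this remote
            self.out[key] = port
            self.back[(proto, port, remote)] = (inside_ip, inside_port)
            self.log.append((ts, proto, inside_ip, inside_port, port, remote))
        return self.out[key]

    def release(self, proto, inside_ip, inside_port, remote):
        """Drop a finished flow so its public port can be handed out again."""
        port = self.out.pop((proto, inside_ip, inside_port, remote))
        del self.back[(proto, port, remote)]

    def deliver(self, proto, public_port, remote):
        """Map a reply packet to the inside host, as the gateway does live."""
        return self.back.get((proto, public_port, remote))

    def trace(self, ts, proto, public_port, remote):
        """After the fact: who was last given this public port by time ts?"""
        # Simplification: only allocations are logged; real logs also need releases.
        hits = [e for e in self.log if e[0] <= ts
                and (e[1], e[4], e[5]) == (proto, public_port, remote)]
        return max(hits)[2:4] if hits else None

if __name__ == "__main__":
    gw = PatGateway("203.0.113.7", 1024, 1025)   # constructed, 2-port pool
    web = ("198.51.100.10", 80)                  # constructed remote endpoint
    print(gw.translate(100, "tcp", "10.0.0.1", 5000, web))  # first flow
    print(gw.translate(101, "tcp", "10.0.0.2", 5000, web))  # same inside port
    print(gw.translate(102, "tcp", "10.0.0.3", 5000, web))  # pool exhausted
    print(gw.trace(101, "tcp", 1025, web))
```

Because a public port is handed out again once a flow ends, a server-side log entry with only the public IP is not enough to identify the inside host; the source port and the time of the request are both needed to query the translation log.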

Take a look at this
stories about Chinese hunger for commodities leading to spikes in worldwide scrap prices

Now I've heard plenty of those stories, both truthful and speculative.

Working at a place which sold and recycled car batteries I heard all kinds of talk about Chinese-owned smelters offering significantly high prices for junk batteries (some of it decidedly reputable, some of it could be wrong but didn't seem to be). There were also contractors stopping by to make purchases who would stay and talk, speculating about high prices in construction materials, blaming scarcity caused by high demand for it to be exported to China.

I always kind of sat off to the side, listened, and nodded. I didn't take most of it too seriously but at the same time there's honestly something mythical about China as a world power that makes such speculation seem credible.

Take a look at this

@Ivan256,

I referred to multiple levels of NAT because that's what Cory suggested in the article summary. ("Just add NAT routers and turn every single IP into 255, and then turn all of those into more.")

Take a look at this

It has recently been accepted that NAT will indeed have to be embraced within the IPv6 world so love it or hate it, NAT isn't going away anytime soon, even for those planning to move to IPv6.

http://www.networkworld.com/news/2008/072108-ipv6nat.html

Take a look at this

@Geekman, networking professionals are not readily interchangeable, nor can we go "Hey, boss, y'know this guy on BoingBoing said I should work on DNS security, so I'm going to do that for a bit". NAT is a problem for what I do, DNS is not, so I focus on NAT. Secondly, doesn't DNSSec ( http://www.dnssec.net/ ) solve all this?

Secondly; if you don't like SMB/NetBIOS, talk to Microsoft. If you don't like Bonjour, talk to Apple. If you don't like the lack of a DNS server (which is what you actually need) installed in your router, talk to the manufacturer. Don't blame me for your product choices.

In fact, your hostname problem would be trivially solved if we had IPv6, because you would then expect your ISP to provide hostnames for each of your computers, rather than having to manage naming yourself because your IP addresses are hidden from the rest of the Internet.

Beyond that, what does everyone have against IPv6? It's not like they're mutually exclusive, you can (we have) run both trivially on the same network.
