[131281] in North American Network Operators' Group


Re: IPv6 fc00::/7 — Unique local addresses

daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Oct 21 20:22:35 2010

From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTi=yQe8nU74RUQy5O7pf9VLT5x232J=8yRjQAAnJ@mail.gmail.com>
Date: Thu, 21 Oct 2010 17:15:50 -0700
To: Allen Smith <lazlor@lotaris.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Oct 21, 2010, at 9:29 AM, Allen Smith wrote:

> Hi All,
>
> I've inherited a small network with a couple of Internet connections through
> different providers, I'll call them Slow and Fast.
>
> We use RFC 1918 space internally and have a pair of external firewalls that
> handle NAT and such.
>
> Due to internal policy (read money), some users default to the Slow
> connection and some default to Fast. Using probes and policy routing, a
> failure of one of the ISPs is generally transparent (outside of the usual
> session resets for things like ssh or remote control sessions).
>
> Looking forward to the next 12 months, we may have clients that are living
> in IPv6 space. Our ISPs are happy to give us IPv6 allocations and our
> network gear vendors either have GA IPv6 code now or will soon.
>
> We have been somewhat spoiled by our firewall/NAT boxes, the stuff just
> works for our needs and the combination of NAT and policy routing keeps
> people on the circuits they are paying for. Am trying to decide how I would
> implement this kind of policy in the new world of globally
> trackable^H^H^H^H^H^H^H routable IPs for my desktops. Solutions seem to be:
>
>=20
My suggestion:

1. Get a /48 from your friendly neighborhood RIR.
2. Get an ASN to go with it.
3. Accept that your inbound is going to get topologically divided between
   the two links rather than customer-specific.

If that's not an option, then:

1. Get /48s from both providers.
2. Provide appropriate RAs to your users so that the users that should prefer
   provider SLOW get RAs with a higher preference to provider SLOW and
   the users that should prefer provider FAST get RAs with a higher preference
   for provider FAST.
3. Update your probes/policy routing scripts so that they will deprecate the
   broken RA (you can do this by sending a poisoned final RA with a very
   short valid time to the all hosts multicast address of each subnet).

Option 3 is a very bad idea and I hope your vendor would refuse.

Owen

> 1) Purchase some BGP capable routers, grab PI space. Here I can obv choose
> outbound path, but we are typical in that our inbound to outbound is 6 or 7
> to 1.
>
> 2) Assign PA space from the ISPs to the appropriate devices. What do I do
> when I lose a provider?
>
> 3) Make loud noises to my firewall vendor to include equivalent NAT/ISP
> failover functionality (even 6to6 NAT would be fine).
>
> Anyway, another sample of 1, but I do work for a managed services provider
> and see many small orgs facing similar choices. I personally am happy to
> use globally routable addresses and will work through the privacy and
> perceived security implications of NAT/nonat, I just want the same ease of
> use and flexibility I have today in an SMB environment.
>
> Cheers,
> -Allen
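The RA mechanics behind steps 2 and 3 of Owen's second option, as an added example that is not code from the thread: it encodes the RFC 4191 router-preference bits and the prefix lifetimes into a Router Advertisement, decodes them back, and applies a host's default-router choice. The router names, prefixes and lifetimes are constructed for illustration, and the ICMPv6 checksum is left unset.

```python
import struct
import ipaddress

# RFC 4191 Prf encoding: the 2-bit field at bits 4-3 of the RA flags byte.
PRF = {"high": 0b01, "medium": 0b00, "low": 0b11}
PRF_NAME = {v: k for k, v in PRF.items()}

def build_ra(preference, router_lifetime, prefix, valid, preferred):
    """Build an ICMPv6 Router Advertisement (RFC 4861) with one Prefix Information
    option. Checksum stays 0: a real sender computes it over the IPv6 pseudo-header."""
    flags = PRF[preference] << 3
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    # Prefix option: type 3, length 4 (units of 8 bytes), L and A flags set.
    opt = struct.pack("!BBBBIII16s", 3, 4, net.prefixlen, 0xC0,
                      valid, preferred, 0, net.network_address.packed)
    return hdr + opt

def parse_ra(pkt):
    """Decode router preference, Router Lifetime and advertised prefix lifetimes."""
    _, _, _, _, flags, rl, _, _ = struct.unpack_from("!BBHBBHII", pkt)
    prf = PRF_NAME.get((flags >> 3) & 0b11, "medium")  # 0b10 is reserved: treat as medium
    prefixes, off = [], 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 requires discard
        if otype == 3:
            plen, _, v, p, _, raw = struct.unpack_from("!BBIII16s", pkt, off + 2)
            prefixes.append((f"{ipaddress.IPv6Address(raw)}/{plen}", v, p))
        off += olen * 8
    return {"preference": prf, "router_lifetime": rl, "prefixes": prefixes}

def choose_default_router(ras):
    """RFC 4191 s.3: a router advertising Router Lifetime 0 is not a default router;
    among the rest pick the highest preference. Returns a router name or None."""
    rank = {"high": 2, "medium": 1, "low": 0}
    live = [(n, r) for n, r in ((n, parse_ra(p)) for n, p in ras.items()) if r["router_lifetime"] > 0]
    return max(live, key=lambda nr: rank[nr[1]["preference"]])[0] if live else None

if __name__ == "__main__":
    # Constructed sample: a subnet whose users should prefer provider SLOW.
    slow = build_ra("high", 1800, "2001:db8:1:10::/64", 86400, 14400)
    fast = build_ra("low", 1800, "2001:db8:2:10::/64", 86400, 14400)
    print("normal:", choose_default_router({"slow": slow, "fast": fast}))
    # SLOW failed: a final RA with Router Lifetime 0 withdraws it and Preferred 0
    # deprecates its addresses; Valid stays 7200 because RFC 4862 s.5.5.3 lets an
    # unauthenticated RA cut a remaining Valid Lifetime no lower than two hours.
    gone = build_ra("high", 0, "2001:db8:1:10::/64", 7200, 0)
    print("after failover:", choose_default_router({"slow": gone, "fast": fast}))
```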

