[141951] in North American Network Operators' Group


Re: Question about migrating to IPv6 with multiple upstreams.

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jun 14 17:50:25 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <BANLkTikxi8vq4RaH6MGCvoKRkqFEarQOSRtxgTyMR_WVGB6XtA@mail.gmail.com>
Date: Tue, 14 Jun 2011 14:46:04 -0700
To: Ray Soucy <rps@maine.edu>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jun 14, 2011, at 10:52 AM, Ray Soucy wrote:

> It's a security and operational issue.
>
> The perception is that it's easier to monitor, manage, and filter one
> address per host instead of 3.  For most in the enterprise world it's
> a non-starter to have that setup; even if that perception is a false
> one.
>

Yes... The key word there is perception. The question is whether it makes
more sense to put effort into correcting mis-perceptions or to put the effort
into providing workarounds which provide a sub-par networking experience
to the end user.

IMNSHO, it is better to put effort into education. I'm surprised to find someone
from a .EDU on the opposite side of that thought. One would normally expect
them to favor the idea of education over hackery.

> Not sure I have the energy to re-hash the tired old NAT debate though. ;-)
>

That sound you hear is me breathing a sigh of relief. I will continue to do
it as long as it remains necessary, but I'm tired of it too.

Owen

> On Tue, Jun 14, 2011 at 1:38 PM,  <Valdis.Kletnieks@vt.edu> wrote:
>> On Tue, 14 Jun 2011 13:04:11 EDT, Ray Soucy said:
>>
>>> A better solution, and the one I think that will be adopted in the
>>> long term as soon as vendors come into the fold, is to swap out
>>> RFC1918 with ULA addressing, and swap out PAT with NPT; then use
>>> policy routing to handle load balancing and failover the way most
>>> "dual WAN" multifunction firewalls do today.
>>>
>>> Example:
>>>
>>> Each provider provides a 48-bit prefix;
>>>
>>> Internally you use a ULA prefix, and set up prefix translation so that
>>> the prefix gets swapped appropriately for each uplink interface.  This
>>> provides the benefits of "NAT" used today; without the drawback of
>>> having to do funky port rewriting and restricting incoming traffic to
>>> mapped assignments or UPnP.
>>
>> Why do people insist on creating solutions where each host has exactly one IPv6
>> address, instead of letting each host have *three* (in this case) - a ULA and
>> two provider-prefixed addresses?
>>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
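The "ULA inside, one /48 per provider outside, prefix swapped per uplink" setup Ray describes in the quoted text, as an added worked example that is not code from the thread or from any vendor: a checksum-neutral prefix translation in the style of RFC 6296 (NPTv6), the standardized form of the "NPT" he refers to. The ULA, the two documentation /48s and the host address are constructed for the example, and the helper handles only equal-length prefixes of /48 or shorter.

```python
import ipaddress

def _words(addr):
    p = addr.packed  # eight 16-bit words of a 128-bit address
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]

def ones_complement_sum(words):
    """RFC 1071 style one's complement sum, folded to 16 bits."""
    s = sum(words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def npt_translate(addr, src_prefix, dst_prefix):
    """Rewrite addr's prefix from src_prefix to dst_prefix, keeping the address
    checksum-neutral by adjusting the subnet word (bits 48..63). Equal-length
    prefixes of /48 or shorter only, the case in the thread (one /48 per provider)."""
    src, dst = ipaddress.IPv6Network(src_prefix), ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("only equal-length prefixes of /48 or shorter are handled")
    old = ipaddress.IPv6Address(addr)
    if old not in src:
        raise ValueError(f"{old} is not within {src}")
    ow = _words(old)
    # Swap the prefix bits, keeping every host bit (subnet id and IID) as-is.
    nw = _words(ipaddress.IPv6Address(int(dst.network_address) | (int(old) & int(src.hostmask))))
    # delta = sum(new prefix words) - sum(old prefix words); one's complement
    # subtraction is addition of the bitwise complement.
    delta = ones_complement_sum(nw[:3] + [(~w) & 0xFFFF for w in ow[:3]])
    # Take delta back out of the subnet word so the sum of all eight words is
    # unchanged; TCP/UDP pseudo-header checksums then stay valid untouched.
    nw[3] = ones_complement_sum([ow[3], (~delta) & 0xFFFF])
    if nw[3] == 0xFFFF:  # negative zero in one's complement; RFC 6296 writes 0x0000
        nw[3] = 0x0000
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in nw))

def is_checksum_neutral(a, b):
    """True if both addresses contribute the same one's complement sum to a checksum."""
    return (ones_complement_sum(_words(ipaddress.IPv6Address(a)))
            == ones_complement_sum(_words(ipaddress.IPv6Address(b))))

def uplink_addresses(host, ula_prefix, provider_prefixes):
    """External address of one ULA host on each uplink (policy routing picks the uplink)."""
    return {p: str(npt_translate(host, ula_prefix, p)) for p in provider_prefixes}

if __name__ == "__main__":
    # Constructed example: ULA inside, one documentation /48 per provider outside.
    HOST, ULA = "fd00:1234:5678:10::abcd", "fd00:1234:5678::/48"
    for uplink, ext in uplink_addresses(HOST, ULA, ["2001:db8:1::/48", "2001:db8:2::/48"]).items():
        print(f"{HOST} -> {ext} via {uplink}; inbound maps back to {npt_translate(ext, uplink, ULA)}")
```

Because the mapping is stateless and one-to-one, nothing in it restricts inbound traffic the way PAT does as a side effect, so the edge filter has to be written explicitly; and since the same host shows a different external address on each uplink, anything outside that keys on the source address (allow-lists, reputation, logs) still sees several addresses per host, which is Valdis' point in a different form.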
