[154912] in North American Network Operators' Group
Re: NAT66 was Re: using "reserved" IPv6 space
daemon@ATHENA.MIT.EDU (Mark Andrews)
Mon Jul 16 22:41:38 2012
To: Lee <ler762@gmail.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Mon, 16 Jul 2012 21:55:40 -0400."
<CAD8GWsswFwnPKTfxt=squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ@mail.gmail.com>
Date: Tue, 17 Jul 2012 12:40:40 +1000
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In message <CAD8GWsswFwnPKTfxt=squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ@mail.gmail.com>, Lee writes:
> On 7/16/12, Owen DeLong <owen@delong.com> wrote:
> >
> > Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being
> > able to eliminate NAT. NAT was a necessary evil for IPv4 address
> > conservation. It has no good use in IPv6.
>
> NAT is good for getting the return traffic to the right firewall. How
> else do you deal with multiple firewalls & asymmetric routing?
Traffic goes where the routing protocols direct it. NAT doesn't
help this and may actually hinder as the source address cannot be
used internally to direct traffic to the correct egress point.
Instead you need internal routers that have to try to track traffic
flows rather than making simple decisions based on source and
destination addresess.
Applications that use multiple connections may not always end up
with consistent external source addresses.
> Yes, it's possible to get traffic back to the right place without NAT.
> But is it as easy as just NATing the outbound traffic at the
> firewall?
It can be and it can be easier to debug without NAT mangling
addresses.
The only thing helpful NAT66 does is delay the externally visible
source address selection until the packet passes the NAT66 box.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
