[154919] in North American Network Operators' Group
Re: NAT66 was Re: using "reserved" IPv6 space
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jul 17 00:26:27 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAD8GWsswFwnPKTfxt=squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ@mail.gmail.com>
Date: Mon, 16 Jul 2012 21:23:46 -0700
To: Lee <ler762@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 16, 2012, at 6:55 PM, Lee wrote:
> On 7/16/12, Owen DeLong <owen@delong.com> wrote:
>>
>> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being
>> able to eliminate NAT. NAT was a necessary evil for IPv4 address
>> conservation. It has no good use in IPv6.
>
> NAT is good for getting the return traffic to the right firewall. How
> else do you deal with multiple firewalls & asymmetric routing?
1. Share state across the firewalls or go with stateless firewalls.
2. Move the firewalls close enough to the end hosts to avoid this problem;
keep the asymmetric routing outside the perimeter.
3. Very creative source address selection mechanisms.
4. LISP (if you must).
>
> Yes, it's possible to get traffic back to the right place without NAT.
> But is it as easy as just NATing the outbound traffic at the
> firewall?
That depends on whose life you are trying to make easy. If you asked the
application developers or the people that have to build all the problematic
ALGs that it creates a need for, I'd bet they would have a different opinion
than the guy configuring the firewall.
In terms of overall problems created, cost to the community, increased insecurity,
and the other costs associated with a NAT-based solution, I'd say that it is
a net loss to use NAT and a net gain to avoid it.
From the perspective of the firewall administrator alone without a broader
view of the total consequences, toxic pollution of the internet seems like
a good idea.
Owen
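The exchange above turns on one mechanism: a stateful firewall only admits a reply if it saw the outbound flow that the reply belongs to, so a return path through a different firewall is dropped. The toy model below, added here as an illustration and not code from the thread or from any firewall product, shows that failure and two of the remedies being argued about: option 1 from Owen's list (state shared between the two firewalls) and Lee's approach (source NAT so the reply is addressed to the firewall that created the state and routing has no choice but to bring it back there). The hosts, addresses (from the 2001:db8::/32 documentation prefix), port numbers and the "ECMP picks firewall B" routing decision are all constructed for the example; port collisions and state expiry are deliberately ignored.

```python
"""Toy model: asymmetric return paths through a pair of stateful firewalls.

Added example for the NANOG NAT66 thread; not the thread's or any vendor's code.
Addresses use the 2001:db8::/32 documentation prefix and are constructed.
"""
from dataclasses import dataclass

INSIDE_HOST = "2001:db8:1::10"     # constructed: a host behind the firewalls
OUTSIDE_HOST = "2001:db8:ffff::1"  # constructed: a server on the internet
FW_A_ADDR = "2001:db8:2::a"        # constructed: firewall A's own address
FW_B_ADDR = "2001:db8:2::b"        # constructed: firewall B's own address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False       # first packet of a flow
    inbound: bool = False   # True when entering the perimeter from outside


class StatefulFirewall:
    """Permits outbound flows and only the replies to flows it has state for."""

    def __init__(self, name, shared_state=None, nat_addr=None):
        self.name = name
        # Connection table keyed by the outbound 4-tuple as seen on the outside.
        # Handing the same dict to two instances models shared state (option 1).
        self.conns = shared_state if shared_state is not None else {}
        # When set, outbound source addresses are rewritten to this address,
        # modelling NAT66-style source translation at the firewall.
        self.nat_addr = nat_addr

    def process(self, pkt):
        """Return the packet as forwarded (possibly rewritten), or None if dropped."""
        if not pkt.inbound:
            fwd = pkt
            if self.nat_addr:
                # Source NAT: the outside only ever sees the firewall's address.
                fwd = Packet(self.nat_addr, pkt.dst, pkt.sport, pkt.dport, syn=pkt.syn)
            self.conns[(fwd.src, fwd.sport, fwd.dst, fwd.dport)] = pkt.src
            return fwd
        # A reply carries the outbound tuple reversed; no state means drop.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.conns:
            return None
        original_src = self.conns[key]
        if self.nat_addr:
            # Undo the translation so the reply reaches the inside host.
            return Packet(pkt.src, original_src, pkt.sport, pkt.dport, inbound=True)
        return pkt


def scenario(shared_state: bool, nat: bool):
    """Send one flow out through A and bring the reply back; report the outcome."""
    state = {} if shared_state else None
    fw_a = StatefulFirewall("A", state, FW_A_ADDR if nat else None)
    fw_b = StatefulFirewall("B", state, FW_B_ADDR if nat else None)

    # Outbound: internal routing happens to send the SYN through firewall A.
    syn = Packet(INSIDE_HOST, OUTSIDE_HOST, 40000, 443, syn=True)
    on_the_wire = fw_a.process(syn)

    # The outside host replies to whatever source address it saw.
    reply = Packet(on_the_wire.dst, on_the_wire.src,
                   on_the_wire.dport, on_the_wire.sport, inbound=True)

    # Inbound routing (constructed): a packet addressed to firewall A itself can
    # only arrive at A; anything else is ECMP-hashed and here lands on B, which
    # is the asymmetry the thread is about.
    entry = fw_a if reply.dst == FW_A_ADDR else fw_b
    delivered = entry.process(reply)
    return {"entry_firewall": entry.name, "accepted": delivered is not None}


if __name__ == "__main__":
    for shared, nat in [(False, False), (True, False), (False, True)]:
        label = "shared state" if shared else ("source NAT" if nat else "independent state")
        print(f"{label:18s} -> {scenario(shared, nat)}")
```

Running it shows the reply dropped at B with independent state, accepted at B once the connection table is shared, and pulled back to A (and accepted) when A rewrote the source address. The NAT row is the "just NAT the outbound traffic" convenience Lee describes; the shared-state row is the fix that keeps end-to-end addresses intact, which is why the rest of the reply weighs the ALG and application costs of the NAT row against the firewall administrator's convenience.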