[154927] in North American Network Operators' Group
Re: using "reserved" IPv6 space
daemon@ATHENA.MIT.EDU (Seth Mos)
Tue Jul 17 01:37:10 2012
From: Seth Mos <seth.mos@dds.nl>
In-Reply-To: <161620.1342456488@turing-police.cc.vt.edu>
Date: Tue, 17 Jul 2012 07:36:30 +0200
To: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi,
Op 16 jul 2012, om 18:34 heeft valdis.kletnieks@vt.edu het volgende =
geschreven:
> On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said:
>> -------That is clearly a matter of opinion. NAT64 and NAT66 wouldn't =
be there
>> if there weren't enough customers asking for it. Are all the =
customers naive?
>> I doubt it. They have their reasons. I agree with your "purist" =
definition and
>> did not say I was using it. My point is that vendors are still =
rolling out base
>> line features even today.
>=20
> Sorry to tell you this, but the customers *are* naive and asking for =
stupid
> stuff. They think they need NAT under IPv6 because they suffered with =
it in
> IPv4 due to addressing issues or a (totally percieved) security =
benefit (said
> benefit being *entirely* based on the fact that once you get NAT =
working, you
> can build a stateful firewall for essentially free). The address =
crunch is
> gone, and stateful firewalls exist, so there's no *real* reason to =
keep
> pounding your head against the wall other than "we've been doing it =
for 15
> years".
To highlight what the current NAT66 is useful for, it's a RFC for =
Network Prefix translation. It has nothing do with obfuscation or hiding =
the network anymore. It's current application is multihoming for the =
poor.
Example:
You have a Cable and a DSL, they both provide IPv6 and you want to =
provide failover. You then use ULA or one of the Global Addresses on the =
LAN network, and set up NAT66 mappings for the secondary WAN, or both if =
you are using ULA.
This will not hide *anything* as your machines will now be *visible* on =
2 global prefixes at the same time. And yes, you still use the stateful =
firewall rules on each WAN for the incoming traffic. And you can =
redirect traffic as needed out each WAN. It's the closest thing to the =
existing Dual WAN that current routers support.
Also note that this also works fine with 2 IPv6 tunnels. Bind each =
tunnel to a WAN and you have the same failover for IPv6 as IPv4.
Cheers,
Seth
