[154928] in North American Network Operators' Group
Re: NAT66 was Re: using "reserved" IPv6 space
daemon@ATHENA.MIT.EDU (Seth Mos)
Tue Jul 17 01:48:14 2012
From: Seth Mos <seth.mos@dds.nl>
In-Reply-To: <CAPiURgV+E-FLg_dkKq97P1OkhBWuZGiRVQd1GvY-Uh=09omREQ@mail.gmail.com>
Date: Tue, 17 Jul 2012 07:47:30 +0200
To: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 17 Jul 2012, at 04:56, Grant Ridder wrote:
> If you are running an HA pair, why would you care which box it went back
> through?
Because it could be/is a stateful firewall and the backup will drop the traffic. (FreeBSD CARP)
Cheers,
Seth
>
> -Grant
>
> On Monday, July 16, 2012, Mark Andrews wrote:
>
>>
>> In message <CAD8GWsswFwnPKTfxt=squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ@mail.gmail.com>, Lee
>> writes:
>>> On 7/16/12, Owen DeLong <owen@delong.com> wrote:
>>>>
>>>> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being
>>>> able to eliminate NAT. NAT was a necessary evil for IPv4 address
>>>> conservation. It has no good use in IPv6.
>>>
>>> NAT is good for getting the return traffic to the right firewall. How
>>> else do you deal with multiple firewalls & asymmetric routing?
>>
>> Traffic goes where the routing protocols direct it. NAT doesn't
>> help this and may actually hinder as the source address cannot be
>> used internally to direct traffic to the correct egress point.
>>
>> Instead you need internal routers that have to try to track traffic
>> flows rather than making simple decisions based on source and
>> destination addresses.
>>
>> Applications that use multiple connections may not always end up
>> with consistent external source addresses.
>>
>>> Yes, it's possible to get traffic back to the right place without NAT.
>>> But is it as easy as just NATing the outbound traffic at the
>>> firewall?
>>
>> It can be and it can be easier to debug without NAT mangling
>> addresses.
>>
>> The only thing helpful NAT66 does is delay the externally visible
>> source address selection until the packet passes the NAT66 box.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
>>
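The mechanism the thread argues about, as an added illustration that is not part of any message above: two stateful firewalls sit in front of one inside prefix; a flow leaves through one box, and the outside router decides which box the reply comes back through. When the reply lands on the box that never saw the flow, there is no state entry and the packet is dropped (the HA-pair case Seth describes, with no state synchronisation in this model). When the egress box rewrites the source to an address only it owns (the NAT66 behaviour Lee relies on), the reply is routed back to that box by destination alone. The firewall names, the router's path choice, the tuple-based state table and all addresses (drawn from the 2001:db8::/32 documentation prefix) are constructed for this example.

```python
# Added illustration (not from the thread): a toy model of two stateful
# firewalls in front of one inside prefix, showing the asymmetric-return drop
# and why a source rewrite at the egress box pins the return path to it.
# Names, addresses (2001:db8::/32 documentation space) and API are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class StatefulFirewall:
    name: str
    outside_addr: str           # address this box alone owns on the outside
    nat: bool = False           # rewrite inside sources to outside_addr (NAT66-style)
    states: set = field(default_factory=set)          # (src, dst, sport, dport) seen outbound
    nat_table: dict = field(default_factory=dict)     # (outside_addr, sport) -> inside src

    def outbound(self, pkt: Packet) -> Packet:
        """Forward an inside->outside packet, recording state; return it as sent."""
        if self.nat:
            self.nat_table[(self.outside_addr, pkt.sport)] = pkt.src
            pkt = Packet(self.outside_addr, pkt.dst, pkt.sport, pkt.dport)
        self.states.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet):
        """Admit a reply only if it matches a flow this box saw; None means dropped."""
        key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)   # reverse of the recorded flow
        if key not in self.states:
            return None           # no state on this box: the stateful drop
        if self.nat:
            inside = self.nat_table[(pkt.dst, pkt.dport)]
            pkt = Packet(pkt.src, inside, pkt.sport, pkt.dport)
        return pkt


INSIDE_HOST = "2001:db8:1::10"     # constructed inside address
SERVER = "2001:db8:2::80"          # constructed outside server


def run_scenario(use_nat: bool, router_prefers: str):
    """
    Send one flow out through fw-a and route the reply back in.
    router_prefers is the box the outside router picks for the shared inside
    prefix when both firewalls advertise it (the asymmetric case). Returns
    (name of the box the reply hit, delivered packet or None if dropped).
    """
    fws = {
        "fw-a": StatefulFirewall("fw-a", "2001:db8:ffff::a", nat=use_nat),
        "fw-b": StatefulFirewall("fw-b", "2001:db8:ffff::b", nat=use_nat),
    }
    sent = fws["fw-a"].outbound(Packet(INSIDE_HOST, SERVER, 40000, 443))
    reply = Packet(SERVER, sent.src, 443, sent.sport)

    # A firewall's own outside address is reachable only through that box,
    # while the shared inside prefix is reachable through either of them.
    owner = {fw.outside_addr: name for name, fw in fws.items()}
    path = owner.get(reply.dst, router_prefers)
    return path, fws[path].inbound(reply)


if __name__ == "__main__":
    for use_nat, prefers in [(False, "fw-a"), (False, "fw-b"), (True, "fw-b")]:
        path, delivered = run_scenario(use_nat, prefers)
        outcome = "delivered to %s" % delivered.dst if delivered else "dropped"
        print(f"nat={use_nat} reply via {path}: {outcome}")
```

Running it shows the three cases side by side: symmetric return without NAT is delivered, asymmetric return without NAT is dropped by the box holding no state, and with the source rewrite the outside router has no choice but to send the reply to fw-a, where it is translated back to the inside host. Mark's objection is visible in the same model: once the source has been rewritten, nothing inside the network can tell from the address which host originated the flow.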