[154931] in North American Network Operators' Group


Re: using "reserved" IPv6 space

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jul 17 02:46:35 2012

From: Owen DeLong <owen@delong.com>
In-Reply-To: <75C9CAAC-9162-4F1F-9E51-A7801FC3F1C8@dds.nl>
Date: Mon, 16 Jul 2012 23:43:05 -0700
To: Seth Mos <seth.mos@dds.nl>
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jul 16, 2012, at 10:36 PM, Seth Mos wrote:

> Hi,
>
> On 16 Jul 2012, at 18:34, valdis.kletnieks@vt.edu wrote:
>
>> On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said:
>>> That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there if there weren't enough customers asking for it. Are all the customers naive? I doubt it. They have their reasons. I agree with your "purist" definition and did not say I was using it. My point is that vendors are still rolling out baseline features even today.
>>
>> Sorry to tell you this, but the customers *are* naive and asking for stupid stuff. They think they need NAT under IPv6 because they suffered with it in IPv4 due to addressing issues or a (totally perceived) security benefit (said benefit being *entirely* based on the fact that once you get NAT working, you can build a stateful firewall for essentially free). The address crunch is gone, and stateful firewalls exist, so there's no *real* reason to keep pounding your head against the wall other than "we've been doing it for 15 years".
>
> To highlight what the current NAT66 is useful for, it's an RFC for Network Prefix translation. It has nothing to do with obfuscation or hiding the network anymore. Its current application is multihoming for the poor.

And it's a really poor way to do multihoming.

You don't have to spend a lot of money to multihome properly.

>
> Example:
> You have a Cable and a DSL, they both provide IPv6 and you want to provide failover. You then use ULA or one of the Global Addresses on the LAN network, and set up NAT66 mappings for the secondary WAN, or both if you are using ULA.

I have that and I use BGP with an ARIN prefix using the Cable and DSL as layer 2 substrates for dual-stack tunnels.

Works pretty well and doesn't cost much more than the NAT66 based solution.

> This will not hide *anything* as your machines will now be *visible* on 2 global prefixes at the same time. And yes, you still use the stateful firewall rules on each WAN for the incoming traffic. And you can redirect traffic as needed out each WAN. It's the closest thing to the existing Dual WAN that current routers support.
>
> Also note that this also works fine with 2 IPv6 tunnels. Bind each tunnel to a WAN and you have the same failover for IPv6 as IPv4.

Once you go to tunnels, why not go all the way and put BGP across the tunnels?

Owen
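The "NAT66" Seth describes is NPTv6 prefix translation (RFC 6296): a 1:1, stateless, checksum-neutral rewrite of the /48 prefix. The following is an added example, not code from the thread or from any router; it assumes a constructed ULA prefix on the LAN and two RFC 3849 documentation prefixes standing in for the Cable and DSL WANs, and it follows the RFC's /48 method of absorbing the prefix difference into the subnet word (the handling of a 0xFFFF subnet result is this example's own choice). It shows why the mapping "hides nothing": each WAN prefix maps back to exactly the same LAN host, so the stateful firewall on each WAN is still what controls inbound traffic.

```python
import ipaddress

# Constructed prefixes for the example (not from the thread).
INSIDE = ipaddress.IPv6Network("fd12:3456:789a::/48")  # ULA on the LAN
CABLE = ipaddress.IPv6Network("2001:db8:1::/48")       # assumed Cable WAN prefix
DSL = ipaddress.IPv6Network("2001:db8:2::/48")         # assumed DSL WAN prefix


def words(addr):
    """Split a 128-bit address into eight 16-bit big-endian words."""
    packed = addr.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def oc_sum(ws):
    """One's complement sum (RFC 1071 style) folded to 16 bits."""
    total = sum(ws)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def oc_add(a, b):
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def translate(addr, src, dst):
    """Rewrite addr from /48 prefix src to /48 prefix dst, NPTv6-style.
    The subnet word (bits 48-63) absorbs the difference between the two
    prefix sums, so the one's complement sum over the whole address, and with
    it any TCP/UDP/ICMPv6 pseudo-header checksum, is unchanged."""
    if src.prefixlen != 48 or dst.prefixlen != 48 or addr not in src:
        raise ValueError("this example only handles /48 <-> /48 mappings")
    w = words(addr)
    src_w, dst_w = words(src.network_address)[:3], words(dst.network_address)[:3]
    adjustment = oc_add(oc_sum(src_w), (~oc_sum(dst_w)) & 0xFFFF)  # src - dst
    subnet = oc_add(w[3], adjustment)
    if subnet == 0xFFFF:  # 0xFFFF and 0x0000 are both zero in one's complement;
        subnet = 0x0000   # this example picks 0, so LAN subnet 0xFFFF is unusable
    new_w = dst_w + [subnet] + w[4:]
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in new_w))


def checksum_neutral(a, b):
    """True when both addresses contribute the same one's complement sum."""
    return oc_sum(words(a)) % 0xFFFF == oc_sum(words(b)) % 0xFFFF


def external_views(inside_host):
    """The same LAN host as it appears on each WAN prefix (string input)."""
    host = ipaddress.IPv6Address(inside_host)
    return {"cable": translate(host, INSIDE, CABLE), "dsl": translate(host, INSIDE, DSL)}
```

Because `translate` is its own inverse with the prefixes swapped, either external address leads straight back to the LAN host; nothing about the mapping adds access control.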
