[154932] in North American Network Operators' Group


Re: NAT66 was Re: using "reserved" IPv6 space

daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jul 17 02:47:04 2012

From: Owen DeLong <owen@delong.com>
In-Reply-To: <97150.1342502435@turing-police.cc.vt.edu>
Date: Mon, 16 Jul 2012 23:40:11 -0700
To: valdis.kletnieks@vt.edu
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jul 16, 2012, at 10:20 PM, valdis.kletnieks@vt.edu wrote:

> On Mon, 16 Jul 2012 21:31:42 -0700, Owen DeLong said:
>> Think HA pairs in Pittsburgh, Dallas, and San Jose.
>>
>> Now imagine each has different upstream connectivity and the backbone
>> network connecting all the corporate sites lives inside those firewalls.
>>
>> The real solution to this is to move the backbone outside of the firewalls
>> and connect the internal networks via VPNs that ride the external backbone
>> and can be routed over the internet safely when a backbone link fails.
>
> Wouldn't this be even easier if you gave each machine involved multiple
> addresses, one ULA and one external?  This isn't IPv4 anymore, you can
> stick multiple addresses on an interface. :)

Not really... Doesn't help with the situation where you go from
	host->Firewall A-> web server on the external internet
and the response goes
	web server->Firewall B-> X (Firewall B has no state table entry for the session).

Owen
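
The asymmetric-return case described in the message above, modelled as an added example that is not part of the original post: two independent stateful firewalls, with a helper that tells an asymmetric-return drop apart from unsolicited inbound traffic. The class and function names and the 2001:db8:: addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet the far end sends back: endpoints swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)

@dataclass
class StatefulFirewall:
    name: str
    state: set = field(default_factory=set)   # flows initiated from inside

    def outbound(self, pkt):
        """Inside -> outside: allowed by policy and recorded in the state table."""
        self.state.add(pkt)
        return True

    def inbound(self, pkt):
        """Outside -> inside: allowed only as the reply to a recorded flow."""
        return pkt.reply() in self.state

def classify_drop(pkt, dropped_at, all_firewalls):
    """Explain a drop: asymmetric return if another firewall holds the state."""
    holders = [fw.name for fw in all_firewalls
               if fw is not dropped_at and pkt.reply() in fw.state]
    return f"asymmetric return, state held by {holders[0]}" if holders else "unsolicited"

def demo():
    fw_a, fw_b = StatefulFirewall("Firewall A"), StatefulFirewall("Firewall B")
    # Constructed addresses from the 2001:db8::/32 documentation prefix.
    syn = Packet("2001:db8:a::10", 40000, "2001:db8:ffff::80", 443)
    fw_a.outbound(syn)                       # host -> Firewall A -> web server
    via_a = fw_a.inbound(syn.reply())        # reply returns through A
    via_b = fw_b.inbound(syn.reply())        # reply returns through B
    reason = classify_drop(syn.reply(), fw_b, [fw_a, fw_b])
    stray = Packet("2001:db8:ffff::99", 5555, "2001:db8:a::10", 22)
    return via_a, via_b, reason, classify_drop(stray, fw_b, [fw_a, fw_b])

if __name__ == "__main__":
    print(demo())
```

The host's source address is the same on both paths, so the result does not depend on how many addresses the interface carries; only the firewall that saw the outbound packet can match the reply.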


