[178249] in North American Network Operators' Group
Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment
daemon@ATHENA.MIT.EDU (Eric Germann)
Mon Feb 23 10:02:50 2015
X-Original-To: nanog@nanog.org
From: Eric Germann <ekgermann@cctec.com>
Date: Mon, 23 Feb 2015 10:02:44 -0500
To: nanog@nanog.org
X-Assp-Envelope-From: ekgermann@cctec.com
Errors-To: nanog-bounces@nanog.org
Currently engaged on a project where they=E2=80=99re building out a VPC =
infrastructure for hosted applications.
Users access apps in the VPC, not the other direction.
The issue I'm trying to get around is the customers who need to connect =
have multiple overlapping RFC1918 space (including overlapping what was =
proposed for the VPC networks). Finding a hole that is big enough and =
not in use by someone else is nearly impossible AND the customers could =
go through mergers which make them renumber even more in to overlapping =
1918 space.
Initially, I was looking at doing something like (example IP=E2=80=99s):
Customer A (172.28.0.0/24) <=E2=80=94> NAT to 100.127.0.0/28 <=E2=80=94=E2=
=80=94> VPN to DC <=E2=80=94=E2=80=94> NAT from 100.64.0.0/18 <=E2=80=94=E2=
=80=94> VPC Space (was 172.28.0.0/24)
Classic overlapping subnets on both ends with allocations out of =
100.64.0.0/10 to NAT in both directions. Each sees the other end in =
100.64 space, but the mappings can get tricky and hard to keep track of =
(especially if you=E2=80=99re not a network engineer).
In spitballing, the boat hasn=E2=80=99t sailed too far to say =E2=80=9CWhy=
not use 100.64/10 in the VPC?=E2=80=9D
Then, the customer would be allocated a /28 or larger (depending on =
needs) to NAT on their side and NAT it once. After that, no more NAT =
for the VPC and it boils down to firewall rules. Their device needs to =
NAT outbound before it fires it down the tunnel which pfSense and =
ASA=E2=80=99s appear to be able to do.
I prototyped this up over the weekend with multiple VPC=E2=80=99s in =
multiple regions and it =E2=80=9Cappears=E2=80=9D to work fine.
=46rom the operator community, what are the downsides?
Customers are businesses on dedicated business services vs. consumer =
cable modems (although there are a few on business class cable). Others =
are on MPLS and I=E2=80=99m hashing that out.
The only one I can see is if the customer has a service provider with =
their external interface in 100.64 space. However, this approach would =
have a more specific in that space so it should fire it down the tunnel =
for their allocated customer block (/28) vs. their external side. =20
Thoughts and thanks in advance.
Eric
