[178267] in North American Network Operators' Group


Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC

daemon@ATHENA.MIT.EDU (Jimmy Hess)
Mon Feb 23 22:34:04 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <B6CF52E4-C6B4-4128-ADFD-BA60BECAF94C@cctec.com>
From: Jimmy Hess <mysidia@gmail.com>
Date: Mon, 23 Feb 2015 21:33:41 -0600
To: Eric Germann <ekgermann@cctec.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Mon, Feb 23, 2015 at 9:02 AM, Eric Germann <ekgermann@cctec.com> wrote:

> In spitballing, the boat hasn’t sailed too far to say “Why not use 100.64/10 in the VPC?”

Read RFC6598.
If you can assure the conditions are met that are listed in
"4. Use of Shared CGN Space",
then usage of the 100.64/10 shared space may be applicable; under
other conditions it may be risky. The proper usage of IP addresses
is in accordance with the standards or by the registrant under the
right assignment agreements.

If you are just needing space to squat on regardless of the
standardized usage, then you might do anything you want --- you may
as well use 25/8 or 11.0.0.0/8 internally, after taking steps to
ensure you will not be leaking Reverse DNS queries, routes, or
anything like that; this space is larger than a /10 and would provide
more expansion flexibility.


> Then, the customer would be allocated a /28 or larger (depending on needs) to NAT on their side and NAT it once.  After that, no more NAT for the VPC and it boils down to firewall rules.  Their device needs to NAT outbound before it fires it down the tunnel which pfSense and ASA’s appear to be able to do.
>

--
-JH
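
An added example, not part of the original message: a Python sketch of the "do not leak reverse DNS" check for whichever internal prefix is chosen. It labels the prefix as RFC1918, RFC6598 shared space, or anything else, and lists the in-addr.arpa zones an internal resolver would have to answer locally so PTR lookups for that prefix never reach the public DNS. The function names and the sample prefixes are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")


def classify(prefix):
    """Say which kind of space an internally used IPv4 prefix comes from."""
    net = ipaddress.ip_network(prefix)
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918-private"
    if net.subnet_of(RFC6598):
        return "rfc6598-shared"
    # Everything else, including space assigned to another party.
    return "other"


def reverse_zones(prefix):
    """in-addr.arpa zones to answer locally so PTR lookups stay inside."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > 24:
        # Without classless delegation the smallest reverse zone is a /24.
        net = net.supernet(new_prefix=24)
    octets = max(1, -(-net.prefixlen // 8))  # ceil(prefixlen / 8)
    zones = []
    # Reverse zones sit on octet boundaries, so a /10 expands to 64 /16 zones.
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def plan(prefixes):
    """Map each candidate prefix to (classification, local reverse zones)."""
    return {p: (classify(p), reverse_zones(p)) for p in prefixes}


if __name__ == "__main__":
    # Constructed sample input: the prefixes named in the thread plus a
    # hypothetical per-customer /28 carved from the shared range.
    candidates = ["100.64.0.0/10", "25.0.0.0/8", "11.0.0.0/8", "100.64.1.16/28"]
    for prefix, (kind, zones) in plan(candidates).items():
        print(f"{prefix:16} {kind:16} {len(zones):3} zone(s), first: {zones[0]}")
```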
