[181834] in North American Network Operators' Group


Re: Dual stack IPv6 for IPv4 depletion

daemon@ATHENA.MIT.EDU (Josh Moore)
Sun Jul 5 16:17:27 2015

X-Original-To: nanog@nanog.org
From: Josh Moore <jmoore@atcnetworks.net>
To: Mel Beckman <mel@beckman.org>
Date: Sun, 5 Jul 2015 20:17:22 +0000
In-Reply-To: <96DBE341-4C88-4139-AA4E-01117340EE45@beckman.org>
Cc: "johnl@iecc.com" <johnl@iecc.com>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Theoretically it should be possible with this on MPLS enabled devices. The "HA link" could then ride on top of the MPLS core redundancy alongside public outside NAT traffic and inside private traffic.

The good thing is that most of my customer access (DSL, cable, T1) is designed with established distribution points. Implementing sectional CGN at those points would be a good first step. We need to just get the policy side of things worked out on how we are going to automate the provisioning internally.

Thanks for all the input.

Thanks,

Joshua Moore
Network Engineer
ATC Broadband
912.632.3161

> On Jul 5, 2015, at 3:55 PM, Mel Beckman <mel@beckman.org> wrote:
>
> Many firewalls will do state sync across an HA link. This works fine as long as you use BGP to ensure internet routing of your IPv4 to all gateways. But then the HA link is the single point of failure. I think the best you can hope for is that the importance of IPv4 NAT will diminish over time. One day it will be just a memory, like SNA :)
>
> -mel beckman
>
>> On Jul 5, 2015, at 12:37 PM, Josh Moore <jmoore@atcnetworks.net> wrote:
>>
>> I was hoping to find a solution that maybe utilized some kind of session sync or something of that matter allowing for multiple entry and exit points (asymmetric routing).
>>
>> Thanks,
>>
>> Joshua Moore
>> Network Engineer
>> ATC Broadband
>> 912.632.3161
>>
>>> On Jul 5, 2015, at 3:10 PM, Owen DeLong <owen@delong.com> wrote:
>>>
>>> A NAT box is a central point of failure for which the only cure is to not do NAT.
>>>
>>> You can get clustered NAT boxes (Juniper, for example), but that just makes a bigger central point of failure.
>>>
>>> Owen
>>>
>>>> On Jul 5, 2015, at 11:49 , Josh Moore <jmoore@atcnetworks.net> wrote:
>>>>
>>>> The point I am concerned about is a central point of failure.
>>>>
>>>> Thanks,
>>>>
>>>> Joshua Moore
>>>> Network Engineer
>>>> ATC Broadband
>>>> 912.632.3161
>>>>
>>>>> On Jul 5, 2015, at 2:46 PM, Owen DeLong <owen@delong.com> wrote:
>>>>>
>>>>> Not necessarily. But what I am telling you is that whatever goes out NAT gateway A has to come back in through NAT gateway A.
>>>>>
>>>>> You can build whatever topology you want on either side of that and nothing says B has to be any where near A.
>>>>>
>>>>> Owen
>>>>>
>>>>>> On Jul 5, 2015, at 11:25 , Josh Moore <jmoore@atcnetworks.net> wrote:
>>>>>>
>>>>>> So basically what you are telling me is that the NAT gateway needs to be centrally aggregated.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Joshua Moore
>>>>>> Network Engineer
>>>>>> ATC Broadband
>>>>>> 912.632.3161
>>>>>>
>>>>>>> On Jul 5, 2015, at 1:29 PM, Owen DeLong <owen@delong.com> wrote:
>>>>>>>
>>>>>>> If you want to keep that, then you'll need a public backbone network that joins all of your NATs and you'll need to have your NATs use unique exterior address pools.
>>>>>>>
>>>>>>> Load balancing a single session across multiple NATs isn't really possible.
>>>>>>>
>>>>>>> Owen
>>>>>>>
>>>>>>>> On Jul 5, 2015, at 08:11 , Josh Moore <jmoore@atcnetworks.net> wrote:
>>>>>>>>
>>>>>>>> Performing the NAT on the border routers is not a problem. The problem comes into play where the connectivity is not symmetric. Multiple entry/exit points to the Internet and some are load balanced. We'd like to keep that architecture too as it allows for very good protection in an internet link failure scenario and provides BGP best path connectivity.
>>>>>>>>
>>>>>>>> So traffic comes in ISP A might leave ISP B or traffic coming in ISP A may come in ISP B simultaneously.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Joshua Moore
>>>>>>>> Network Engineer
>>>>>>>> ATC Broadband
>>>>>>>> 912.632.3161
>>>>>>>>
>>>>>>>>> On Jul 5, 2015, at 10:43 AM, Mel Beckman <mel@beckman.org> wrote:
>>>>>>>>>
>>>>>>>>> WISPs have been good at solving this, as they are often deploying greenfield networks. They use private IPv4 internally and NAT IPv4 at multiple exit points. IPv6 is seamlessly redundant, since customers all receive global /64s; BGP handles failover. If you home multiple upstream providers on a single NAT gateway hardware stack, redundancy is also seamless, since your NAT tables are synced across redundant stack members. If you have separate stacks, or even sites, IPv4 can fail over to an alternate NAT Border gateway but will lose session contexts, unless you go to the trouble of syncing the gateways. Most WISPs don't.
>>>>>>>>>
>>>>>>>>> -mel beckman
>>>>>>>>>
>>>>>>>>>> On Jul 5, 2015, at 7:25 AM, Josh Moore <jmoore@atcnetworks.net> wrote:
>>>>>>>>>>
>>>>>>>>>> So the question is: where do you perform the NAT and how can it be redundant?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Joshua Moore
>>>>>>>>>> Network Engineer
>>>>>>>>>> ATC Broadband
>>>>>>>>>> 912.632.3161
>>>>>>>>>>
>>>>>>>>>>> On Jul 5, 2015, at 10:12 AM, Mel Beckman <mel@beckman.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Josh,
>>>>>>>>>>>
>>>>>>>>>>> Your job is simple, then. Deliver dual-stack to your customers and if they want IPv6 they need only get an IPv6-enabled firewall. Unless you're also an IT consultant to your customers, your job is done. If you already supply the CPE firewall, then you need only turn on IPv6 for customers who request it. With the right kind of CPE, you can run MPLS or EoIP and deliver public IPv4 /32s to customers willing to pay for them. Otherwise it's private IPv4 and NAT as usual for IPv4 traffic.
>>>>>>>>>>>
>>>>>>>>>>> -mel via cell
>>>>>>>>>>>
>>>>>>>>>>>> On Jul 5, 2015, at 6:57 AM, Josh Moore <jmoore@atcnetworks.net> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> We are the ISP and I have a /32 :)
>>>>>>>>>>>>
>>>>>>>>>>>> I'm simply looking at the best strategy for migrating my subscribers off v4 from the perspective of solving the address utilization crisis while still providing compatibility for those one-off sites and services that are still on v4.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>
>>>>>>>>>>>> Joshua Moore
>>>>>>>>>>>> Network Engineer
>>>>>>>>>>>> ATC Broadband
>>>>>>>>>>>> 912.632.3161
>>>>>>>>>>>>
>>>>>>>>>>>> On Jul 5, 2015, at 9:55 AM, Mel Beckman <mel@beckman.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Josh Moore wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Tunnels behind a CPE and 4to6 NAT seem like bandaid fixes as they do not give the benefit of true end to end IPv6 connectivity in the sense of every device has a one to one global address mapping.
>>>>>>>>>>>>>
>>>>>>>>>>>>> No, tunnels do give you one to one global IPv6 address mapping for every device. From a testing perspective, a tunnelbroker works just as if you had a second IPv6-only ISP. If you're fortunate enough to have a dual-stack ISP already, you can forgo tunneling altogether and just use an IPv6-capable border firewall.
>>>>>>>>>>>>>
>>>>>>>>>>>>> William Waites wrote:
>>>>>>>>>>>>>> I was helping my friend who likes Apple things connect to the local community network. He wanted to use an Airport as his home gateway rather than the router that we normally use. Turns out these things can *only* do IPv6 with tunnels and cannot do IPv6 on PPPoE. Go figure. So there is not exactly a clear path to native IPv6 for your lab this way.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Nobody is recommending the Apple router as a border firewall. It's terrible for that. But it's a ready-to-go tunnelbroker gateway. If your ISP can't deliver IPv6, tunneling is the clear path to building a lab. If you have a dual-stack ISP already, the clear path is to use an IPv6-capable border firewall.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So you are in a maze of non-twisty paths, all alike :)
>>>
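The three outcomes the thread argues over, as an added Python model that is not code from any poster: a reply that reaches a gateway holding no session state is dropped; state synced over an HA link lets the other gateway translate it; unique exterior pools joined by a public backbone let the receiving gateway hand the reply to the pool's owner. Gateway names, addresses and the port range are constructed.

```python
import itertools
from dataclasses import dataclass, field

# Constructed scenario: two NAT gateways with unique exterior pools, one
# inside host, and a reply that BGP best path delivers to the "other" gateway.


@dataclass
class NatGateway:
    name: str
    pool: str                                   # unique exterior address
    table: dict = field(default_factory=dict)   # (ext_ip, ext_port) -> (in_ip, in_port)
    ports: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, inside_ip, inside_port):
        """Translate an outbound flow and record the session locally."""
        ext_port = next(self.ports)
        self.table[(self.pool, ext_port)] = (inside_ip, inside_port)
        return self.pool, ext_port

    def inbound(self, ext_ip, ext_port, backbone=None):
        """Deliver a reply: use local state, else hand it over the backbone to
        the gateway that owns the exterior address, else drop (return None)."""
        if (ext_ip, ext_port) in self.table:
            return self.table[(ext_ip, ext_port)]
        if backbone is not None:
            owner = backbone.get(ext_ip)
            if owner is not None and owner is not self:
                return owner.inbound(ext_ip, ext_port)
        return None


def sync_state(src, dst):
    """Copy session state over an HA link (firewall-style state sync)."""
    dst.table.update(src.table)


def asymmetric_reply(mode):
    """Flow leaves via gateway A; the reply arrives at gateway B.
    mode is 'none', 'sync' or 'backbone'; returns the inside endpoint or None."""
    gw_a = NatGateway("A", "203.0.113.10")
    gw_b = NatGateway("B", "198.51.100.10")
    ext_ip, ext_port = gw_a.outbound("10.0.0.5", 51234)
    if mode == "sync":
        sync_state(gw_a, gw_b)
    backbone = {gw_a.pool: gw_a, gw_b.pool: gw_b} if mode == "backbone" else None
    return gw_b.inbound(ext_ip, ext_port, backbone)
```

In 'backbone' mode the reply still has to traverse the backbone to A, so A remains the point of failure for that session; only 'sync' lets B finish the session on its own.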