Re: IPv6 fc00::/7 — Unique local addresses

Allen Smith lazlor at lotaris.org
Thu Oct 21 16:29:40 UTC 2010


Hi All,

I've inherited a small network with a couple of Internet connections through
different providers, I'll call them Slow and Fast.

We use RFC 1918 space internally and have a pair of external firewalls that
handle NAT and such.

Due to internal policy (read money), some users default to the Slow
connection and some default to Fast. Using probes and policy routing, a
failure of one of the ISPs is generally transparent, outside of the usual
session resets for things like ssh or remote control sessions.

Looking forward to the next 12 months, we may have clients that are living
in IPv6 space. Our ISPs are happy to give us IPv6 allocations and our
network gear vendors either have GA IPv6 code now or will soon.

We have been somewhat spoiled by our firewall/NAT boxes, the stuff just
works for our needs and the combination of NAT and policy routing keeps
people on the circuits they are paying for. Am trying to decide how I would
implement this kind of policy in the new world of globally
trackable^H^H^H^H^H^H^H routable IPs for my desktops. Solutions seem to be:

1) Purchase some BGP capable routers, grab PI space. Here I can obv choose
outbound path, but we are typical in that our inbound to outbound is 6 or 7
to 1.

2) Assign PA space from the ISPs to the appropriate devices. What do I do
when I lose a provider?

3) Make loud noises to my firewall vendor to include equivalent NAT/ISP
failover functionality (even 6to6 NAT would be fine).

Anyway, another sample of 1, but I do work for a managed services provider
and see many small orgs facing similar choices. I personally am happy to
use globally routable addresses and will work through the privacy and
perceived security implications of NAT/nonat, I just want the same ease of
use and flexibility I have today in a SMB environment.

Cheers,
-Allen


