Failover IPv6 with multiple PA prefixes (Was: IPv6 fc00::/7 -Unique local addresses)

George Bonser gbonser at seven.com
Fri Oct 22 03:20:25 UTC 2010
> From: Leo Bicknell 
> Sent: Thursday, October 21, 2010 7:53 PM
> To: NANOG list
> Subject: Re: Failover IPv6 with multiple PA prefixes (Was: IPv6
> fc00::/7 -Unique local addresses)
> 
> What makes it all possible is the same prefix length internally and
> from all providers.  It's a reason why /48 could be important.

Right.  /48 is the secret sauce in that.  What you could do is:

Assume a new connection to a destination you have not spoken to yet.
SYN arrives from the inside machine trying to connect out. NAT box sends
a SYN from each of the NATed IPs for the upstream providers.  The one
that returns first "wins" and that is the prefix you use to NAT that
connection, the other one gets RST.  You remember which upstream is
associated with that connection for some period of time and reuse it.
After some period of time elapses you would "forget" and test again on a
new connection attempt.  That at least gives you assurance the remote
site has a path back to that IP and you are going with the higher
performing path.  You might even have an option to "nail" certain inside
IPs to a certain path or certain remote destinations to a certain path.

> Given all effort put into "better" multihoming in IPv6 I'm really
> surprised this simple solution which basically exists in code today
> (porting an IPv4 NAT to IPv6, if there is no PAT, is easy).

It would seem that simply translating the source /48 would be simple
enough but would probably break something.  It might break some Microsoft
secure connection protocols where the IP in the header doesn't match the
IP reported inside the packet, but that could probably be fixed, too.
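The "race, remember, forget, re-race" selection described above, as an added simulation that is not code from this post or from any NAT product. Provider names, the destination addresses, the RTT table that stands in for the SYN race, and the `PathSelector` class are all constructed for illustration; a real box would send the SYNs and RST the losers, which is modelled here by a `probe` callback returning an RTT or `None`.

```python
"""Simulated upstream-prefix selection for a NAT box with two PA /48s.

Added example; not from the post or any product. Everything below is
constructed: provider names, destination addresses, and the RTT table
that stands in for racing a SYN out of each provider's prefix.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# probe(provider, dest) -> RTT in seconds if a SYN/ACK came back via that
# provider, or None if that provider's path never answered.
Probe = Callable[[str, str], Optional[float]]


@dataclass
class PathSelector:
    providers: list[str]
    probe: Probe
    ttl: float = 300.0                     # how long a won race is remembered
    cache: dict[str, tuple[str, float]] = field(default_factory=dict)
    pinned_inside: dict[str, str] = field(default_factory=dict)  # inside IP -> provider
    pinned_dest: dict[str, str] = field(default_factory=dict)    # destination -> provider

    def race(self, dest: str) -> Optional[str]:
        """Race all providers; the fastest SYN/ACK wins, the others would be RST."""
        results = []
        for provider in self.providers:
            rtt = self.probe(provider, dest)
            if rtt is not None:
                results.append((rtt, provider))
        if not results:
            return None                    # no upstream has a path back at all
        return min(results, key=lambda r: r[0])[1]

    def select(self, inside_ip: str, dest: str, now: float) -> Optional[str]:
        """Pick the provider prefix to NAT this new connection to."""
        if inside_ip in self.pinned_inside:     # operator "nailed" this host
            return self.pinned_inside[inside_ip]
        if dest in self.pinned_dest:            # operator "nailed" this destination
            return self.pinned_dest[dest]
        entry = self.cache.get(dest)
        if entry is not None and entry[1] > now:
            return entry[0]                     # remembered winner still valid
        winner = self.race(dest)                # forgotten or never seen: race again
        if winner is None:
            self.cache.pop(dest, None)
        else:
            self.cache[dest] = (winner, now + self.ttl)
        return winner


# Constructed reachability table: dest -> {provider: RTT}. A missing provider
# means the remote site has no route back to that provider's PA prefix.
CONSTRUCTED_RTT = {
    "2001:db8:100::1": {"isp_a": 0.020, "isp_b": 0.035},
    "2001:db8:200::1": {"isp_b": 0.050},
    "2001:db8:300::1": {},
}


def make_selector(rtt_table: dict, ttl: float = 300.0) -> PathSelector:
    """Build a selector whose probe reads RTTs from the given (constructed) table."""
    def table_probe(provider: str, dest: str) -> Optional[float]:
        return rtt_table.get(dest, {}).get(provider)
    sel = PathSelector(providers=["isp_a", "isp_b"], probe=table_probe, ttl=ttl)
    sel.pinned_inside["2001:db8:1::10"] = "isp_b"  # hypothetical nailed inside host
    return sel


def demo() -> list[Optional[str]]:
    """Walk through race, cache hit, expiry with a degraded path, and pinning."""
    table = {d: dict(v) for d, v in CONSTRUCTED_RTT.items()}  # private copy
    sel = make_selector(table, ttl=300.0)
    host, dest = "2001:db8:1::20", "2001:db8:100::1"
    out = [sel.select(host, dest, now=0)]       # race: isp_a (20 ms) beats isp_b
    out.append(sel.select(host, dest, now=100))  # cached, no race
    table[dest]["isp_a"] = 0.200                 # isp_a path degrades
    out.append(sel.select(host, dest, now=200))  # still within ttl: keeps isp_a
    out.append(sel.select(host, dest, now=400))  # forgotten: re-race picks isp_b
    out.append(sel.select(host, "2001:db8:200::1", now=0))  # only isp_b answers
    out.append(sel.select(host, "2001:db8:300::1", now=0))  # nobody answers: None
    out.append(sel.select("2001:db8:1::10", dest, now=0))   # pinned inside host
    return out


if __name__ == "__main__":
    print(demo())
```

The ttl is the trade-off the post hints at: a long one keeps the NAT from re-racing every destination, a short one notices a degraded or dead upstream sooner (the third and fourth decisions in `demo` show both sides).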