Question about migrating to IPv6 with multiple upstreams.

Ray Soucy rps at maine.edu
Tue Jun 14 17:34:26 UTC 2011


I try to avoid the Obfuscation argument when I can.

I've seen people try to be smart by telling Law Enforcement that they
don't keep logs and can't point to which host was a problem behind a
NAT box, only to see Law Enforcement take all the PCs instead of the
one in question.  So it's always made me nervous.  As for the security
value; I think it's more a privacy value than anything.  But you can
accomplish almost the same thing by having those hosts use a web
proxy; which you likely want to be doing anyway so you can scan
content for threats.

I personally have no desire for it; but if someone wants to implement
it I won't stop them.

On Tue, Jun 14, 2011 at 1:28 PM, William Herrin <bill at herrin.us> wrote:
> On Tue, Jun 14, 2011 at 1:04 PM, Ray Soucy <rps at maine.edu> wrote:
>> I think in the long term telling everyone to jump into the BGP table
>> is not sustainable; and not operationally consistent with the majority
>> of SMB networks.
>>
>> A better solution; and the one I think that will be adopted in the
>> long term as soon as vendors come into the fold, is to swap out
>> RFC1918 with ULA addressing, and swap out PAT with NPT; then use
>> policy routing to handle load balancing and failover the way most
>> "dual WAN" multifunction firewalls do today.
>>
>> Example:
>>
>> Each provider provides a 48-bit prefix;
>>
>> Internally you use a ULA prefix; and set up prefix translation so that
>> the prefix gets swapped appropriately for each uplink interface.  This
>> provides the benefits of "NAT" used today; without the drawback of
>> having to do funky port rewriting and restricting incoming traffic to
>> mapped assignments or UPnP.
>
> Hi Ray,
>
> There's a nuance here you've missed.
>
> There are two main reasons for ULA inside the network:
>
> 1. Address stability (simplifies network management)
> 2. Source obfuscation (improves the depth of the security plan)
>
> Option 1: Obfuscation desired.
>
> ULA inside. NAT/PAT at both borders. You don't use prefix translation
> here because prefix translation does little obfuscation: it has a 1:1
> relationship with each individual host and still reveals the internal
> routing structure.
>
> Option 2: Stability, no obfuscation desired.
>
> ULA inside, prefix translation at both borders.
>
> Option 3: Neither stability nor obfuscation required.
>
> GUA from one of the providers inside. Prefix translation to the other
> provider for the connections desired out that border. Giving the hosts
> real GUA addresses maximizes application compatibility.
>
> Regards,
> Bill Herrin
>
>
> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
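Worked example of the ULA-plus-NPT arrangement discussed in the thread, added here as an illustration (not code from the thread, from Ray, or from Bill). It implements the checksum-neutral prefix translation of RFC 6296 in Python and runs one internal host through two uplink translators. The ULA site prefix fd00:1234:5678::/48, the provider prefixes 2001:db8:1::/48 and 2001:db8:2::/48 and the host addresses are constructed documentation values. It shows both points made above: the mapping is stateless and port-free (each uplink just swaps the prefix and adjusts one 16-bit word so TCP/UDP checksums stay valid), and it is 1:1 per host, so internal subnet numbers survive as a constant offset in the external address and the mapping is trivially reversible, which is why it gives no source obfuscation.

```python
"""Checksum-neutral IPv6 prefix translation (NPTv6, RFC 6296) for a ULA site
with two upstreams.  Added example; all prefixes and hosts are constructed
documentation values, not taken from the original thread."""
import ipaddress


def ones_complement_sum(words):
    """RFC 1071 one's complement sum of 16-bit words, folded to 16 bits."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total  # 0x0000 and 0xFFFF both represent zero


def words_of(addr):
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    v = int(ipaddress.IPv6Address(addr))
    return [(v >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(words):
    v = 0
    for w in words:
        v = (v << 16) | w
    return ipaddress.IPv6Address(v)


class NPTv6:
    """Stateless 1:1 mapping between an internal and an external prefix."""

    def __init__(self, internal_prefix, external_prefix):
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("RFC 6296 maps prefixes of equal length")
        self.plen = self.internal.prefixlen
        # One's complement difference (internal - external) of the prefix sums;
        # adding it to one word of the address keeps transport checksums valid.
        in_sum = ones_complement_sum(words_of(self.internal.network_address))
        ex_sum = ones_complement_sum(words_of(self.external.network_address))
        self.adjustment = ones_complement_sum([in_sum, (~ex_sum) & 0xFFFF])

    def _map(self, addr, new_prefix, adjustment):
        mask = ((1 << self.plen) - 1) << (128 - self.plen)
        host_bits = int(ipaddress.IPv6Address(addr)) & ~mask
        words = words_of(int(new_prefix.network_address) | host_bits)
        if self.plen <= 48:
            idx = 3  # subnet field, bits 48..63 (RFC 6296 section 3.3)
        else:
            # Longer prefixes: first IID word that is not 0xFFFF (section 3.4)
            candidates = [i for i in range(4, 8) if words[i] != 0xFFFF]
            if not candidates:
                raise ValueError("no IID word can absorb the adjustment; drop packet")
            idx = candidates[0]
        s = ones_complement_sum([words[idx], adjustment])
        words[idx] = 0x0000 if s == 0xFFFF else s  # write the canonical zero
        return from_words(words)

    def outbound(self, addr):
        """Internal (ULA) source address -> external (provider) address."""
        return self._map(addr, self.external, self.adjustment)

    def inbound(self, addr):
        """External destination address -> internal address (negated adjustment)."""
        return self._map(addr, self.internal, (~self.adjustment) & 0xFFFF)


def checksum_neutral(a, b):
    """True if both addresses contribute the same value to a pseudo-header checksum."""
    sa, sb = ones_complement_sum(words_of(a)), ones_complement_sum(words_of(b))
    return (sa % 0xFFFF) == (sb % 0xFFFF)


def translate_for_uplinks(site_prefix, uplink_prefixes, internal_addr):
    """Map one internal host address through each uplink's translator.

    Returns {uplink_prefix: external_addr_string}; policy routing decides which
    uplink (and therefore which translator) a given flow actually leaves by.
    """
    return {up: str(NPTv6(site_prefix, up).outbound(internal_addr))
            for up in uplink_prefixes}


if __name__ == "__main__":
    SITE = "fd00:1234:5678::/48"                      # constructed ULA /48
    UPLINKS = ["2001:db8:1::/48", "2001:db8:2::/48"]  # constructed provider /48s
    for host in ("fd00:1234:5678:10::1", "fd00:1234:5678:20::abcd"):
        print(host, "->", translate_for_uplinks(SITE, UPLINKS, host))
```

Running it shows the two internal subnets 0x0010 and 0x0020 becoming 0x3803 and 0x3813 behind uplink A: the offset between them is unchanged, and the inbound mapping recovers the original address exactly, which is the 1:1 property that makes NPT useful for stability and useless for hiding hosts.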



