NAT66 was Re: using "reserved" IPv6 space

Grant Ridder shortdudey123 at gmail.com
Tue Jul 17 02:56:29 UTC 2012


If you are running an HA pair, why would you care which box it went back
through?

-Grant

On Monday, July 16, 2012, Mark Andrews wrote:

>
> In message <CAD8GWsswFwnPKTfxt=
> squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ at mail.gmail.com>, Lee
> writes:
> > On 7/16/12, Owen DeLong <owen at delong.com> wrote:
> > >
> > > Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
> > > being able to eliminate NAT. NAT was a necessary evil for IPv4 address
> > > conservation. It has no good use in IPv6.
> >
> > NAT is good for getting the return traffic to the right firewall.  How
> > else do you deal with multiple firewalls & asymmetric routing?
>
> Traffic goes where the routing protocols direct it.  NAT doesn't
> help this and may actually hinder as the source address cannot be
> used internally to direct traffic to the correct egress point.
>
> Instead you need internal routers that have to try to track traffic
> flows rather than making simple decisions based on source and
> destination addresses.
>
> Applications that use multiple connections may not always end up
> with consistent external source addresses.
>
> > Yes, it's possible to get traffic back to the right place without NAT.
> > But is it as easy as just NATing the outbound traffic at the
> > firewall?
>
> It can be and it can be easier to debug without NAT mangling
> addresses.
>
> The only thing helpful NAT66 does is delay the externally visible
> source address selection until the packet passes the NAT66 box.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
>


