NAT66 was Re: using "reserved" IPv6 space

Owen DeLong owen at delong.com
Tue Jul 17 04:31:42 UTC 2012


Think HA pairs in Pittsburgh, Dallas, and San Jose.

Now imagine each has different upstream connectivity and the backbone
network connecting all the corporate sites lives inside those firewalls.

The real solution to this is to move the backbone outside of the firewalls
and connect the internal networks via VPNS that ride the external backbone
and can be routed over the internet safely when a backbone link fails.

However, this still requires some interesting effort in terms of source address
selection, routing, etc. in order to avoid triangle routing out of the firewall
in Pittsburgh resulting in a return trying to come in via Dallas or San Jose.

I think in IPv6, as firewall vendors begin to mature their products, we'll
either see a departure from stateful inspection, or, more likely an ability
to set up HA clusters across diverse geography where state tables are
kept in sync across the WAN.

Owen

On Jul 16, 2012, at 7:56 PM, Grant Ridder wrote:

> If you are running an HA pair, why would you care which box it went back
> through?
> 
> -Grant
> 
> On Monday, July 16, 2012, Mark Andrews wrote:
> 
>> 
>> In message <CAD8GWsswFwnPKTfxt=squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ at mail.gmail.com>, Lee
>> writes:
>>> On 7/16/12, Owen DeLong <owen at delong.com> wrote:
>>>> 
>>>> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
>> being
>>>> able to eliminate NAT. NAT was a necessary evil for IPv4 address
>>>> conservation. It has no good use in IPv6.
>>> 
>>> NAT is good for getting the return traffic to the right firewall.  How
>>> else do you deal with multiple firewalls & asymmetric routing?
>> 
>> Traffic goes where the routing protocols direct it.  NAT doesn't
>> help this and may actually hinder as the source address cannot be
>> used internally to direct traffic to the correct egress point.
>> 
>> Instead you need internal routers that have to try to track traffic
>> flows rather than making simple decisions based on source and
>> destination addresses.
>> 
>> Applications that use multiple connections may not always end up
>> with consistent external source addresses.
>> 
>>> Yes, it's possible to get traffic back to the right place without NAT.
>>> But is it as easy as just NATing the outbound traffic at the
>>> firewall?
>> 
>> It can be and it can be easier to debug without NAT mangling
>> addresses.
>> 
>> The only thing helpful NAT66 does is delay the externally visible
>> source address selection until the packet passes the NAT66 box.
>> 
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>> 
>> 
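The following is an added toy model, not code from anyone in this thread, that plays out the three positions above: independent stateful firewalls (Lee's asymmetric-routing problem), NAT66 at each firewall (Lee's workaround), and state tables kept in sync across sites (what Owen expects vendors to deliver). All prefixes and addresses are constructed from the 2001:db8::/32 documentation range; the "upstream" is a one-function stand-in that, when both firewalls announce the same prefix, happens to prefer firewall B, which is the asymmetric case. It also reproduces Mark's caveat that a host whose connections leave via different NAT66 boxes ends up with different external source addresses.

```python
"""Toy model of stateful firewall pairs vs. asymmetric return routing.

Constructed example (not from the NANOG thread): firewall A and B sit at
two sites with different upstreams. A flow leaves via A; the upstream may
hand the reply to B. Strategies compared:
  "independent": each firewall keeps its own state table.
  "nat66":       each firewall rewrites the source into its own prefix,
                 pinning the return path to itself.
  "synced":      both firewalls share one state table (state sync over WAN).
"""
from dataclasses import dataclass
import ipaddress

INTERNAL = "2001:db8:abcd::/48"      # constructed corporate prefix
HOST = "2001:db8:abcd:1::10"         # constructed internal client
SERVER = "2001:db8:ffff::80"         # constructed external server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reverse(self):
        """The packet the far end would send back for this one."""
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)

    @property
    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class StatefulFirewall:
    def __init__(self, name, announced, nat_prefix=None, shared_state=None):
        self.name = name
        self.announced = ipaddress.IPv6Network(announced)   # what the upstream routes to us
        self.nat_prefix = ipaddress.IPv6Network(nat_prefix) if nat_prefix else None
        self.state = shared_state if shared_state is not None else {}  # expected-reply flows
        self.nat_table = {}                                 # reply flow -> original inside src

    def outbound(self, pkt):
        """Inside -> outside: record the expected reply, optionally NAT the source."""
        if self.nat_prefix:
            # Map the low 16 bits of the inside address into this box's own prefix.
            suffix = int(ipaddress.IPv6Address(pkt.src)) & 0xFFFF
            ext = str(self.nat_prefix[suffix])
            pkt_out = Packet(ext, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
            self.nat_table[pkt_out.reverse().flow] = pkt.src
        else:
            pkt_out = pkt
        self.state[pkt_out.reverse().flow] = self.name
        return pkt_out

    def inbound(self, pkt):
        """Outside -> inside: drop unless the reply matches known state; undo NAT."""
        if pkt.flow not in self.state:
            return None
        inside = self.nat_table.get(pkt.flow)
        if inside:
            return Packet(pkt.src, inside, pkt.sport, pkt.dport, pkt.proto)
        return pkt


def route_return(pkt, firewalls, default):
    """Stand-in upstream: longest-match is trivial here, so deliver to the single
    firewall announcing dst, or fall back to the upstream's own preference."""
    dst = ipaddress.IPv6Address(pkt.dst)
    matches = [fw for fw in firewalls if dst in fw.announced]
    return matches[0] if len(matches) == 1 else default


def build(strategy):
    if strategy == "nat66":
        return (StatefulFirewall("A", "2001:db8:aaaa::/48", nat_prefix="2001:db8:aaaa::/48"),
                StatefulFirewall("B", "2001:db8:bbbb::/48", nat_prefix="2001:db8:bbbb::/48"))
    shared = {} if strategy == "synced" else None
    return (StatefulFirewall("A", INTERNAL, shared_state=shared),
            StatefulFirewall("B", INTERNAL, shared_state=shared))


def run(strategy):
    """Returns (firewall the reply reached, whether it was delivered to HOST)."""
    fw_a, fw_b = build(strategy)
    out = fw_a.outbound(Packet(HOST, SERVER, 40000, 443))   # flow leaves via A
    reply = out.reverse()                                   # server answers
    ingress = route_return(reply, [fw_a, fw_b], default=fw_b)  # upstream prefers B
    delivered = ingress.inbound(reply)
    return ingress.name, delivered is not None and delivered.dst == HOST


def external_sources(strategy):
    """Mark's caveat: the same host, two connections, two egress boxes."""
    fw_a, fw_b = build(strategy)
    first = fw_a.outbound(Packet(HOST, SERVER, 40000, 443))
    second = fw_b.outbound(Packet(HOST, SERVER, 40001, 443))
    return {first.src, second.src}


if __name__ == "__main__":
    for s in ("independent", "nat66", "synced"):
        print(s, run(s), external_sources(s))
```

Running it shows the reply landing on B and being dropped with independent state tables, being pinned back to A under NAT66 (at the cost of two distinct external addresses when the host's connections leave via different boxes), and being accepted on B once the state table is shared. The NAT mapping and the upstream's tie-break are deliberately simplistic; the point is the interaction between state location and return-path selection, not any vendor's implementation.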
