IPv6 fc00::/7 - Unique local addresses

George Bonser gbonser at seven.com
Thu Oct 21 18:27:25 UTC 2010



> -----Original Message-----
> From: Owen DeLong [mailto:owen at delong.com]
> Sent: Thursday, October 21, 2010 5:26 AM
> To: Ray Soucy
> Cc: NANOG list
> 
> If you're using IPv4 with multiple providers giving you different NAT
> pools, then, you're looking at outbound, not inbound resiliency and
> the DNS stuff you described is irrelevant. As long as your outbound
> gateway(s) have some way to detect provider down-ness (all the
> same tactics that work for IPv4 here work for IPv6 with pretty much
> the same flaws), you can do the same thing. The difference is that
> in IPv6, you have to tell the hosts which IPv6 source prefix to use.
> The easy way to do that is to alter the desired/valid lifetimes in
> your internal RAs accordingly. This isn't hard to script.

That doesn't really work because both of your providers may be "up" but
one of them is not reachable by the network at the other end.  You
cannot predict ahead of time which address a remote network will be able
to reach.  Being multihomed with one block of addresses solves that
problem in that as long as the distant end is getting routing
information originated by either of the upstreams, you are good.  Also,
announcing two network blocks for the same service is a bad idea.  If
one becomes unreachable while a transaction is in progress, you can't
fail over until the connection times out and it reconnects on the other
IP.  And if the application at the other end is some "secure" java
application, it might cache that unreachable IP forever until the
application is bounced or until its default cache TTL expires which
might be a different TTL than in the DNS information.


> If you're using IPv4 with BGP and advertising the same prefix(es)
> to multiple providers, the same thing works in IPv6 with nearly
> identical processes.

Yeah, that's the only way that really works.  

> 
> I don't see what NAT gives you for EITHER of those things.

Ok, say you have your machines multinetted with two GUA nets on the same
interface. Which IP does the application choose to source traffic from
when it originates an outbound connection to the world?  You can't
predict which one is "broken" somewhere along the path.  Load balancing
inbound is a much simpler model than load balancing outbound and unless
you want to push your entire BGP table down to the host, well, it just
doesn't work.

What *does* work is having your internal net addressed in some stable
way that doesn't change when your upstream changes and in IPv4 you
simply change your NAT pools to reflect the change. Done, your entire
network is "renumbered" as far as the Internet is concerned.  If your
hosts are numbered in PA space, changing providers means potentially
touching the configurations of all machines.  A network provider will
love that because it discourages customers from changing providers and
makes the customer stickier to them. A customer might not feel so
comfortable about that and want more independence of the provider's
network.
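
Added example (editor's illustration, not part of the original post or anything either poster wrote): the "alter the lifetimes in your internal RAs" mechanism quoted above works because a host's source address selection (RFC 6724) avoids deprecated addresses (Rule 3) and otherwise prefers the longest matching prefix (Rule 8), and an RA Prefix Information Option with preferred lifetime 0 deprecates every address the host formed in that prefix (RFC 4862 section 5.5.3). The simulation below models only those two rules for a dual-GUA host; the 2001:db8::/32 prefixes, the host and destination addresses, and the function names are constructed for the example. Note what the model does not contain: any knowledge of whether the far end can actually reach the chosen prefix, which is exactly the gap the reply points at.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Candidate:
    """One IPv6 address configured on the host's interface (constructed model)."""
    address: ipaddress.IPv6Address
    preferred: bool  # True while the RA-advertised preferred lifetime has not expired


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    """Number of leading bits a and b share (CommonPrefixLen in RFC 6724)."""
    diff = int(a) ^ int(b)
    return 128 - diff.bit_length()


def select_source(candidates, destination: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Simplified RFC 6724 source selection for two global-unicast candidates.

    With two GUA addresses, the scope and label rules cannot separate them, so
    only Rule 3 (avoid deprecated addresses) and Rule 8 (longest matching
    prefix) matter here. Ties keep the interface's configured order, i.e. the
    first candidate wins. Nothing here consults path reachability.
    """
    pool = [c for c in candidates if c.preferred] or list(candidates)  # Rule 3
    return max(pool, key=lambda c: common_prefix_len(c.address, destination)).address  # Rule 8


def apply_ra(candidates, prefix: str, preferred_lifetime: int):
    """Simulate the host processing one Prefix Information Option from an RA.

    RFC 4862 section 5.5.3: a preferred lifetime of 0 immediately deprecates
    the addresses the host formed in that prefix; a non-zero value makes them
    preferred again. Addresses outside the prefix are untouched.
    """
    net = ipaddress.IPv6Network(prefix)
    return [replace(c, preferred=preferred_lifetime > 0) if c.address in net else c
            for c in candidates]


def example_host():
    """Constructed sample host with one PA address from each provider
    (documentation prefixes, not real allocations)."""
    return [
        Candidate(ipaddress.IPv6Address("2001:db8:1::10"), preferred=True),  # via provider A
        Candidate(ipaddress.IPv6Address("2001:db8:2::10"), preferred=True),  # via provider B
    ]


if __name__ == "__main__":
    host = example_host()
    # A destination that shares no more prefix bits with one PA block than the other:
    # Rule 8 ties, so the host simply sources from provider A's address.
    far = ipaddress.IPv6Address("2001:db8:ffff::1")
    print("before RA:", select_source(host, far))
    # The gateway decides provider A is "down" and re-advertises its prefix with
    # preferred lifetime 0; the host now sources from provider B's address.
    host = apply_ra(host, "2001:db8:1::/64", preferred_lifetime=0)
    print("after RA: ", select_source(host, far))
```

Real stacks apply the full RFC 6724 rule set (including Rule 5.5, preferring a prefix advertised by the chosen next-hop router), so the deprecation trick composes with router selection on a multi-router LAN; the point of the model is that every input to the decision is local to the host and its routers, not the remote network's view of either prefix.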

