Question about migrating to IPv6 with multiple upstreams.
rps at maine.edu
Tue Jun 14 17:34:26 UTC 2011
I try to avoid the Obfuscation argument when I can.

I've seen people try to be smart by telling Law Enforcement that they
don't keep logs and can't point to which host was a problem behind a
NAT box, only to see Law Enforcement take all the PCs instead of the
one in question. So it's always made me nervous. As for the security
value; I think it's more a privacy value than anything. But you can
accomplish almost the same thing by having those hosts use a web
proxy; which you likely want to be doing anyway so you can scan
content for threats.

I personally have no desire for it; but if someone wants to implement
it I won't stop them.
On Tue, Jun 14, 2011 at 1:28 PM, William Herrin <bill at herrin.us> wrote:
> On Tue, Jun 14, 2011 at 1:04 PM, Ray Soucy <rps at maine.edu> wrote:
>> I think in the long term telling everyone to jump into the BGP table
>> is not sustainable; and not operationally consistent with the majority
>> of SMB networks.
>>
>> A better solution; and the one I think that will be adopted in the
>> long term as soon as vendors come into the fold, is to swap out
>> RFC1918 with ULA addressing, and swap out PAT with NPT; then use
>> policy routing to handle load balancing and failover the way most
>> "dual WAN" multifunction firewalls do today.
>>
>> Each provider provides a 48-bit prefix;
>> Internally you use a ULA prefix; and set up prefix translation so that
>> the prefix gets swapped appropriately for each uplink interface. This
>> provides the benefits of "NAT" used today; without the drawback of
>> having to do funky port rewriting and restricting incoming traffic to
>> mapped assignments or UPnP.
> Hi Ray,
>
> There's a nuance here you've missed.
>
> There are two main reasons for ULA inside the network:
>
> 1. Address stability (simplifies network management)
> 2. Source obfuscation (improves the depth of the security plan)
>
> Option 1: Obfuscation desired.
>
> ULA inside. NAT/PAT at both borders. You don't use prefix translation
> here because prefix translation does little obfuscation: it has a 1:1
> relationship with each individual host and still reveals the internal
> routing structure.
>
> Option 2: Stability, no obfuscation desired.
>
> ULA inside, prefix translation at both borders.
>
> Option 3: Neither stability nor obfuscation required.
>
> GUA from one of the providers inside. Prefix translation to the other
> provider for the connections desired out that border. Giving the hosts
> real GUA addresses maximizes application compatibility.
> Bill Herrin
> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
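The two points argued in the thread, that prefix translation needs no port rewriting and that it is a 1:1 mapping which keeps the internal subnet structure visible, can both be seen in a few lines of code. The example below is added here and is not from the thread or any product; it is a minimal stateless /48-to-/48 NPTv6 translator written in the style of RFC 6296 section 3.2, with two upstreams (a constructed ULA prefix inside and two documentation-range 2001:db8::/32 prefixes standing in for the providers).

```python
import ipaddress
from functools import reduce

def _words(addr):
    """Split an IPv6Address into its eight 16-bit words."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]

def _ones_add(a, b):
    """16-bit one's complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

class NPTv6:
    """Stateless /48 <-> /48 prefix translator in the style of RFC 6296 section 3.2."""
    def __init__(self, inside, outside):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this example only handles /48 <-> /48 translation")
        in_sum = reduce(_ones_add, _words(self.inside.network_address)[:3], 0)
        out_sum = reduce(_ones_add, _words(self.outside.network_address)[:3], 0)
        # Constant adjustment = inside_sum - outside_sum (one's complement).
        # Adding it to the subnet word keeps the 128-bit address checksum-neutral.
        self.adjust = _ones_add(in_sum, ~out_sum & 0xFFFF)

    def _translate(self, addr, src_net, dst_net, adjust):
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not in {src_net}")
        w = _words(a)
        w[:3] = _words(dst_net.network_address)[:3]  # swap the /48 prefix
        w[3] = _ones_add(w[3], adjust)               # offset the subnet word
        if w[3] == 0xFFFF:                           # RFC 6296: write 0xFFFF as 0x0000
            w[3] = 0                                 # (so subnet 0xFFFF would collide with 0)
        # Bits 64-127, the interface identifier, pass through untouched: a 1:1 mapping.
        return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

    def outbound(self, src):
        """Internal source -> external source for this upstream."""
        return self._translate(src, self.inside, self.outside, self.adjust)

    def inbound(self, dst):
        """External destination -> internal destination (subtracts the adjustment)."""
        return self._translate(dst, self.outside, self.inside, ~self.adjust & 0xFFFF)

def checksum_neutral(a, b):
    """True if both addresses contribute the same value to a TCP/UDP pseudo-header sum."""
    sums = [reduce(_ones_add, _words(ipaddress.IPv6Address(x)), 0) % 0xFFFF for x in (a, b)]
    return sums[0] == sums[1]
```

Because only the prefix and a constant offset on the subnet word change, anyone who knows the two /48s can recover the internal subnet and host identifier from the external address, which is exactly why it offers stability but not obfuscation.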
More information about the NANOG