using "reserved" IPv6 space

Owen DeLong owen at delong.com
Tue Jul 17 06:43:05 UTC 2012


On Jul 16, 2012, at 10:36 PM, Seth Mos wrote:

> Hi,
> 
> On 16 Jul 2012, at 18:34, valdis.kletnieks at vt.edu wrote the following:
> 
>> On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said:
>>> That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there
>>> if there weren't enough customers asking for it. Are all the customers naive?
>>> I doubt it. They have their reasons. I agree with your "purist" definition and
>>> did not say I was using it. My point is that vendors are still rolling out base
>>> line features even today.
>> 
>> Sorry to tell you this, but the customers *are* naive and asking for stupid
>> stuff. They think they need NAT under IPv6 because they suffered with it in
>> IPv4 due to addressing issues or a (totally perceived) security benefit (said
>> benefit being *entirely* based on the fact that once you get NAT working, you
>> can build a stateful firewall for essentially free).  The address crunch is
>> gone, and stateful firewalls exist, so there's no *real* reason to keep
>> pounding your head against the wall other than "we've been doing it for 15
>> years".
> 
> To highlight what the current NAT66 is useful for, it's an RFC for Network Prefix Translation. It has nothing to do with obfuscation or hiding the network anymore. Its current application is multihoming for the poor.

And it's a really poor way to do multihoming.

You don't have to spend a lot of money to multihome properly.

> 
> Example:
> You have a cable and a DSL connection; they both provide IPv6 and you want to provide failover. You then use ULA or one of the Global Addresses on the LAN network, and set up NAT66 mappings for the secondary WAN, or both if you are using ULA.

I have that and I use BGP with an ARIN prefix using the Cable and DSL as layer 2 substrates for dual-stack tunnels.

Works pretty well and doesn't cost much more than the NAT66 based solution.

> This will not hide *anything* as your machines will now be *visible* on 2 global prefixes at the same time. And yes, you still use the stateful firewall rules on each WAN for the incoming traffic. And you can redirect traffic as needed out each WAN. It's the closest thing to the existing Dual WAN that current routers support.
> 
> Also note that this also works fine with 2 IPv6 tunnels. Bind each tunnel to a WAN and you have the same failover for IPv6 as IPv4.

Once you go to tunnels, why not go all the way and put BGP across the tunnels?

Owen
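To make concrete what the prefix translation discussed in this thread does to a host on the ULA LAN, here is an added example (not code from the thread or from any router vendor) of the checksum-neutral mapping that RFC 6296 NPTv6 describes: the prefix words are swapped and the 16-bit subnet field is adjusted so the one's complement sum of the address, and therefore every TCP/UDP checksum, is unchanged. The ULA, the two "cable" and "DSL" prefixes and the host address are constructed sample values, and only the /48-or-shorter case is implemented.

```python
import ipaddress

def words16(addr):
    """Split a 128-bit IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def ones_complement_sum(words):
    """16-bit one's complement sum, the arithmetic the TCP/UDP checksum uses."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total

def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite addr from from_prefix to to_prefix the RFC 6296 way (prefixes <= /48)."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    if src.prefixlen != dst.prefixlen or dst.prefixlen > 48:
        raise ValueError("example handles equal-length prefixes of /48 or shorter only")
    # Swap the prefix bits, keep everything outside the prefix (including the IID).
    host_bits = ((1 << 128) - 1) ^ int(dst.netmask)
    new_words = words16(int(dst.network_address) | (int(addr) & host_bits))
    old_words = words16(addr)
    # Adjustment = sum(old first 48 bits) - sum(new first 48 bits), one's complement.
    old_sum = ones_complement_sum(old_words[:3])
    new_sum = ones_complement_sum(new_words[:3])
    adjustment = ones_complement_sum([old_sum, (~new_sum) & 0xFFFF])
    # Fold the adjustment into the subnet field (bits 48..63) so the address sum is unchanged.
    subnet = ones_complement_sum([old_words[3], adjustment])
    new_words[3] = 0x0000 if subnet == 0xFFFF else subnet  # RFC 6296 writes 0x0000, never 0xFFFF
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in new_words))

def checksum_neutral(a, b):
    """True when two addresses contribute identically to a pseudo-header checksum."""
    return ones_complement_sum(words16(a)) == ones_complement_sum(words16(b))

if __name__ == "__main__":
    # Constructed dual-WAN scenario: one ULA host, seen under both upstream prefixes.
    host, ula = "fd00:1234:5678:1::10", "fd00:1234:5678::/48"
    for name, wan in (("cable", "2001:db8:abcd::/48"), ("dsl", "2001:db8:ffff::/48")):
        ext = nptv6_translate(host, ula, wan)
        back = nptv6_translate(ext, wan, ula)
        print(f"{name}: {host} -> {ext} (neutral={checksum_neutral(host, ext)}, back={back})")
```

Because the mapping is algorithmic and stateless, the same internal host is reachable under both global prefixes at once, which is the "visible on 2 global prefixes" point made above; the stateful firewall on each WAN is still what decides which inbound flows are accepted.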