NAT66 was Re: using "reserved" IPv6 space

Lee ler762 at gmail.com
Tue Jul 17 07:25:00 UTC 2012


On 7/16/12, Mark Andrews <marka at isc.org> wrote:
>
> In message
> <CAD8GWsswFwnPKTfxt=squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ at mail.gmail.com>, Lee
> writes:
>> On 7/16/12, Owen DeLong <owen at delong.com> wrote:
>> >
>> > Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
>> > being able to eliminate NAT. NAT was a necessary evil for IPv4 address
>> > conservation. It has no good use in IPv6.
>>
>> NAT is good for getting the return traffic to the right firewall.  How
>> else do you deal with multiple firewalls & asymmetric routing?
>
> Traffic goes where the routing protocols direct it.  NAT doesn't
> help this and may actually hinder as the source address cannot be
> used internally to direct traffic to the correct egress point.

_source_ address + 'used internally'??  I like policy based routing
about as much as the more opinionated members of this list like NAT :)

> Instead you need internal routers that have to try to track traffic
> flows rather than making simple decisions based on source and
> destination addresses.
>
> Applications that use multiple connections may not always end up
> with consistent external source addresses.

In the general case, sure.  At work, the only time your external
source address changes is when something quits working and you're
automatically failed over to the working firewall (ha pair).

>> Yes, it's possible to get traffic back to the right place without NAT.
>> But is it as easy as just NATing the outbound traffic at the
>> firewall?
>
> It can be and it can be easier to debug without NAT mangling
> addresses.

Yes, there are times when NAT isn't the appropriate solution.  I'm not
religious about it... just saying there are times when NAT is the
simplest/easiest solution.

Regards,
Lee
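The return-path problem the two of them are arguing about can be made concrete with a small model. The following is an added illustration, not code from Lee, Mark or anyone on the list: it models two stateful egress firewalls in front of one site, an upstream that routes replies by longest prefix and, where both firewalls announce the same prefix, picks one of them by hashing the destination (a stand-in for whatever the real upstream does). The addresses are constructed from the 2001:db8::/32 documentation range, the server address and ports are invented, and NAT66 is reduced to rewriting the source to the firewall's own address with the port kept (a real implementation would allocate ports). The three scenarios are: no NAT with one shared site prefix, NAT66 at the egress firewall, and no NAT with each exit owning its own prefix and the host sourcing from the prefix of the exit it uses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


class StatefulFirewall:
    """Egress firewall that only passes replies to flows it saw go out.

    With nat=True it rewrites the outbound source to its own external
    address (NAT66, simplified to port preservation) and undoes that on
    the reply.  A reply with no matching state is dropped.
    """

    def __init__(self, name, ext_addr, nat=False):
        self.name, self.ext_addr, self.nat = name, ext_addr, nat
        self.state = {}      # expected reply 4-tuple -> original outbound packet
        self.dropped = []    # replies that arrived here without state

    def outbound(self, pkt):
        out = Pkt(self.ext_addr, pkt.dst, pkt.sport, pkt.dport) if self.nat else pkt
        self.state[(out.dst, out.src, out.dport, out.sport)] = pkt
        return out

    def inbound(self, pkt):
        orig = self.state.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if orig is None:
            self.dropped.append(pkt)   # asymmetric return path: no state here
            return None
        return Pkt(pkt.src, orig.src, pkt.sport, orig.sport)  # un-NAT if needed


class Internet:
    """Longest-prefix routing towards the site.  When several firewalls
    announce the same prefix the upstream picks one by hashing the
    destination (assumption standing in for ECMP/hot-potato routing)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), fws) for p, fws in routes]

    def deliver(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        cands = [(n, fws) for n, fws in self.routes if dst in n]
        if not cands:
            raise ValueError(f"no route to {pkt.dst}")
        _, fws = max(cands, key=lambda r: r[0].prefixlen)
        return fws[int(dst) % len(fws)]


def round_trip(fw_out, internet, client, server="2001:db8:ffff::80"):
    """Send one TCP SYN out through fw_out and see where the reply lands.

    Returns (name of firewall that received the reply, whether it passed).
    """
    pkt = Pkt(client, server, 40000, 443)           # constructed sample flow
    wire = fw_out.outbound(pkt)
    reply = Pkt(wire.dst, wire.src, wire.dport, wire.sport)
    fw_in = internet.deliver(reply)
    return fw_in.name, fw_in.inbound(reply) is not None


def scenarios():
    """Three ways the reply to the same outbound connection can come back."""
    results = {}

    # 1. No NAT, one site prefix announced by both exits: the upstream may
    #    hand the reply to the exit that never saw the flow, which drops it.
    a = StatefulFirewall("fwA", "2001:db8:a::1")
    b = StatefulFirewall("fwB", "2001:db8:b::1")
    net = Internet([("2001:db8:1::/48", [a, b])])
    results["no_nat_shared_prefix"] = round_trip(a, net, "2001:db8:1::11")

    # 2. NAT66 at the egress: the reply is addressed to fwA's own address,
    #    which only fwA announces, so it comes back to the state it matches.
    a = StatefulFirewall("fwA", "2001:db8:a::1", nat=True)
    b = StatefulFirewall("fwB", "2001:db8:b::1", nat=True)
    net = Internet([("2001:db8:1::/48", [a, b]),
                    ("2001:db8:a::/64", [a]), ("2001:db8:b::/64", [b])])
    results["nat66"] = round_trip(a, net, "2001:db8:1::11")

    # 3. No NAT, each exit owns a prefix and the host sources from fwA's
    #    prefix; the reply follows that prefix back to fwA without NAT.
    a = StatefulFirewall("fwA", "2001:db8:a::1")
    b = StatefulFirewall("fwB", "2001:db8:b::1")
    net = Internet([("2001:db8:a::/64", [a]), ("2001:db8:b::/64", [b])])
    results["per_exit_source_prefix"] = round_trip(a, net, "2001:db8:a::11")
    return results


if __name__ == "__main__":
    for name, (fw, ok) in scenarios().items():
        print(f"{name:24s} reply arrived at {fw}, {'passed' if ok else 'dropped'}")
```

Scenario 3 is the no-NAT alternative Mark alludes to: the internal source address, not a rewritten one, decides which exit a flow belongs to. The model simply assumes the host's traffic leaves via fwA; in a real network the internal routers would have to forward outbound traffic by source prefix (the policy-based routing Lee mentions) for that to hold, and a host that picked an address from fwB's prefix while exiting through fwA would get the scenario 1 result.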

More information about the NANOG mailing list