Feelings about NAT64/DNS64?
gbonser at seven.com
Wed Dec 8 18:17:55 CET 2010
> I wouldn't think that this is such a great idea. NAT64 (like its
> predecessor NAT44) is only really feasibly on the eyeballs/sink side
> the network. On the content/source side of the network you will most
> likely need to be running dual stack for quite a while.
> NAT64 in a data center is about the same as IPv6-only in a data center
> from the client application's perspective.
Actually, from the client's perspective, they are talking to a load
balancer which can have either v4 or v6 virtual IP addresses that are
balanced to either v4 or v6 backend servers and the protocol on the
server does not need to match the protocol on the virtual IP. So v4 or
v6 services can be served from either all v4 or all v6 servers. The
client connections is the easy part. That hard part is when the server
needs to engage in a transaction with a third party on behalf of the
client. Currently most of those third parties are v4. If only three of
those parties move to v6, >50% of my traffic bandwidth is v6.
> NAT64 is not that different from NAT44. You shouldn't be putting
> behind a NAT64 unless you are intending to make them unreachable on
> IPv4 Internet.
I know. The servers are already behind NAT44 for making outbound
connections. They are behind a load balancer for inbound connections.
So in this case it is really no different than it is now. The
difference is that the more traffic that migrates to native v6, the less
NAT needs to be done until it becomes a very small portion of the
traffic. I will not be taking any unbound connections over the NAT64
path, they are outbound only.
> The end goal is obviously IPv6-only but you probably don't want to
> the IPv4 side of your infrastructure until you have less than 1% of
> traffic going via that protocol.
Well, again, the load balancer can convert IPv4 inbound traffic to IPv6
server fairly transparently (and it can go the other way, too ... IPv6
inbound traffic to IPv4 server) so this is actually less of an issue
than it seems.
Thanks for taking the time to respond.
More information about the ipv6-ops