Operational challenges of no NAT
gbonser at seven.com
Thu Oct 28 17:54:09 CEST 2010
> Wouldn't crypto, either HMAC or signatures, be a better assurance of
> authorization? Sure, they can whitelist your /64, but that just serves
> to keep the riff-raff out; the signature provides the actual identity
That's a pretty expensive call (on both sides) for a busy application that is generally available over the internet anyway. They aren't using it so much for authorization but for throttling. Say, in general, only a certain number of transactions can come from a single IP in a certain amount of time. If they exceed that, they are throttled. We "register" the IP with them so we are allowed to go beyond that number of transactions as we might be operating on behalf of a lot of users.
Also, those users might be of one group or another group that has negotiated its own SLA with that portal. So they want each group to arrive from a different IP so they can track that. The Jones family and the Smith family get different IPs so Portal can track their traffic for SLA compliance purposes.
Sure there are better ways. I believe I am going to have to resort to different subnets rather than different IPs.
> For callbacks, they should be done with DNS names. That way you're
> v4/v6 agnostic at the application layer, and you can renumber your
> callback receiver at will.
It would be wonderful if they would use DNS.
> I'm aware that in dealing with big providers they can have a pretty
> hard-to-budge idea of how to do things. But if you're asking for the
> "IPv6 way", I think crypto and DNS are the way to go.
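The per-source throttle and the per-group SLA accounting described in the reply above, as an added example that is not code from the original post or from the portal being discussed. It assumes a fixed-window counter keyed on the source address (the IPv4 address, or the covering /64 for IPv6, since a host can trivially rotate through its own /64), a registration table of prefixes that carry a group label and a larger quota, and hypothetical documentation prefixes and group names for the sample data.

```python
"""Per-source request throttle with a registered-prefix allowlist.

Added example, not code from the mailing-list post. Assumptions:
  - callers are identified by source address only (no HMAC or signature);
  - unregistered sources get DEFAULT_QUOTA requests per window;
  - registered prefixes carry a group name and a larger quota, so their
    traffic can be reported per group for SLA purposes;
  - IPv6 sources are counted per /64, not per address.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Registration:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    group: str
    quota: int  # requests allowed per window


DEFAULT_QUOTA = 5
WINDOW_SECONDS = 60.0

# Constructed sample registrations (hypothetical prefixes and group names).
REGISTRATIONS = [
    Registration(ipaddress.ip_network("2001:db8:1::/64"), "jones", 100),
    Registration(ipaddress.ip_network("2001:db8:2::/64"), "smith", 50),
    Registration(ipaddress.ip_network("192.0.2.10/32"), "jones", 100),
]


def throttle_key(addr: str) -> str:
    """Normalise a source address into the key the limiter counts on:
    the single address for IPv4, the covering /64 for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)


def lookup(addr: str) -> tuple[str, int]:
    """Return (group, quota) for a source; longest matching prefix wins,
    falling back to the unregistered default."""
    ip = ipaddress.ip_address(addr)
    best = None
    for reg in REGISTRATIONS:
        if ip.version == reg.network.version and ip in reg.network:
            if best is None or reg.network.prefixlen > best.network.prefixlen:
                best = reg
    if best is None:
        return ("unregistered", DEFAULT_QUOTA)
    return (best.group, best.quota)


class Throttle:
    """Fixed-window counter per throttle key. Each decision is also
    tallied per group so an SLA report can be built from the same data."""

    def __init__(self) -> None:
        self.windows: dict[str, list] = {}        # key -> [window_start, count]
        self.by_group: dict[str, tuple] = {}      # group -> (allowed, throttled)

    def check(self, addr: str, now: float) -> tuple[bool, str]:
        key = throttle_key(addr)
        group, quota = lookup(addr)
        start, count = self.windows.get(key, (now, 0))
        if now - start >= WINDOW_SECONDS:      # window expired: start a new one
            start, count = now, 0
        allowed = count < quota
        self.windows[key] = [start, count + 1 if allowed else count]
        a, t = self.by_group.get(group, (0, 0))
        self.by_group[group] = (a + 1, t) if allowed else (a, t + 1)
        return allowed, group


if __name__ == "__main__":
    th = Throttle()
    for i in range(1, 8):   # unregistered /64: only the first 5 get through
        print("2001:db8:ffff::%x" % i, th.check("2001:db8:ffff::%x" % i, 0.0))
    print(th.by_group)
```

Rotating through addresses inside an unregistered /64 buys nothing, because the counter is keyed on the prefix; a registered family-level /64 gets its own quota and its own line in the per-group tally, which is the "different IP per group" arrangement the reply describes, expressed as prefixes.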
More information about the ipv6-ops