Operational challenges of no NAT
john at sackheads.org
Sat Oct 30 05:27:31 CEST 2010
On Oct 29, 2010, at 6:45 PM, Ted Mittelstaedt <tedm at ipinc.net> wrote:
> Certainly. You get it exactly the same way you get it WITH nat.
Your experience running an enterprise network seems to be very different from my own and that of the people you love to tell "you don't need NAT". Perhaps if you gave an overview of your network, it would help those of us struggling with where the least worst place to lose some of the simplifications that NAT44 provides is.
> If you don't have PI then what people mean by "provider independence"
> is nothing more than "It's easier to renumber when I move to a different
And I can have a coherent "internal" addressing scheme even with different Internet providers at each of my "many" offices.
> It doesn't mean "I have my own IP address block assigned by an RIR and
> I can move it around"
Yes, otherwise I'd have PI space.
> If you are NAT and you move then you still have to change all the DNS
> stuff to point to the "new" outside IP address, and you have to change
> your NAT maps and anyone who is VPNed into you, etc. etc.
In the "remote" offices, I don't care about any of that... I'm just NATing users.
No VPN, maybe one DNS entry, and one interface on the NAT box (it's on a firewall, but I don't think of NAT as privacy or security).
> Under IPv6 that isn't any different.
Sure it is.
> You do NOT have to turn your renumbering into a complete cluster-fuck
> like it is under IPv4. Please, read the docs. You can start here:
Yeah, that works great for a single-homed, no-server network.
What about a multi-homed office? Multiple addresses on all end devices simply shifts cost control too far away from the network admins.
It also mentions nothing about internal ACLs and firewall policies that would have to be updated.
>> Multihoming is even worse. On top of all of the provider independence
>> requirements, add the ability to decide *in the network* which
>> upstream any outbound connection goes through, using only protocols
>> available today. I understand there are protocols in the pipeline to
>> make hosts more intelligent about source address selection, but (a)
>> you're still relying on the host to make that decision, something
>> that's really network-level knowledge, and (b) there's no way those
>> protocols can encompass every criterion people could want to make
>> decisions on. With v4 NAT, I can round-robin all port 80 connections
>> out providers A and B, and send all other traffic out provider C.
>> There is no way to do that with no-nat v6.
> That is a true statement ONLY IF you ASSUME THAT IPv6 NAT IS ONE
> TO ONE.
> The problem here is that all of the other IPv6-NAT advocates DO NOT
> WANT one-to-one IPv6 NAT. They understand NAT to be many-to-one.
> In short, they do not want what you need to keep this load-balancing
> hack running.
Wrong. You are just so hot to shoot down anyone even thinking that NAT has uses that you don't appear to be listening to use cases. 1:1 NAT66 is exactly what I want and what I've seen others ask for.
> You simply need a load balancer that takes a subnet of IPv6 from
> each provider, and does one-to-one IPv6 NAT. In even the smallest
> IPv6 subnets there is plenty of IP numbers so every one of your inside
> hosts can have its own unique IPv6 address with each provider.
Simple question. If multiple PA addresses and renumbering is so simple, why is Cisco running PI on their v6 Internet presence?
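The 1:1 NAT66 arrangement argued over above (each inside host gets a distinct address in every provider's prefix, and the network, not the host, decides which provider a flow leaves through) can be written down concretely. The following is an added illustration, not code from this thread or from any of the participants: a stateless prefix rewrite in the spirit of RFC 6296 NPTv6, driven by the policy John describes (port 80 round-robined between providers A and B, everything else via provider C). The inside prefix, the three provider prefixes (documentation space), and the class and function names are all constructed for the example. It rewrites only the address; unlike NPTv6 it makes no checksum-neutral adjustment, so real transport checksums would need recalculating.

```python
import ipaddress
from itertools import cycle

# Constructed prefixes for the example: a ULA /48 inside, one PA /48 per provider.
INSIDE = ipaddress.ip_network("fd00:1234:5678::/48")
PROVIDERS = {
    "A": ipaddress.ip_network("2001:db8:a::/48"),
    "B": ipaddress.ip_network("2001:db8:b::/48"),
    "C": ipaddress.ip_network("2001:db8:c::/48"),
}


def rewrite_prefix(addr, old, new):
    """Stateless 1:1 translation: swap the network prefix, keep the host bits.

    This is the core of a one-to-one NAT66 / NPTv6-style mapping: the same host
    bits appear under every provider prefix, so no per-flow state is needed and
    the reverse mapping is just the same operation with the prefixes swapped.
    (Simplification: no RFC 6296 checksum-neutral adjustment is performed.)
    """
    addr = ipaddress.IPv6Address(addr)
    if addr not in old:
        raise ValueError(f"{addr} is not inside {old}")
    if old.prefixlen != new.prefixlen:
        raise ValueError("prefix lengths must match for a 1:1 rewrite")
    host_mask = (1 << (128 - old.prefixlen)) - 1
    host_bits = int(addr) & host_mask
    return ipaddress.IPv6Address(int(new.network_address) | host_bits)


class Nat66Policy:
    """Network-side egress selection plus 1:1 prefix translation.

    The policy lives on the NAT box, not on the hosts: hosts keep a single
    stable inside address and never see the provider prefixes.
    """

    def __init__(self):
        # Round-robin iterator for web traffic across providers A and B.
        self._web = cycle(["A", "B"])

    def choose_provider(self, dst_port):
        # Policy from the thread: port 80 alternates A/B, everything else goes out C.
        if dst_port == 80:
            return next(self._web)
        return "C"

    def outbound(self, src, dst_port):
        """Return (provider, translated source address) for an outbound flow."""
        provider = self.choose_provider(dst_port)
        return provider, str(rewrite_prefix(src, INSIDE, PROVIDERS[provider]))

    def inbound(self, dst):
        """Map a return packet's destination back to the inside address."""
        dst = ipaddress.IPv6Address(dst)
        for provider, prefix in PROVIDERS.items():
            if dst in prefix:
                return str(rewrite_prefix(dst, prefix, INSIDE))
        raise ValueError(f"{dst} is not in any of our provider prefixes")


if __name__ == "__main__":
    nat = Nat66Policy()
    # Constructed sample flows from two inside hosts.
    for src, port in [("fd00:1234:5678::1", 80), ("fd00:1234:5678::1", 80),
                      ("fd00:1234:5678:1::2", 443), ("fd00:1234:5678::1", 80)]:
        provider, ext = nat.outbound(src, port)
        print(f"{src} -> port {port}: via {provider} as {ext}, "
              f"reply maps back to {nat.inbound(ext)}")
```

Because the mapping is stateless, an inside host renumbers nowhere when a provider changes: only the `PROVIDERS` table on the NAT box is edited, which is the point John is making about keeping renumbering and egress choice in the network rather than on every end device.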