Operational challenges of no NAT
Mark Smith
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Sun Oct 31 05:19:25 CET 2010
(Sourced from wrong email address for list)
On Sun, 31 Oct 2010 14:46:19 +1030
Mark Smith <mark at it.just.makes.nosense.org> wrote:
> On Sun, 31 Oct 2010 14:34:03 +1030
> Mark Smith <nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org>
> wrote:
>
> > On Fri, 29 Oct 2010 12:04:13 -0700
> > "George Bonser" <gbonser at seven.com> wrote:
> >
> > > > > This is all about paradigm shifts. If you have never heard that
> > > term
<snip>
> > > The one difficulty that is actually MORE complicated to
address is the
> > > one of using different source IPs for different types of traffic based
> > > on origin of the traffic in my network. For example, I could use
> > > addresses in a single subnet for all of my servers of a particular type.
> >
> > With IPv6, you can have individual addresses per *application* - if you
> > move that application to another host within the subnet you move the
> > address along with it. And if you want even more agility, you could
> > have the application specific IPv6 address injected into your routing
> > domain as a host route - i.e. anycast without the multiple
> > application instances. For your scenario you'd reserve a /64 for all
> > your application specific addresses, and then tell your partners to
> > white list only this /64.
> >
If you're not comfortable running routing protocols on end-hosts you
could alternatively run static GRE or IP/IP tunnels to them from an edge
router(s) for these per-application host addresses, or use Mobile IPv6.
And if you want topology hiding, another option could be ISATAP over
RFC1918 IPv4 address space. Although the IPv4 addresses of the IPv4
"link layer" are exposed in the IPv6 ISATAP addresses, the
global unreachability and absence of global PTRs for private IPv4
addresses may provide the necessary topology obfuscation for both IPv4
and IPv6.
> > "Transient addressing for related processes: Improved firewalling by
> > using IPv6 and multiple addresses per host"
> > http://www.cs.columbia.edu/~smb/papers/tarp.pdf
> >
> > Isn't it magic how "too much" IPv6 address space and large subnets
> > allows you to do things that are impossible to do in IPv4.
> >
> >
<snip>
More information about the ipv6-ops
mailing list