Operational challenges of no NAT
gbonser at seven.com
Sun Oct 31 07:18:57 CET 2010
> With IPv6, you can have individual addresses per *application* - if you
> move that application to another host within the subnet you move the
> address along with it.
That is actually the plan, but you need to add the IP to the box. If we
were using something like dhcp, it might be easier but these things need
to work even if the dhcp server isn't working correctly. The kernel
modifications in that paper aren't an option for several reasons, the
primary reason being we use a different operating system.
> And if you want even more agility, you could
> have the application specific IPv6 address injected into your routing
> domain as a host route - i.e. anycast without the multiple
> application instances. For your scenario you'd reserve a /64 for all
> your application specific addresses, and then tell your partners to
> white list only this /64.
> "Transient addressing for related processes: Improved firewalling by
> using IPv6 and multiple addresses per host"
> Isn't it magic how "too much" IPv6 address space and large subnets
> allows you to do things that are impossible to do in IPv4.
This really addresses a different problem than the one I meant to
describe. I need an application bolted to one address forever. Then I
need a different instance of that same application on the same machine
bolted to another unique address on the same machine. That is not a
problem. Now I tell foo.com what the two IPs are. One is for Jones,
one is for Smith. Now I roll out another instance for Jones. I need to
tell foo.com to add another IP to their throttling configuration.
It is just easier to put all Jones IPs in one subnet and all Smith IPs
in a different subnet and tell foo.com that anything they see from
subnet 1 is on behalf of Jones and anything they see from subnet 2 is on
behalf of Smith. But they have been reluctant to configure subnets,
they have wanted to do only specific IPs which wasn't a problem with v4
because I could put them all behind a NAT. Note that this isn't for
firewalling, this is a server configuration on their side where they
keep track of statistics of transactions for Smith and Jones and set a
maximum transaction rate limit that might be different for the two.
They will come around to subnets because it is going to be impossible
for them internally to handle individual IPs unless they somehow
automate that configuration where maybe a host could "register" itself.
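As an added example (not code from the thread or from any party in it), this shows the partner-side classification the post argues for: attributing a transaction to Jones or Smith by /64 prefix instead of by individual address, so a newly rolled-out instance inside the customer's subnet is counted without a configuration change. All prefixes, addresses and limits are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed example: one /64 per customer (assumed values, not from the thread).
CUSTOMER_PREFIXES = {
    "jones": ipaddress.ip_network("2001:db8:1::/64"),
    "smith": ipaddress.ip_network("2001:db8:2::/64"),
}

# The per-address style of configuration the partner has preferred so far.
CUSTOMER_IPS = {
    "2001:db8:1::10": "jones",
    "2001:db8:2::10": "smith",
}

def customer_by_ip(src):
    """Per-address lookup: a new instance is unknown until someone adds it."""
    # Normalise first so 2001:0db8:1::10 and 2001:db8:1::10 compare equal.
    return CUSTOMER_IPS.get(str(ipaddress.ip_address(src)))

def customer_by_prefix(src):
    """Per-subnet lookup: any address inside a customer's /64 is that customer."""
    addr = ipaddress.ip_address(src)
    for name, net in CUSTOMER_PREFIXES.items():
        if addr in net:
            return name
    return None

class RateLimiter:
    """Fixed-window transaction limiter keyed by customer, not by source address."""
    def __init__(self, limits, classify):
        self.limits = limits        # customer -> max transactions per window
        self.classify = classify    # source address -> customer name or None
        self.counts = defaultdict(int)

    def allow(self, src):
        cust = self.classify(src)
        if cust is None:
            return False            # unattributed source: reject rather than guess
        self.counts[cust] += 1
        return self.counts[cust] <= self.limits[cust]

    def new_window(self):
        self.counts.clear()
```

Note that the limit applies to the customer as a whole, so two Jones instances share Jones's budget regardless of how many addresses they use.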