Thus spake "Mark Andrews" <[EMAIL PROTECTED]>
>> The alternative is to renumber the entire network every time a link goes up
>> or down.

> No. You don't have to renumber.  You just have to deprecate
> the addresses associated with the downed link.  This is the
> sort of thing routers should be able to do automatically.

Are the routers going to summon all the affected folks to a change control meeting, verify the approvals, do the necessary post-change testing, etc? Are they going to update all the firewall configs, DNS, etc?

Even the above automatic address deprecation part isn't available yet, despite a decade of folks claiming that renumbering is easy, and that's not even the hard part.

>> Most of the operational and innovation costs of NAT are also present with a stateful firewall, which any sane organization will be using, because it's
>> really the stateful inspection that burns you.

> NAT introduces costs above and beyond those of a stateful firewall.

That's like saying having a broken leg is an additional cost above and beyond the cost of death. Not breaking your leg doesn't make you any less dead.

> And as for stateful firewalls, applications should be able to
> talk to them to open up reply traffic if needed.

Yeah, try to sell that to any enterprise security department. It's the applications and users that security folks are trying to protect their networks from in the first place, and internal users are a much, much bigger threat to security than external folks are.

>> Again, RFC 4192 ignores all of the non-technical aspects of renumbering.
>> That's probably appropriate, given the IETF's domain, but it's only a tiny
>> part of what must be done.  Changing the address on an interface takes
>> a few seconds; the change control processes leading up to it can burn
>> months of manpower.

> Real renumbering events are rare.

That all depends what you call "real". Any event that breaks connectivity (including established connections) for more than a few seconds is "real" to me.

> You are wanting NAT to provide multi-homing support.  This does not
> require you to renumber.  There is no need to use NAT for this with IPv6.
> IPv6 provides the mechanisms to move the source address selection
> back to the end host (where it belongs).

For the record, I hate NAT, for all the reasons that most of IETFers do. What I'm saying is that NAT is considered by the market to be less evil than the alternatives the IETF has proposed to date. Until folks recognize that, no progress will be made.

I'd much prefer to see widespread use of PI space, and significant effort put into an id/loc split scheme so that the DFZ doesn't implode as a result. OTOH, router vendors are claiming the ability to support two million routes today and ten million in a few years, so we have time to work on that.

S

Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS --Isaac Asimov
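The two mechanisms Mark refers to above, deprecating the addresses of a downed link and letting the end host pick its source address, can be modelled in a few lines. The following Python is an added example, not code from the thread or from any router or host implementation: it implements a subset of the RFC 6724 source address selection rules (Rule 1 same address, Rule 3 avoid deprecated, Rule 8 longest matching prefix; the other rules are omitted) for a hypothetical multihomed host with one address from each of two constructed documentation prefixes, and shows how a router advertising a prefix with preferred lifetime 0 (RFC 4862 deprecation) changes the host's choice without any renumbering.

```python
"""Toy model of IPv6 source address selection for a multihomed host.

Added example (not part of the original thread). Implements only RFC 6724
Rules 1, 3 and 8; all addresses, prefixes and lifetimes are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One address configured on the host (RFC 4862 SLAAC state)."""
    addr: ipaddress.IPv6Address
    prefix: ipaddress.IPv6Network
    preferred_lifetime: int  # seconds left; 0 means deprecated (still valid)


def is_deprecated(c: Candidate) -> bool:
    # RFC 4862 s5.5.4: preferred lifetime expired -> address is deprecated,
    # existing sessions keep working but new ones should avoid it.
    return c.preferred_lifetime == 0


def common_prefix_len(src: Candidate, dest: ipaddress.IPv6Address) -> int:
    """RFC 6724 CommonPrefixLen: shared leading bits, capped at the
    length of the source address's own prefix."""
    diff = int(src.addr) ^ int(dest)
    shared = 128 - diff.bit_length()
    return min(shared, src.prefix.prefixlen)


def select_source(candidates: list, dest: ipaddress.IPv6Address) -> Candidate:
    """Pick a source address for dest using Rules 1, 3 and 8 in order.
    Python compares the key tuples lexicographically, so an earlier
    rule always beats a later one, as RFC 6724 requires."""
    if not candidates:
        raise ValueError("host has no configured addresses")
    return max(
        candidates,
        key=lambda c: (
            c.addr == dest,              # Rule 1: prefer same address
            not is_deprecated(c),        # Rule 3: avoid deprecated addresses
            common_prefix_len(c, dest),  # Rule 8: longest matching prefix
        ),
    )


def deprecate_prefix(candidates: list, prefix: ipaddress.IPv6Network) -> list:
    """Model the router for a downed link advertising `prefix` with
    preferred lifetime 0: matching addresses become deprecated, nothing
    is removed and no other address on the host changes."""
    return [
        Candidate(c.addr, c.prefix, 0 if c.addr in prefix else c.preferred_lifetime)
        for c in candidates
    ]


# Constructed sample host: one address from each of two upstream prefixes.
PREFIX_A = ipaddress.IPv6Network("2001:db8:a::/48")
PREFIX_B = ipaddress.IPv6Network("2001:db8:b::/48")
HOST_ADDRS = [
    Candidate(ipaddress.IPv6Address("2001:db8:a::10"), PREFIX_A, 3600),
    Candidate(ipaddress.IPv6Address("2001:db8:b::10"), PREFIX_B, 3600),
]
# Constructed destination reachable "near" prefix B.
DEST = ipaddress.IPv6Address("2001:db8:b:1::1")


def demo() -> tuple:
    """Return (source before link B goes down, source after)."""
    before = select_source(HOST_ADDRS, DEST).addr
    after = select_source(deprecate_prefix(HOST_ADDRS, PREFIX_B), DEST).addr
    return str(before), str(after)


if __name__ == "__main__":
    b, a = demo()
    print(f"before deprecation: {b}")  # 2001:db8:b::10 (Rule 8 wins)
    print(f"after deprecation:  {a}")  # 2001:db8:a::10 (Rule 3 wins)
```

Both addresses stay configured throughout; only the preferred lifetime of the prefix B address changes, which is the "deprecate, don't renumber" point in the quoted text. What the model does not cover is the part Stephen raises: the firewall, DNS and change-control state that still refers to the deprecated addresses.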


--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
