On Jul 16, 2012, at 10:36 PM, Seth Mos wrote: > Hi, > > Op 16 jul 2012, om 18:34 heeft [email protected] het volgende > geschreven: > >> On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said: >>> -------That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be >>> there >>> if there weren't enough customers asking for it. Are all the customers >>> naive? >>> I doubt it. They have their reasons. I agree with your "purist" definition >>> and >>> did not say I was using it. My point is that vendors are still rolling out >>> base >>> line features even today. >> >> Sorry to tell you this, but the customers *are* naive and asking for stupid >> stuff. They think they need NAT under IPv6 because they suffered with it in >> IPv4 due to addressing issues or a (totally percieved) security benefit (said >> benefit being *entirely* based on the fact that once you get NAT working, you >> can build a stateful firewall for essentially free). The address crunch is >> gone, and stateful firewalls exist, so there's no *real* reason to keep >> pounding your head against the wall other than "we've been doing it for 15 >> years". > > To highlight what the current NAT66 is useful for, it's a RFC for Network > Prefix translation. It has nothing do with obfuscation or hiding the network > anymore. It's current application is multihoming for the poor.
And it's a really poor way to do multihoming. You don't have to spend a lot of money to multihome properly. > > Example: > You have a Cable and a DSL, they both provide IPv6 and you want to provide > failover. You then use ULA or one of the Global Addresses on the LAN network, > and set up NAT66 mappings for the secondary WAN, or both if you are using ULA. I have that and I use BGP with an ARIN prefix using the Cable and DSL as layer 2 substrates for dual-stack tunnels. Works pretty well and doesn't cost much more than the NAT66 based solution. > This will not hide *anything* as your machines will now be *visible* on 2 > global prefixes at the same time. And yes, you still use the stateful > firewall rules on each WAN for the incoming traffic. And you can redirect > traffic as needed out each WAN. It's the closest thing to the existing Dual > WAN that current routers support. > > Also note that this also works fine with 2 IPv6 tunnels. Bind each tunnel to > a WAN and you have the same failover for IPv6 as IPv4. Once you go to tunnels, why not go all the way and put BGP across the tunnels? Owen
