james woodyatt wrote:

>> Sigh. It defeats me why people believe this will create less admin
>> work and less likelihood of errors than a set of ACLs in the border
>> routers.
>
> It's the multiple prefixes thing, of course. That, and the ongoing
> related worries, perhaps not entirely rational, about possible
> unexpected side effects of default address selection. They think having
> just one set of prefixes to route through the enterprise will be a lot
> simpler and much less prone to administrative error. I can't, of
> course, argue about that-- I simply don't know.
FWIW, I share their concerns about unexpected side effects of default address selection. OTOH, NATting everything still doesn't force B2B traffic to go through a particular path for any app that does referrals across different realms. The app will use whatever external address it knows about in the referral, which might or might not be the right address to use for any particular peer.

I continue to believe that if a host has multiple addresses (for whatever reason) then things work best if the application can learn that it has multiple addresses at which it can be reached, and multiple addresses from which it can source traffic, and it knows what they are. Trying to hide these things from the apps is a big part of what breaks them, and it certainly makes it more difficult to fix the apps to work under those conditions.

> There was also some grousing when I mentioned that we don't think
> address amplification is a worthy goal for any new 6AI standards
> effort. They've grown quite accustomed to using asymmetric translation
> to conserve address space in various parts of their network, and they're
> worried that it's lacking in NAT66 will be a source of additional
> headache for them.

I suspect it does mean that network operators have to manage addresses subtly differently than they have in the past. E.g. instead of trying to build a deep hierarchy of address allocation/delegation, they might find it works better to make the delegation hierarchy shallow. The good news is that even if you only have a /48, you can still address 2**16 LANs, give each of them a /64, and put as many hosts on each of those LANs as you can stand, without running out of addresses on any of those LANs. (And if you have more than 2**16 LANs you ought to be able to get at least another /48 if not a shorter prefix.)

> They really like their NAPT gateways, and the thought of planning to go
> without them into combat leaves them far, far away from their happy
> comfort zone.
I wish I knew how to soothe their nerves. I keep telling people that IPv6 is a lot more different from IPv4 than they think. A lot of the conventional wisdom from IPv4 doesn't apply. But it's hard to get people to see that, and I think it will take a few years of actual experience before network operators in general start to get it.

Keith

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
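The shallow-versus-deep delegation point in the reply above can be checked with a small planner. This is an added example and not part of the original message or of any IETF document; it uses the documentation prefix 2001:db8::/48 as a constructed stand-in for an enterprise /48, and the region size (/52) and LAN counts are assumptions chosen to show where a fixed deep hierarchy runs out while a flat pool of /64s does not.

```python
import ipaddress

# Constructed example: the documentation prefix stands in for an enterprise /48.
SITE = ipaddress.IPv6Network("2001:db8::/48")


def lan_capacity(prefix: ipaddress.IPv6Network, lan_prefix: int = 64) -> int:
    """Number of /64 LANs that fit under a prefix (2**16 for a /48, 2**12 for a /52)."""
    return 2 ** (lan_prefix - prefix.prefixlen)


def flat_plan(site: ipaddress.IPv6Network, lan_count: int) -> list:
    """Shallow delegation: hand out /64s directly from the site prefix, in order.

    Every LAN draws from one pool, so the only limit is the total number of /64s.
    """
    capacity = lan_capacity(site)
    if lan_count > capacity:
        raise ValueError(f"{lan_count} LANs exceed the {capacity} /64s in {site}")
    subnets = site.subnets(new_prefix=64)
    return [next(subnets) for _ in range(lan_count)]


def deep_plan(site: ipaddress.IPv6Network, region_lan_counts: list,
              region_prefix: int = 52) -> dict:
    """Deep delegation: carve the site into fixed regions first (/52 here,
    so 16 regions of 4096 /64s each), then number LANs inside each region.

    A region that outgrows its slice fails even though other slices sit empty,
    which is the administrative trap a shallow hierarchy avoids.
    """
    regions = list(site.subnets(new_prefix=region_prefix))
    if len(region_lan_counts) > len(regions):
        raise ValueError(f"{len(region_lan_counts)} regions requested, "
                         f"only {len(regions)} /{region_prefix} slices in {site}")
    plan = {}
    for region, needed in zip(regions, region_lan_counts):
        capacity = lan_capacity(region)
        if needed > capacity:
            raise ValueError(f"region {region} holds {capacity} /64s, {needed} requested")
        lans = region.subnets(new_prefix=64)
        plan[region] = [next(lans) for _ in range(needed)]
    return plan


if __name__ == "__main__":
    print(f"{SITE} holds {lan_capacity(SITE)} /64 LANs")
    # Two regions, one of them larger than a /52 slice: the flat plan fits,
    # the deep plan does not, although the totals are identical.
    demand = [5000, 10]
    print("flat plan:", len(flat_plan(SITE, sum(demand))), "LANs numbered")
    try:
        deep_plan(SITE, demand)
    except ValueError as exc:
        print("deep plan failed:", exc)
```

The numbers are only illustrative; the takeaway is that with a /48 the total is never the constraint (2**16 LANs, each a /64 with room for any realistic host count), so the fewer fixed-size tiers an operator bakes into the delegation, the less likely a renumbering exercise becomes.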
