Hi,

Thus wrote Rémi Després ([email protected]):

> As I tried to explain in a previous mail on this list:
> - If a private-site network has two CPEs giving access to two ISPs with PA 
> prefixes, the CPE via which a packet goes to the Internet depends on the 
> intra-site routing.
> - If intra-site routing DOESN'T make sure that all packets from a given host 
> always go to the same CPE, then TCP connections will be broken because:

That is actually not correct. You need to ensure that a source-destination
pair always goes the same way. That is trivially done by setting static
routes and making sure that you have the 'right' source address for the
chosen path. Source prefix substitution in this case is just a way to
make sure that the source address for a given route is correct (without
the sourcing host being required to be smart enough to do it by itself).

[...]
> . the available tool to work with several source addresses, SHIM6, can't 
> help because, due to NAT66, hosts don't know their global addresses.

It also doesn't help because the hosts I deal with today don't do SHIM6,
nor are expected to do so within the next 4 years. I need a solution that
works by ~ June 2011.

[...]

> This being said, I do agree that there is a small window of opportunity for 
> NAT66 in multihoming sites with multiple PAs, namely IF:
> - No incoming connection to any host is intended to be desirable in IPv6

In my opinion, hosts that can be talked to from the outside belong in
the DMZ and are few enough that they can be manually configured, and thus
have hand-crafted policies. These may actually run multi-homed with
N>>2 prefixes, and if they have to be renumbered it'll not be the
"internal" address that changes, but just one of the outside prefixes,
which is work and annoying but not a near-catastrophic event with weeks
of fall-out. DMZ hosts IMO should not be subject to NAT anyway. YMMV.

regards,
        spz
-- 
[email protected] (S.P.Zeidler)
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
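
The static-route and source-prefix-substitution idea from the message above, as an added example that is not part of the original post: the egress CPE is chosen by destination, and the source prefix is rewritten to match that path, so a given source-destination pair always maps the same way. All prefixes, uplink names and function names are constructed for illustration, and the mapping is a plain prefix replacement with no checksum adjustment.

```python
import ipaddress

# Constructed values (ULA and documentation prefixes); not taken from the thread.
INTERNAL = ipaddress.ip_network("fd00:1234:5678::/48")  # site-internal prefix
UPLINKS = {  # hypothetical PA prefix delegated by each ISP
    "isp_a": ipaddress.ip_network("2001:db8:a::/48"),
    "isp_b": ipaddress.ip_network("2001:db8:b::/48"),
}
# Static routes: destination prefix -> uplink. Longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("2001:db8:ff00::/40"), "isp_b"),
    (ipaddress.ip_network("::/0"), "isp_a"),
]


def pick_uplink(dst):
    """Choose the uplink by destination only, so the path is stable per pair."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name) for net, name in ROUTES if dst in net]
    return max(matches)[1]


def substitute_prefix(addr, old, new):
    """Swap the routing prefix of addr from old to new, keeping the low bits."""
    addr = ipaddress.ip_address(addr)
    if old.prefixlen != new.prefixlen:
        raise ValueError("prefix lengths must match for a 1:1 mapping")
    if addr not in old:
        raise ValueError(f"{addr} is not inside {old}")
    low_bits = int(addr) & int(old.hostmask)
    return ipaddress.ip_address(int(new.network_address) | low_bits)


def egress(src, dst):
    """Outbound: return (uplink, source address as seen on that uplink)."""
    uplink = pick_uplink(dst)
    return uplink, substitute_prefix(src, INTERNAL, UPLINKS[uplink])


def ingress(uplink, dst):
    """Return traffic: map the external destination back to the internal host."""
    return substitute_prefix(dst, UPLINKS[uplink], INTERNAL)


if __name__ == "__main__":
    host = "fd00:1234:5678:1::10"
    for remote in ("2001:db8:ff01::1", "2001:db8:1::1"):
        print(remote, "->", egress(host, remote))
```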
