Re: NAT66 was Re: using "reserved" IPv6 space

[Lee <ler762 () gmail com>]

On 7/16/12, Grant Ridder <shortdudey123 () gmail com> wrote:
> If you are running an HA pair, why would you care which box it went back
> through?

You wouldn't.  But if you've got an HA pair at site A and another HA
pair at site B..

Lee


> -Grant
>
> On Monday, July 16, 2012, Mark Andrews wrote:
>
> > In message <CAD8GWsswFwnPKTfxt=
> > squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ () mail gmail com <javascript:;>>, Lee
> > writes:
> > > On 7/16/12, Owen DeLong <owen () delong com <javascript:;>> wrote:
> > > > Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
> > being
> > > > able to eliminate NAT. NAT was a necessary evil for IPv4 address
> > > > conservation. It has no good use in IPv6.
> > >
> > > NAT is good for getting the return traffic to the right firewall.  How
> > > else do you deal with multiple firewalls & asymmetric routing?
> >
> > Traffic goes where the routing protocols direct it.  NAT doesn't
> > help this and may actually hinder as the source address cannot be
> > used internally to direct traffic to the correct egress point.
> >
> > Instead you need internal routers that have to try to track traffic
> > flows rather than making simple decisions based on source and
> > destination addresess.
> >
> > Applications that use multiple connections may not always end up
> > with consistent external source addresses.
> >
> > > Yes, it's possible to get traffic back to the right place without NAT.
> > > But is it as easy as just NATing the outbound traffic at the
> > > firewall?
> >
> > It can be and it can be easier to debug without NAT mangling
> > addresses.
> >
> > The only thing helpful NAT66 does is delay the externally visible
> > source address selection until the packet passes the NAT66 box.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET:
> > marka () isc org<javascript:;>