nanog mailing list archives

Re: IPv6 fc00::/7 — Unique local addresses


From: Owen DeLong <owen () delong com>
Date: Thu, 21 Oct 2010 17:15:50 -0700


On Oct 21, 2010, at 9:29 AM, Allen Smith wrote:

> Hi All,
>
> I've inherited a small network with a couple of Internet connections through
> different providers, I'll call them Slow and Fast.
>
> We use RFC 1918 space internally and have a pair of external firewalls that
> handle NAT and such.
>
> Due to internal policy (read money), some users default to the Slow
> connection and some default to Fast. Using probes and policy routing, a
> failure of one of the ISPs is generally transparent (outside of the usual
> session resets for things like ssh or remote control sessions).
>
> Looking forward to the next 12 months, we may have clients that are living
> in IPv6 space. Our ISPs are happy to give us IPv6 allocations and our
> network gear vendors either have GA IPv6 code now or will soon.
>
> We have been somewhat spoiled by our firewall/NAT boxes, the stuff just
> works for our needs and the combination of NAT and policy routing keeps
> people on the circuits they are paying for. Am trying to decide how I would
> implement this kind of policy in the new world of globally
> trackable^H^H^H^H^H^H^H routable IPs for my desktops. Solutions seem to be:

My suggestion:

1.      Get a /48 from your friendly neighborhood RIR.
2.      Get an ASN to go with it.
3.      Accept that your inbound is going to get topologically divided between
        the two links rather than customer-specific.

If that's not an option, then:

1.      Get /48s from both providers.
2.      Provide appropriate RAs to your users so that the users that should prefer
        provider SLOW get RAs with a higher preference to provider SLOW and
        the users that should prefer provider FAST get RAs with a higher preference
        for provider FAST.
3.      Update your probes/policy routing scripts so that they will deprecate the
        broken RA (you can do this by sending a poisoned final RA with a very
        short valid time to the all hosts multicast address of each subnet).

Option 3 is a very bad idea and I hope your vendor would refuse.

Owen

> 1) Purchase some BGP capable routers, grab PI space. Here I can obv choose
> outbound path, but we are typical in that our inbound to outbound is 6 or 7
> to 1.
>
> 2) Assign PA space from the ISPs to the appropriate devices. What do I do
> when I lose a provider?
>
> 3) Make loud noises to my firewall vendor to include equivalent NAT/ISP
> failover functionality (even 6to6 NAT would be fine).
>
> Anyway, another sample of 1, but I do work for a managed services provider
> and see many small orgs facing similar choices. I personally am happy to
> use globally routable addresses and will work through the privacy and
> perceived security implications of NAT/nonat, I just want the same ease of
> use and flexibility I have today in a SMB environment.
>
> Cheers,
> -Allen
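Added worked example (editor's code, not from Owen's or Allen's messages): Owen's steps 2 and 3 in the "two /48s" plan rest on two Router Advertisement mechanics, the RFC 4191 router preference bits that steer a subnet toward the SLOW or FAST gateway, and a final RA with Router Lifetime 0 and a short lifetime that withdraws a dead provider. The script below builds, checksums and parses such RAs with only the standard library, so the bytes can be inspected offline; the link-local source fe80::1, the prefix 2001:db8:1::/64, the lifetimes and the interface name are assumptions, and `send_ra` (raw socket, root) is only called if you add a call yourself.

```python
"""Craft and parse ICMPv6 Router Advertisements for RFC 4191 preference
steering and for withdrawing a dead provider's default route (RFC 4861/4862).
Added example; all addresses and lifetimes are assumed, not from the thread."""
import ipaddress
import socket
import struct

ALL_NODES = ipaddress.IPv6Address("ff02::1")      # all-nodes link-local multicast
ICMPV6_RA = 134                                   # Router Advertisement type
OPT_PREFIX_INFO = 3                               # Prefix Information option
# RFC 4191 Prf field values (two bits in the RA flags byte, bits 4..3)
PREF_HIGH, PREF_MEDIUM, PREF_LOW = 0b01, 0b00, 0b11
PREF_NAMES = {PREF_HIGH: "high", PREF_MEDIUM: "medium", PREF_LOW: "low"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, msg: bytes) -> int:
    """Checksum over the RFC 8200 pseudo-header plus the ICMPv6 message.
    Returns 0 when msg already carries a correct checksum."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(msg), 58)
    return (~ones_complement_sum(pseudo + msg)) & 0xFFFF


def build_ra(src, prefix, *, router_lifetime, preference, valid, preferred,
             hop_limit=64, dst=ALL_NODES) -> bytes:
    """Return an RA with one Prefix Information option as ICMPv6 bytes.
    hop_limit is the Cur Hop Limit advertised to hosts, not the packet's own."""
    net = ipaddress.IPv6Network(prefix)
    flags = (preference & 0b11) << 3              # M=0, O=0, Prf=preference
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags,
                      router_lifetime, 0, 0)      # checksum filled in below
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                      0b1100_0000,                # L (on-link) and A (SLAAC) set
                      valid, preferred, 0, net.network_address.packed)
    msg = hdr + pio
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def parse_ra(msg: bytes) -> dict:
    """Decode the RA header and its Prefix Information options."""
    typ, code, _, hop, flags, rlife, _, _ = struct.unpack_from("!BBHBBHII", msg)
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    out = {"hop_limit": hop, "router_lifetime": rlife,
           "preference": PREF_NAMES.get((flags >> 3) & 0b11, "reserved"),
           "prefixes": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:                             # RFC 4861 4.6: must discard
            raise ValueError("zero-length ND option")
        body = msg[off:off + olen * 8]
        if len(body) != olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            _, _, plen, pflags, valid, pref, _, p = struct.unpack("!BBBBIII16s", body)
            out["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(p)}/{plen}",
                "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": pref})
        off += olen * 8
    return out


def steady_state_ra(src, prefix, preference) -> bytes:
    """Normal RA. On a subnet that should prefer this gateway send PREF_HIGH;
    the other gateway on the same subnet sends PREF_LOW (RFC 4191 steering)."""
    return build_ra(src, prefix, router_lifetime=1800, preference=preference,
                    valid=86400, preferred=14400)


def withdraw_ra(src, prefix) -> bytes:
    """'Poisoned' final RA for a failed provider: Router Lifetime 0 removes the
    default route, Preferred Lifetime 0 deprecates the SLAAC addresses at once.
    Valid Lifetime is 7200 s because RFC 4862 5.5.3(e) does not let an
    unauthenticated RA cut a remaining valid lifetime below two hours anyway."""
    return build_ra(src, prefix, router_lifetime=0, preference=PREF_MEDIUM,
                    valid=7200, preferred=0)


def send_ra(msg: bytes, ifname: str, dst=ALL_NODES) -> None:
    """Emit the RA on one interface (needs root). Linux recomputes the ICMPv6
    checksum on raw sockets, so the one embedded above matters only offline."""
    idx = socket.if_nametoindex(ifname)
    with socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6) as s:
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_HOPS, 255)  # RFC 4861: hop limit 255
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_IF, idx)
        s.sendto(msg, (str(dst), 0, 0, idx))


if __name__ == "__main__":
    ll = ipaddress.IPv6Address("fe80::1")         # assumed router link-local
    for ra in (steady_state_ra(ll, "2001:db8:1::/64", PREF_HIGH),
               withdraw_ra(ll, "2001:db8:1::/64")):
        assert icmpv6_checksum(ll, ALL_NODES, ra) == 0
        print(parse_ra(ra))
```

Two caveats a practitioner hits with this plan: hosts index their Default Router List by the RA's source address (RFC 4861 6.3.4), so a withdrawal only clears the dead gateway's entry if it is sent from that gateway's own link-local address, which means the probe box must hold that address rather than rely on the kernel's default source selection as this example does; and any RA Guard on the access switches has to permit the box that sends these RAs, since a frame like this is exactly what RA Guard exists to drop.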

