nanog mailing list archives

Re: NAT66 was Re: using "reserved" IPv6 space


From: Owen DeLong <owen () delong com>
Date: Mon, 16 Jul 2012 21:23:46 -0700


On Jul 16, 2012, at 6:55 PM, Lee wrote:

> On 7/16/12, Owen DeLong <owen () delong com> wrote:
>
>>>> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being
>>>> able to eliminate NAT. NAT was a necessary evil for IPv4 address
>>>> conservation. It has no good use in IPv6.
>>>
>>> NAT is good for getting the return traffic to the right firewall.  How
>>> else do you deal with multiple firewalls & asymmetric routing?
>>
>> 1.      Share state across the firewalls or go with stateless firewalls.
>> 2.      Move the firewalls close enough to the end hosts to avoid this problem.
>>         Keep the asymmetric routing outside the perimeter.
>> 3.      Very creative source address selection mechanisms.
>> 4.      LISP (if you must).
>
> Yes, it's possible to get traffic back to the right place without NAT.
> But is it as easy as just NATing the outbound traffic at the
> firewall?

That depends on whose life you are trying to make easy. If you asked the
application developers or the people that have to build all the problematic
ALGs that it creates a need for, I'd bet they would have a different opinion
than the guy configuring the firewall.

In terms of overall problems created, cost to the community, increased insecurity,
and the other costs associated with a NAT-based solution, I'd say that it is
a net loss to use NAT and a net gain to avoid it.

From the perspective of the firewall administrator alone without a broader
view of the total consequences, toxic pollution of the internet seems like
a good idea.

Owen
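The asymmetric-routing problem Lee raises, and two of the answers in the thread (option 1, sharing connection state across the firewalls, versus NAT66 pinning the return path to the egress firewall), as a small added simulation. This is example code written for this archive page, not anything posted in the thread. It models only connection tracking: the firewall names, the documentation-prefix addresses (2001:db8::/32) and the hypothetical NAT address 2001:db8:a::1 are constructed, the "internet" simply delivers every reply to FW-B unless the destination is an address owned by a firewall, and options 2 to 4 (moving the perimeter, source address selection, LISP) are not modelled.

```python
"""Toy model: stateful firewalls under asymmetric return routing.

Added example, not from the NANOG thread. Three scenarios:
  independent - each firewall keeps its own state table; the reply that
                arrives at the other firewall has no matching flow and is dropped
  shared      - the firewalls share one state table (option 1 in the thread)
  nat66       - the egress firewall rewrites the source to an address that is
                routed only to itself, so the reply must come back through it
All addresses are constructed values from the IPv6 documentation prefix.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INSIDE_HOST = "2001:db8:1::10"     # constructed: client behind the firewalls
SERVER = "2001:db8:2::80"          # constructed: destination on the internet
FW_A_NAT_ADDR = "2001:db8:a::1"    # hypothetical address routed only via FW-A


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def flow(self) -> Tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_flow(self) -> Tuple:
        """Key of the outbound flow this packet would be a reply to."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Firewall:
    name: str
    state: Dict[Tuple, str]           # conntrack table; may be shared between firewalls
    nat_addr: Optional[str] = None    # if set, NAT66 outbound sources to this address
    nat_table: Dict[Tuple, Packet] = field(default_factory=dict)

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: record the flow; with NAT66, rewrite the source."""
        if self.nat_addr is not None:
            translated = Packet(self.nat_addr, p.dst, p.sport, p.dport, p.proto)
            self.nat_table[translated.flow()] = p   # keep the original for un-NAT
            p = translated
        self.state[p.flow()] = self.name
        return p

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: accept only replies to a recorded flow; un-NAT if needed."""
        fk = p.reply_flow()
        if fk not in self.state:
            return None                 # unknown flow: a stateful firewall drops it
        original = self.nat_table.get(fk)
        if original is not None:        # NAT66 reply: restore the inside address
            return Packet(p.src, original.src, p.sport, original.sport, p.proto)
        return p


def internet(p: Packet, firewalls: List[Firewall], asymmetric_return: Firewall) -> Tuple[Firewall, Packet]:
    """Build the server's reply and choose the firewall it lands on.

    An address owned by a firewall (its NAT66 address) is routed to that
    firewall; anything else takes the asymmetric return path, modelled here
    as always arriving at `asymmetric_return`."""
    reply = Packet(p.dst, p.src, p.dport, p.sport, p.proto)
    for fw in firewalls:
        if fw.nat_addr == reply.dst:
            return fw, reply
    return asymmetric_return, reply


def run_scenario(mode: str) -> Tuple[str, Optional[Packet]]:
    """Return (name of the firewall that saw the reply, packet delivered inside or None)."""
    if mode == "shared":
        table: Dict[Tuple, str] = {}
        fw_a, fw_b = Firewall("FW-A", table), Firewall("FW-B", table)
    elif mode == "nat66":
        fw_a, fw_b = Firewall("FW-A", {}, nat_addr=FW_A_NAT_ADDR), Firewall("FW-B", {})
    elif mode == "independent":
        fw_a, fw_b = Firewall("FW-A", {}), Firewall("FW-B", {})
    else:
        raise ValueError(f"unknown mode {mode!r}")
    syn = Packet(INSIDE_HOST, SERVER, 40000, 443)
    on_wire = fw_a.outbound(syn)        # egress is always via FW-A
    fw, reply = internet(on_wire, [fw_a, fw_b], asymmetric_return=fw_b)
    return fw.name, fw.inbound(reply)


if __name__ == "__main__":
    for mode in ("independent", "shared", "nat66"):
        seen_by, delivered = run_scenario(mode)
        verdict = "DROPPED" if delivered is None else f"delivered {delivered.dst}:{delivered.dport}"
        print(f"{mode:12s} reply arrived at {seen_by}: {verdict}")
```

Running it shows the three outcomes: with independent tables the reply reaches FW-B, which has never seen the flow, and is dropped; with a shared table FW-B accepts it; with NAT66 the reply is forced back to FW-A, which accepts and un-translates it. The shared-state case is the one that keeps the end-to-end addresses intact, which is why the thread treats state sharing as the price of avoiding NAT rather than the other way round.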


