nanog mailing list archives

Re: Question about migrating to IPv6 with multiple upstreams.


From: Ray Soucy <rps () maine edu>
Date: Tue, 14 Jun 2011 13:34:26 -0400

I try to avoid the Obfuscation argument when I can.

I've seen people try to be smart by telling Law Enforcement that they
don't keep logs and can't point to which host was a problem behind a
NAT box, only to see Law Enforcement take all the PCs instead of the
one in question.  So it's always made me nervous.  As for the security
value, I think it's more a privacy value than anything.  But you can
accomplish almost the same thing by having those hosts use a web
proxy, which you likely want to be doing anyway so you can scan
content for threats.

I personally have no desire for it, but if someone wants to implement
it I won't stop them.

On Tue, Jun 14, 2011 at 1:28 PM, William Herrin <bill () herrin us> wrote:
> On Tue, Jun 14, 2011 at 1:04 PM, Ray Soucy <rps () maine edu> wrote:
> > I think in the long term telling everyone to jump into the BGP table
> > is not sustainable, and not operationally consistent with the majority
> > of SMB networks.
> >
> > A better solution, and the one I think will be adopted in the
> > long term as soon as vendors come into the fold, is to swap out
> > RFC1918 with ULA addressing and swap out PAT with NPT, then use
> > policy routing to handle load balancing and failover the way most
> > "dual WAN" multifunction firewalls do today.
> >
> > Example:
> >
> > Each provider provides a 48-bit prefix.
> >
> > Internally you use a ULA prefix, and set up prefix translation so that
> > the prefix gets swapped appropriately for each uplink interface.  This
> > provides the benefits of "NAT" used today, without the drawback of
> > having to do funky port rewriting and restricting incoming traffic to
> > mapped assignments or UPnP.
>
> Hi Ray,
>
> There's a nuance here you've missed.
>
> There are two main reasons for ULA inside the network:
>
> 1. Address stability (simplifies network management)
> 2. Source obfuscation (improves the depth of the security plan)
>
> Option 1: Obfuscation desired.
>
> ULA inside. NAT/PAT at both borders. You don't use prefix translation
> here because prefix translation does little obfuscation: it has a 1:1
> relationship with each individual host and still reveals the internal
> routing structure.
>
> Option 2: Stability, no obfuscation desired.
>
> ULA inside, prefix translation at both borders.
>
> Option 3: Neither stability nor obfuscation required.
>
> GUA from one of the providers inside. Prefix translation to the other
> provider for the connections desired out that border. Giving the hosts
> real GUA addresses maximizes application compatibility.
>
> Regards,
> Bill Herrin
>
>
> --
> William D. Herrin ................ herrin () dirtside com  bill () herrin us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004




-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
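The prefix-translation design Ray sketches (one ULA prefix inside, the prefix swapped per uplink) and Bill's observation that such a mapping is 1:1 per host and keeps the internal subnet layout visible can both be seen in a small model. The following Python is an added illustration, not code from the thread, from NANOG, or from any vendor. It implements the checksum-neutral /48 mapping that RFC 6296 (NPTv6, not named in the thread) specifies; the ULA and provider prefixes are constructed sample values in ULA and documentation space, and the function names `translate`, `per_uplink` and `address_sum` are this example's own.

```python
"""Worked example of NPTv6-style (RFC 6296) prefix translation for a ULA site
with two uplinks.  Added illustration, not code from the thread.
All prefixes below are constructed sample values."""
import ipaddress


def ones_complement_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    while s > 0xFFFF:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ones_complement_sum(ws):
    total = 0
    for w in ws:
        total = ones_complement_add(total, w)
    return total


def words(addr):
    """Eight 16-bit words of an IPv6 address, most significant first."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(ws):
    n = 0
    for w in ws:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


def address_sum(addr):
    """One's complement sum of the address words: the address's contribution
    to a TCP/UDP/ICMPv6 pseudo-header checksum."""
    return ones_complement_sum(words(addr))


def translate(addr, src_prefix, dst_prefix):
    """Rewrite addr from src_prefix to dst_prefix (both /48) the way RFC 6296
    does: the first three words are replaced, and the difference between the
    two prefix sums is added into word 3 (the subnet ID) so the address
    contributes the same checksum as before.  Words 4-7, the interface
    identifier, are never touched, so the mapping is 1:1 per host."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    src_sum = ones_complement_sum(words(src.network_address)[:3])
    dst_sum = ones_complement_sum(words(dst.network_address)[:3])
    adjustment = ones_complement_add(src_sum, (~dst_sum) & 0xFFFF)
    w = words(a)
    w[:3] = words(dst.network_address)[:3]
    w[3] = ones_complement_add(w[3], adjustment)
    if w[3] == 0xFFFF:  # 0xFFFF and 0x0000 are both zero in one's complement
        w[3] = 0x0000
    return from_words(w)


def per_uplink(addr, ula_prefix, provider_prefixes):
    """The one ULA host as each provider sees it: one external address per
    uplink, every one of them carrying the same interface identifier."""
    return {p: str(translate(addr, ula_prefix, p)) for p in provider_prefixes}


if __name__ == "__main__":
    ULA = "fd01:203:405::/48"                            # constructed
    PROVIDERS = ["2001:db8:1::/48", "2001:db8:2::/48"]   # constructed
    host = "fd01:203:405:1::1234"                        # constructed
    for provider, external in per_uplink(host, ULA, PROVIDERS).items():
        back = translate(external, provider, ULA)
        print(f"{host} via {provider}: {external}, reverse: {back}")
        print(f"  checksum-neutral: {address_sum(host) == address_sum(external)}")
```

Running it shows what Bill means: the two external addresses share the host's interface identifier, so an outside observer correlates them to one machine, and the external subnet ID is the internal subnet ID plus a constant fixed per translator, so the internal subnet numbering is recoverable up to that offset. Stability and application compatibility are the gains; obfuscation is not one of them.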

