nanog mailing list archives

Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment


From: Eric Germann <ekgermann () cctec com>
Date: Mon, 23 Feb 2015 10:02:44 -0500

Currently engaged on a project where they’re building out a VPC infrastructure for hosted applications.

Users access apps in the VPC, not the other direction.

The issue I'm trying to get around is the customers who need to connect have multiple overlapping RFC1918 spaces 
(including overlapping what was proposed for the VPC networks).  Finding a hole that is big enough and not in use by 
someone else is nearly impossible AND the customers could go through mergers which make them renumber even more into 
overlapping 1918 space.

Initially, I was looking at doing something like (example IPs):


Customer A (172.28.0.0/24) <—> NAT to 100.127.0.0/28 <——> VPN to DC <——> NAT from 100.64.0.0/18 <——> VPC Space (was 172.28.0.0/24)

Classic overlapping subnets on both ends with allocations out of 100.64.0.0/10 to NAT in both directions.  Each sees 
the other end in 100.64 space, but the mappings can get tricky and hard to keep track of (especially if you’re not a 
network engineer).


In spitballing, the boat hasn’t sailed too far to say “Why not use 100.64/10 in the VPC?”

Then, the customer would be allocated a /28 or larger (depending on needs) to NAT on their side and NAT it once.  After 
that, no more NAT for the VPC and it boils down to firewall rules.  Their device needs to NAT outbound before it fires 
it down the tunnel, which pfSense and ASAs appear to be able to do.

I prototyped this up over the weekend with multiple VPC’s in multiple regions and it “appears” to work fine.

From the operator community, what are the downsides?

Customers are businesses on dedicated business services vs. consumer cable modems (although there are a few on business 
class cable).  Others are on MPLS and I’m hashing that out.

The only one I can see is if the customer has a service provider with their external interface in 100.64 space.  
However, this approach would have a more specific in that space so it should fire it down the tunnel for their 
allocated customer block (/28) vs. their external side.  

Thoughts and thanks in advance.

Eric
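The addressing questions in the message above, modelled as an added example (this is not code from the original post or from Eric's prototype). It uses only the standard-library ipaddress module; every prefix, customer name and next-hop label is constructed for illustration, including the assumption that a provider's CGNAT link subnet is a /22 carved from 100.64/10. The three functions check the overlap problem that motivates moving the VPC into 100.64/10, hand out unique /28 NAT blocks to customers from a pool inside that space, and do a longest-prefix-match lookup to show when the tunnel route for the VPC block beats a provider route in the same /10 and when it does not.

```python
"""Added example (not from the original post): the 100.64/10 VPC addressing
plan discussed above, checked with the standard-library ipaddress module.

All prefixes, customer names and next-hop labels here are constructed for
illustration and are not taken from any real deployment.
"""
import ipaddress
from typing import Dict, Iterable, List

# RFC 6598 shared address space, the pool the message proposes for the VPC.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def overlapping_customers(vpc: str, customers: Dict[str, str]) -> List[str]:
    """Names of customers whose prefix overlaps the proposed VPC prefix.

    An empty result is the precondition for "NAT once on the customer side,
    then just firewall rules" to work.
    """
    vpc_net = ipaddress.ip_network(vpc)
    return sorted(name for name, pfx in customers.items()
                  if ipaddress.ip_network(pfx).overlaps(vpc_net))


def allocate_customer_blocks(pool: str, customers: Iterable[str],
                             prefixlen: int = 28) -> Dict[str, str]:
    """Give each customer a unique block (a /28 by default) out of a pool that
    must itself sit inside 100.64/10, so no two customers NAT to the same range."""
    pool_net = ipaddress.ip_network(pool)
    if not pool_net.subnet_of(CGNAT):
        raise ValueError(f"{pool} is not inside {CGNAT}")
    blocks = pool_net.subnets(new_prefix=prefixlen)
    return {name: str(next(blocks)) for name in customers}


def lookup(table: Dict[str, str], dest: str) -> str:
    """Longest-prefix match over a {prefix: next_hop} table, as a router does.

    This is the behaviour the message relies on: the VPC block is a more
    specific route than a provider's default, so it goes down the tunnel.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [ipaddress.ip_network(p) for p in table
                  if addr in ipaddress.ip_network(p)]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    best = max(candidates, key=lambda n: n.prefixlen)
    return table[str(best)]


if __name__ == "__main__":
    # Constructed customers: A collides with the originally proposed VPC range.
    customers = {"A": "172.28.0.0/24", "B": "10.0.0.0/8", "C": "192.168.10.0/24"}
    print("overlap with 172.28.0.0/24:", overlapping_customers("172.28.0.0/24", customers))
    print("overlap with 100.64.0.0/18:", overlapping_customers("100.64.0.0/18", customers))
    print("NAT blocks:", allocate_customer_blocks("100.127.0.0/16", customers))

    # Constructed customer-edge routing table. The provider's CGNAT link subnet
    # (assumed /22) happens to fall inside the VPC's /18.
    table = {
        "0.0.0.0/0": "isp-wan",
        "100.64.8.0/22": "isp-wan",     # provider-facing interface, assumed
        "100.64.0.0/18": "vpn-tunnel",  # VPC space, per the message's plan
    }
    for dest in ("100.64.5.5", "100.64.9.1", "100.100.1.1"):
        print(dest, "->", lookup(table, dest))
```

The third lookup in the demo is the edge case worth keeping in mind: a tunnel route for the VPC block wins against the provider's default, but a provider link subnet that is itself a more specific inside the VPC block still wins for that slice, so the VPC allocation should be checked against each customer's upstream link address before it is fixed.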


