nanog mailing list archives

Re: IPv6 uptake


From: William Herrin <bill () herrin us>
Date: Mon, 19 Feb 2024 07:16:52 -0800

On Mon, Feb 19, 2024 at 6:52 AM Mike Hammett <nanog () ics-il net> wrote:
"We can seriously lose NAT for v6 and not lose
anything of worth."

I'm not going to participate in the security conversation, but we
do absolutely need something to fill the role of NAT in v6. If it's
already there or not, I don't know. Use case: Joe's Taco Shop.
Joe doesn't want a down Internet connection to prevent
transactions from completing, so he purchases two diverse
broadband connections, say a cable connection and a DSL connection.

Hi Mike,

In IPv6's default operation, if Joe has two connections then each of
his computers has two IPv6 addresses and two default routes. If one
connection goes down, one of the routes and sets of IP addresses goes
away.

Network security for that scenario is, of course, challenging. There's
a longer list of security-impacting things that can go wrong than with
the IPv4 NAT + dual ISP scenario.

There's also the double-ISP loss scenario that causes Joe to lose all
global-scope IP addresses. He can overcome that by deploying ULA
addresses (a third set of IPv6 addresses) on the internal hosts, but
convincing the internal network protocols to stay on the ULA addresses
is wonky too.

There's also 1:1 NAT where Joe can just use ULA addresses internally
and have the firewall translate into the address block of the active
ISP. However, because this provides a full map between every internal
address, protocol and port to external addresses and ports (the entire
internal network is addressable from outside), it has no positive
impact on security the way IPv4's address-overloaded NAT does.

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
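As an added illustration of the 1:1 translation Bill describes (this is example code, not from the thread or any vendor): a minimal NPTv6-style checksum-neutral prefix translator in Python, following the RFC 6296 rule for /48 prefixes. Joe's ULA prefix, the two ISP prefixes, the host addresses and the helper names are all constructed for the example; it assumes /48 prefixes on both sides and that a separate stateful firewall decides what inbound traffic is allowed.

```python
import ipaddress

# Constructed example: Joe's internal ULA /48 and a /48 from each ISP (2001:db8::/32 is documentation space).
INTERNAL = ipaddress.IPv6Network("fd00:1234:5678::/48")
ISPS = {"cable": ipaddress.IPv6Network("2001:db8:aaaa::/48"),
        "dsl": ipaddress.IPv6Network("2001:db8:bbbb::/48")}

def ocsum(words):
    """One's complement sum of 16-bit words, folded to 16 bits."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words_of(addr):
    """The eight 16-bit words of an IPv6 address."""
    raw = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]

def translate(addr, src, dst):
    """Rewrite /48 prefix src -> dst and adjust the subnet word (bits 48..63) so
    the one's complement sum of the address, and hence every TCP/UDP checksum
    that covers it, is unchanged (the RFC 6296 rule for /48 prefixes)."""
    assert src.prefixlen == 48 and dst.prefixlen == 48
    w = words_of(addr)
    if w[3] == 0xFFFF:
        raise ValueError("subnet word 0xFFFF cannot be translated losslessly")
    s_src = ocsum(words_of(src.network_address)[:3])
    s_dst = ocsum(words_of(dst.network_address)[:3])
    adjust = ocsum([s_src, ~s_dst & 0xFFFF])   # s_src - s_dst, one's complement
    w[:3] = words_of(dst.network_address)[:3]
    w[3] = ocsum([w[3], adjust])
    if w[3] == 0xFFFF:                          # 0xFFFF and 0x0000 are both zero
        w[3] = 0x0000
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

def outbound(addr, active_isp):
    """Internal host -> address inside the prefix of whichever ISP is up."""
    return translate(addr, INTERNAL, ISPS[active_isp])

def inbound(addr, isp):
    """External destination -> internal host, consulting no state: every address
    in the ISP prefix maps to exactly one internal host, so unsolicited inbound
    packets are stopped only by a firewall rule, not by the translation."""
    return translate(addr, ISPS[isp], INTERNAL)

def checksum_neutral(a, b):
    """True when both addresses have the same one's complement sum."""
    return ocsum(words_of(a)) % 0xFFFF == ocsum(words_of(b)) % 0xFFFF
```

Switching the active ISP changes only which prefix `outbound` writes; `inbound` shows why the mapping alone gives no isolation, since a never-seen external address still resolves to an internal host.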
