-----Original Message----- From: Owen DeLong [mailto:owen@delong.com] Sent: Thursday, October 21, 2010 5:26 AM To: Ray Soucy Cc: NANOG list
If you're using IPv4 with multiple providers giving you different NAT pools, then, you're looking at outbound, not inbound resiliency and the DNS stuff you described is irrelevant. As long as your outbound gateway(s) have some way to detect provider down-ness (all the same tactics that work for IPv4 here work for IPv6 with pretty much the same flaws), you can do the same thing. The difference is that in IPv6, you have to tell the hosts which IPv6 source prefix to use. The easy way to do that is to alter the desired/valid lifetimes in your internal RAs accordingly. This isn't hard to script.
That doesn't really work because both of your providers may be "up" but one of them is not reachable by the network at the other end. You cannot predict ahead of time which address a remote network will be able to reach. Being multihomed with one block of addresses solves that problem in that as long as the distant end is getting routing information originated by either of the upstreams, you are good. Also, announcing two network blocks for the same service is a bad idea. If one becomes unreachable while a transaction is in progress, you can't fail over until the connection times out and it reconnects on the other IP. And if the application at the other end is some "secure" Java application, it might cache that unreachable IP forever until the application is bounced or until its default cache TTL expires, which might be a different TTL than in the DNS information.
If you're using IPv4 with BGP and advertising the same prefix(es) to multiple providers, the same thing works in IPv6 with nearly identical processes.
Yeah, that's the only way that really works.
I don't see what NAT gives you for EITHER of those things.
Ok, say you have your machines multinetted with two GUA nets on the same interface. Which IP does the application choose to source traffic from when it originates an outbound connection to the world? You can't predict which one is "broken" somewhere along the path. Load balancing inbound is a much simpler model than load balancing outbound and unless you want to push your entire BGP table down to the host, well, it just doesn't work. What *does* work is having your internal net addressed in some stable way that doesn't change when your upstream changes and in IPv4 you simply change your NAT pools to reflect the change. Done, your entire network is "renumbered" as far as the Internet is concerned. If your hosts are numbered in PA space, changing providers means potentially touching the configurations of all machines. A network provider will love that because it discourages customers from changing providers and makes the customer stickier to them. A customer might not feel so comfortable about that and want more independence of the provider's network.
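Added example (not from either poster): a small Python model of the RA-lifetime trick Owen describes, and of the limit Ray raises. A gateway script that has decided a provider is down renders radvd.conf prefix stanzas with AdvPreferredLifetime 0 for that provider's PA prefix (still valid, so existing sessions survive), and a host holding one address per prefix picks a non-deprecated source address, roughly as RFC 6724 does. The provider names, prefixes, lifetimes and interface name are constructed for illustration; the selection model is deliberately path-blind, which is exactly the case where both upstreams look "up" from the gateway but a remote network can only reach one of them.

```python
# Added example: steering IPv6 source address selection by deprecating one
# provider's prefix in the internal RAs. All names, prefixes and lifetimes below
# are constructed for illustration, not taken from the thread.

import ipaddress

# Constructed: one PA /64 per upstream, both advertised on the same internal LAN.
PROVIDER_PREFIXES = {
    "isp-a": ipaddress.IPv6Network("2001:db8:a::/64"),
    "isp-b": ipaddress.IPv6Network("2001:db8:b::/64"),
}

VALID_LIFETIME = 86400   # seconds; addresses stay valid so existing flows survive
PREFERRED_UP = 14400     # preferred lifetime while the provider is judged reachable
PREFERRED_DOWN = 0       # preferred lifetime 0 deprecates the prefix on the hosts


def ra_lifetimes(provider_up):
    """Map provider name -> (preferred, valid) lifetimes to advertise,
    given a dict of provider name -> bool from whatever liveness check
    the gateway runs (assumed to exist; not modelled here)."""
    return {
        name: ((PREFERRED_UP if provider_up.get(name, False) else PREFERRED_DOWN),
               VALID_LIFETIME)
        for name in PROVIDER_PREFIXES
    }


def radvd_interface_block(provider_up, ifname="eth0"):
    """Render a radvd.conf 'interface' block using radvd's real keyword syntax.
    The interface name is a constructed placeholder."""
    stanzas = []
    for name, (pref, valid) in ra_lifetimes(provider_up).items():
        net = PROVIDER_PREFIXES[name]
        stanzas.append(
            f"    prefix {net} {{\n"
            f"        AdvOnLink on;\n"
            f"        AdvAutonomous on;\n"
            f"        AdvPreferredLifetime {pref};\n"
            f"        AdvValidLifetime {valid};\n"
            f"    }};"
        )
    body = "\n".join(stanzas)
    return f"interface {ifname} {{\n    AdvSendAdvert on;\n{body}\n}};"


def is_deprecated(addr, provider_up):
    """True if the address falls in a prefix whose advertised preferred
    lifetime is 0, or in no advertised prefix at all."""
    addr = ipaddress.IPv6Address(addr)
    lifetimes = ra_lifetimes(provider_up)
    for name, net in PROVIDER_PREFIXES.items():
        if addr in net:
            return lifetimes[name][0] == 0
    return True


def host_source_address(host_addrs, provider_up):
    """Model of the slice of RFC 6724 that matters here: a host with one
    address per prefix prefers a non-deprecated address; remaining ties are
    broken by address order as a stand-in for the later rules. This is
    path-blind: it knows nothing about which prefix the remote end can reach."""
    ranked = sorted(
        host_addrs,
        key=lambda a: (is_deprecated(a, provider_up), ipaddress.IPv6Address(a)),
    )
    return ranked[0]
```

With both providers marked up the host keeps sourcing from the lower address (2001:db8:a::10 here); once the gateway marks isp-a down and the RA carries AdvPreferredLifetime 0 for 2001:db8:a::/64, new connections source from 2001:db8:b::10. Nothing in the host's decision changes if isp-a is up from the gateway's point of view but unreachable from some remote network, which is the gap the reply points at.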