Think HA pairs in Pittsburgh, Dallas, and San Jose. Now imagine each has different upstream connectivity and the backbone network connecting all the corporate sites lives inside those firewalls. The real solution to this is to move the backbone outside of the firewalls and connect the internal networks via VPNS that ride the external backbone and can be routed over the internet safely when a backbone link fails. However, this still requires some interesting effort in terms of source address selection, routing, etc. in order to avoid triangle routing out of the firewall in Pittsburgh resulting in a return trying to come in via Dallas or San Jose. I think in IPv6, as firewall vendors begin ot mature their products, we'll either see a departure from stateful inspection, or, more likely an ability to set up HA clusters across diverse geography where state tables are kept in sync across the WAN. Owen On Jul 16, 2012, at 7:56 PM, Grant Ridder wrote:
If you are running an HA pair, why would you care which box it went back through?
-Grant
On Monday, July 16, 2012, Mark Andrews wrote:
In message <CAD8GWsswFwnPKTfxt= squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ@mail.gmail.com <javascript:;>>, Lee writes:
On 7/16/12, Owen DeLong <owen@delong.com <javascript:;>> wrote:
Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is
being
able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6.
NAT is good for getting the return traffic to the right firewall. How else do you deal with multiple firewalls & asymmetric routing?
Traffic goes where the routing protocols direct it. NAT doesn't help this and may actually hinder as the source address cannot be used internally to direct traffic to the correct egress point.
Instead you need internal routers that have to try to track traffic flows rather than making simple decisions based on source and destination addresess.
Applications that use multiple connections may not always end up with consistent external source addresses.
Yes, it's possible to get traffic back to the right place without NAT. But is it as easy as just NATing the outbound traffic at the firewall?
It can be and it can be easier to debug without NAT mangling addresses.
The only thing helpful NAT66 does is delay the externally visible source address selection until the packet passes the NAT66 box.
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org<javascript:;>