"In IPv6's default operation, if Joe has two connections then each of his computers has two IPv6 addresses and two default routes. If one connection goes down, one of the routes and sets of IP addresses goes away."

This sounds like a disaster.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "William Herrin" <bill@herrin.us>
To: "Mike Hammett" <nanog@ics-il.net>
Cc: nanog@nanog.org
Sent: Monday, February 19, 2024 9:16:52 AM
Subject: Re: IPv6 uptake

On Mon, Feb 19, 2024 at 6:52 AM Mike Hammett <nanog@ics-il.net> wrote:
> "We can seriously lose NAT for v6 and not lose anything of worth."
>
> I'm not going to participate in the security conversation, but we do absolutely need something to fill the role of NAT in v6. If it's already there or not, I don't know.
>
> Use case: Joe's Taco Shop. Joe doesn't want a down Internet connection to prevent transactions from completing, so he purchases two diverse broadband connections, say a cable connection and a DSL connection.
Hi Mike,

In IPv6's default operation, if Joe has two connections then each of his computers has two IPv6 addresses and two default routes. If one connection goes down, one of the routes and sets of IP addresses goes away.

Network security for that scenario is, of course, challenging. There's a longer list of security-impacting things that can go wrong than with the IPv4 NAT + dual ISP scenario.

There's also the double-ISP loss scenario that causes Joe to lose all global-scope IP addresses. He can overcome that by deploying ULA addresses (a third set of IPv6 addresses) on the internal hosts, but convincing the internal network protocols to stay on the ULA addresses is wonky too.

There's also 1:1 NAT where Joe can just use ULA addresses internally and have the firewall translate into the address block of the active ISP. However, because this provides a full map between every internal address, protocol and port to external addresses and ports (the entire internal network is addressable from outside), it has no positive impact on security the way IPv4's address-overloaded NAT does.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
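The 1:1 translation Bill describes is what RFC 6296 (NPTv6) standardises: the firewall swaps the ULA prefix for the active ISP's prefix and adds a fixed one's complement "adjustment" to one 16-bit word so that TCP/UDP checksums need no rewriting. The following is an added worked example, written for this page and not code from the thread or from any of its participants; it implements the /48 case of that algorithm for Joe's two-ISP setup. The ULA prefix, the two ISP /48s (2001:db8::/32 is documentation space) and the host address are all constructed for illustration. It shows the failover mapping, verifies checksum neutrality, and, by mapping an external address back to its internal host, demonstrates Bill's point that every internal address is reachable through the translator, so any access control has to come from firewall policy rather than from the translation.

```python
"""NPTv6-style (RFC 6296) 1:1 prefix translation, /48 case, for a ULA-addressed
LAN behind two ISP connections.  Added example, not from the thread.  All
prefixes and hosts below are constructed for illustration."""
import ipaddress

INTERNAL = ipaddress.IPv6Network("fd12:3456:789a::/48")   # constructed ULA /48
ISPS = {                                                  # constructed ISP /48s
    "cable": ipaddress.IPv6Network("2001:db8:1::/48"),
    "dsl":   ipaddress.IPv6Network("2001:db8:2::/48"),
}


def words(addr):
    """Eight 16-bit words of an IPv6 address, most significant first."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(w):
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))


def ones_sum(ws):
    """One's complement sum of 16-bit words.  0xFFFF and 0 are the same value
    in one's complement, so reducing mod 0xFFFF gives the canonical result."""
    return sum(ws) % 0xFFFF


def adjustment(src, dst):
    """RFC 6296 adjustment: (sum of src /48 words) - (sum of dst /48 words) in
    one's complement.  Adding it to the subnet word keeps the address's
    contribution to the transport pseudo-header checksum unchanged."""
    return (ones_sum(words(src.network_address)[:3])
            - ones_sum(words(dst.network_address)[:3])) % 0xFFFF


def translate(addr, src, dst):
    """Map addr from prefix src to prefix dst (both /48).  The same function
    serves outbound (ULA -> ISP) and inbound (ISP -> ULA) packets."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    w = words(addr)
    w[:3] = words(dst.network_address)[:3]          # swap the 48-bit prefix
    w[3] = (w[3] + adjustment(src, dst)) % 0xFFFF   # checksum-neutral fix-up
    # Caveat: mod 0xFFFF never produces 0xFFFF, so an internal subnet word of
    # 0xFFFF does not round-trip; leave that one subnet unused behind NPTv6.
    return from_words(w)


def checksum_neutral(a, b):
    """True if a and b add the same one's complement sum to a pseudo-header,
    i.e. the translator may leave TCP/UDP checksums untouched."""
    return (ones_sum(words(ipaddress.IPv6Address(a)))
            == ones_sum(words(ipaddress.IPv6Address(b))))


def active_isp(link_up):
    """Choose the ISP prefix to translate into from {"cable": bool, "dsl": bool}."""
    for name, net in ISPS.items():
        if link_up.get(name):
            return name, net
    return None, None   # double-ISP loss: hosts keep only their ULA addresses


def outbound(internal_addr, link_up):
    name, net = active_isp(link_up)
    if net is None:
        return None
    return translate(internal_addr, INTERNAL, net)


def inbound(external_addr):
    """Every address in either ISP block maps back to exactly one internal host.
    The translation hides nothing; only firewall policy can restrict reachability."""
    for net in ISPS.values():
        if ipaddress.IPv6Address(external_addr) in net:
            return translate(external_addr, net, INTERNAL)
    return None


if __name__ == "__main__":
    host = "fd12:3456:789a:1::10"   # constructed internal host
    for state in ({"cable": True, "dsl": True}, {"cable": False, "dsl": True}, {}):
        ext = outbound(host, state)
        neutral = "checksum-neutral" if ext and checksum_neutral(host, ext) else ""
        print(state, "->", ext, neutral)
    print("inbound to 2001:db8:2:7c49::10 reaches", inbound("2001:db8:2:7c49::10"))
```

Running it shows the host leaving as 2001:db8:1:7c4a::10 while the cable link is up and as 2001:db8:2:7c49::10 after failover, with both mappings checksum-neutral; the `inbound` call resolves an ISP-side address straight back to the ULA host, which is the "entire internal network is addressable from outside" property. The `{}` case (both links down) returns nothing to translate into, which is the double-ISP loss where only the ULA addresses remain.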