On Jun 14, 2011, at 10:52 AM, Ray Soucy wrote:
It's a security and operational issue.
The perception is that it's easier to monitor, manage, and filter one address per host instead of 3. For most in the enterprise world it's a non-starter to have that setup; even if that perception is a false one.
Yes... The key word there is perception. The question is whether it makes more sense to put effort into correcting mis-perceptions or to put the effort into providing workarounds which provide a sub-par networking experience to the end user. IMNSHO, it is better to put effort into education. I'm surprised to find someone from a .EDU on the opposite side of that thought. One would normally expect them to favor the idea of education over hackery.
Not sure I have the energy to re-hash the tired old NAT debate though. ;-)
That sound you hear is me breathing a sigh of relief. I will continue to do it as long as it remains necessary, but, I'm tired of it too. Owen
On Tue, Jun 14, 2011 at 1:38 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 14 Jun 2011 13:04:11 EDT, Ray Soucy said:
A better solution; and the one I think that will be adopted in the long term as soon as vendors come into the fold, is to swap out RFC1918 with ULA addressing, and swap out PAT with NPT; then use policy routing to handle load balancing and failover the way most "dual WAN" multifunction firewalls do today.
Example:
Each provider provides a 48-bit prefix;
Internally you use a ULA prefix; and setup prefix translation so that the prefix gets swapped appropriately for each uplink interface. This provides the benefits of "NAT" used today; without the drawback of having to do funky port rewriting and restricting incoming traffic to mapped assignments or UPnP.
Why do people insist on creating solutions where each host has exactly one IPv6 address, instead of letting each host have *three* (in this case) - a ULA and two provider-prefixed addresses?
-- Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/