On 7/16/12, Mark Andrews <marka@isc.org> wrote:
In message <CAD8GWsswFwnPKTfxt=squUmZofs3_-yriHY8o4Gt3W9+x6fVUQ@mail.gmail.com>, Lee writes:
On 7/16/12, Owen DeLong <owen@delong.com> wrote:
Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6.
NAT is good for getting the return traffic to the right firewall. How else do you deal with multiple firewalls & asymmetric routing?
Traffic goes where the routing protocols direct it. NAT doesn't help this and may actually hinder as the source address cannot be used internally to direct traffic to the correct egress point.
_source_ address + 'used internally'?? I like policy based routing about as much as the more opinionated members of this list like NAT :)
Instead you need internal routers that have to try to track traffic flows rather than making simple decisions based on source and destination addresess.
Applications that use multiple connections may not always end up with consistent external source addresses.
In the general case, sure. At work, the only time your external source address changes is when something quits working and you're automatically failed over to the working firewall (ha pair).
Yes, it's possible to get traffic back to the right place without NAT. But is it as easy as just NATing the outbound traffic at the firewall?
It can be and it can be easier to debug without NAT mangling addresses.
Yes, there are times when NAT isn't the appropriate solution. I'm not religious about it.. just saying there's times when NAT is the simplest/easiest solution. Regards, Lee