IPv6 NAT

Posted Jul 23, 2011 19:07 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
In reply to: IPv6 NAT by baldur
Parent article: IPv6 NAT

I know that there is always a link-local address. It doesn't matter.

For example, HP networked printers allow only one address to be assigned manually. And Windows does not allow selecting address precedence using the GUI, so it's extremely easy to get one congested link and one lightly loaded - and no way to fix it. Even setting an interface metric (which still doesn't solve problems in reality) requires using DHCPv6 and SLAAC.

Even something as simple as ULA does not work well.

> What address would you put in DNS if you were using NAT with multiple uplinks?

The local address. It works fine for intra-organization purposes. In fact, it works GREAT when it's coupled with Microsoft AD.

> If we are talking about servers the best option is PI.

Which is expensive and doesn't scale.

> As would it be in a solution that includes NAT. But there is actually an alternative: You can use mobile IPv6.

No I cannot. Mobile IPv6 is not even supported in Linux properly, never mind all those embedded networked devices. Oh, Windows Vista/7 also don't support it.


IPv6 NAT

Posted Jul 23, 2011 19:39 UTC (Sat) by baldur (guest, #77305) [Link]

Your HP printer only needs one manually configured address: The ULA. This is the same with or without NAT.

Address preference is set by the router (RA option).

ULA address in the DNS works the same with or without NAT.

Mobile IPv6 would require extra software on the clients, yes. But not on these embedded devices, printers, etc., that are not supposed to be publicly available anyway. There is Linux support btw: http://www.umip.org/

You are overlooking the more powerful alternatives:

NEMO: http://www1.cse.wustl.edu/~jain/cse574-06/ftp/network_mob...

LISP: http://en.wikipedia.org/wiki/Locator/Identifier_Separatio...

LISP was used by Facebook during IPv6 day.

IPv6 NAT

Posted Jul 24, 2011 17:35 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

I'm not overlooking anything. I need something right _now_.

And right now I have only two solutions: NAT or PIR. And the second one is expensive and complex.

Forget IPv6 NAT; use LISP instead

Posted Jul 24, 2011 20:58 UTC (Sun) by baldur (guest, #77305) [Link]

If you need something now go download yourself a copy here: http://www.openlisp.org/

Or if you are using Cisco go here: http://lisp4.cisco.com/index.html

The Linux implementation (which seems less mature): https://github.com/aless/

The available NAT66 solutions do not seem to be any more mature than LISP. Since LISP is so far superior I cannot imagine the world taking on NAT66 at a greater scale. I would therefore expect little or no application support for NAT66 and a world of hurt for those that follow that ill path. There for sure are zero applications today that handle NAT on IPv6 (using STUN to figure out the real IP address and all that jazz).

Forget IPv6 NAT; use LISP instead

Posted Jul 25, 2011 8:35 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

Ok.

I have IPv6 address assignment from my ISP. I want to use LISP. What should I do?

..crickets..

Forget IPv6 NAT; use LISP instead

Posted Jul 25, 2011 9:39 UTC (Mon) by baldur (guest, #77305) [Link]

Install one of the 6 different implementations. Decide if you want to be part of the beta network or just set up your own proxies. If you want the beta network follow the guidelines here: http://www.lisp4.net/beta-network/get-involved/

Otherwise you can ignore the network and install your own PxTR(s) on collocated servers.

Forget IPv6 NAT; use LISP instead

Posted Jul 25, 2011 13:10 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

So, right now LISP is useless as-is. And the only way to use it is to have a proxy somewhere with a stable IP address.

Well, I can do this with IPSec tunnels or PPTP/GRE. And more easily, in fact.

Forget IPv6 NAT; use LISP instead

Posted Jul 25, 2011 19:34 UTC (Mon) by baldur (guest, #77305) [Link]

LISP is very useful and was used by some very large sites (Facebook) during IPv6 day. If they can so can you.

But you are right - a tunnel is yet another way to solve the multihome issue. So now we got:

1) IPv6 with multiple prefixes
2) IPv6 with multiple prefixes and ULA
3) LISP: http://www.lisp4.net/
4) BGP multihome
5) NEMO and MIPv6: http://software.nautilus6.org/implementations.php
6) Custom tunnel
7) NAT66 (pre alpha version published on 15 Jul 2011: http://sourceforge.net/projects/nfnat66/).

We are currently doing 1) on a significantly larger network than the one you administer and it "just works". But I definitely think the future is 3). It might currently take some involvement to set up but that will change quickly.

The use cases and complaints that you have put forward are all solved by LISP and in a much better way than NAT66.

Forget IPv6 NAT; use LISP instead

Posted Jul 26, 2011 16:26 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

LISP has the same problem as IPv6 - to be useful it needs to be widely deployed. And it doesn't look like it'll happen soon.

MIPv6 and NEMO are effectively dead. They require cooperation of both parties to avoid triangular routing, and that's not going to happen because Windows has dropped MIPv6 support and has never had NEMO support.

I honestly think that NAT66 will be used quite widely. And it's actually not that bad, because it's possible to use it just in prefix-translation mode with 1-to-1 mapping.
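The 1-to-1 prefix-translation mode mentioned in the comment above, shown as an added example that is not part of the original thread or of any NAT66 project's code: it uses the checksum-neutral mapping specified in RFC 6296 (NPTv6) for /48 prefixes. The prefixes `INSIDE` and `OUTSIDE` and all function names are sample values chosen for illustration.

```python
import ipaddress

def fold16(total):
    """Fold carries back in: one's-complement addition over 16-bit words."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def checksum16(addr):
    """One's-complement sum of the address words, as used in TCP/UDP checksums."""
    return fold16(sum(words(addr)))

def translate(addr, src_prefix, dst_prefix):
    """Statelessly map addr from src_prefix to dst_prefix (both /48)."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example only handles /48 prefixes")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError(f"{addr} is outside {src}")
    w = words(addr)
    if w[3] == 0xFFFF:
        # 0xFFFF and 0x0000 are both zero in one's complement, so this
        # subnet cannot be mapped 1-to-1; refuse it.
        raise ValueError("subnet 0xFFFF cannot be translated")
    src_sum = fold16(sum(words(src.network_address)[:3]))
    dst_sum = fold16(sum(words(dst.network_address)[:3]))
    # adjustment = src_sum - dst_sum in one's-complement arithmetic
    adjustment = fold16(src_sum + (~dst_sum & 0xFFFF))
    # Only the 16-bit subnet word absorbs the change; host bits are untouched.
    subnet = fold16(w[3] + adjustment)
    if subnet == 0xFFFF:
        subnet = 0x0000  # normalise negative zero
    out = words(dst.network_address)[:3] + [subnet] + w[4:]
    value = sum(word << (112 - 16 * i) for i, word in enumerate(out))
    return str(ipaddress.IPv6Address(value))

# Sample prefixes (a ULA /48 inside, a documentation /48 outside).
INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"
```

Because the mapping is stateless and reversible, it does no filtering of its own: any policy on inbound connections has to come from a separate firewall.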

Forget IPv6 NAT; use LISP instead

Posted Jul 26, 2011 16:53 UTC (Tue) by baldur (guest, #77305) [Link]

You can be the first person in the world to implement LISP and it will be useful. It is not just a tunnel equivalent.

Say you have ISP A and ISP B as uplinks. In addition pay for, rent or collocate a server at both ISPs where you install the LISP proxy software. Granted, this is an extra expense, but you got:

1) The ISPs are taking care of BGP.
2) Automatic load balancing both up and downstream.
3) Automatic failover.
4) If you got PI address space you can easily switch ISPs.
5) If one server goes down you are still good although this depends on the ISP stopping advertising your PI space.

LISP currently has an enormous amount of steam so I feel quite confident that the beta network will eventually convert to production state. At that point it will be just as easy to set up as NAT66 but without any of the drawbacks. All you would need is to log in to the web interface of your standard router and check the LISP option. Then tell it four pieces of information: Your allocated EID, the address of the map service, your username and password.

Of course NAT66 will happen but I don't see multihoming or renumbering-protection as good use cases. These will be better handled by LISP. I don't see most applications getting good NAT66 handling the same way they have NAT44 handling today.

We are probably not going to get any more learnings or consensus out of this thread. I just wanted to point out that there are in fact more options than BGP and NAT66.

Forget IPv6 NAT; use LISP instead

Posted Jul 26, 2011 17:53 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

Well, it's much easier just to register in ARIN/RIPE and get PI assignment. It'll cost about $3000, which is far cheaper than two colocated servers/routers with BGP and LISP support. And I'll get all those benefits and without needing to set up LISP.

We've actually considered a similar variant (colocate a server and use it to terminate GRE tunnels).

So while there may be other ways (I'll concede that multiple IPv6 addresses might work for somebody), your choice is still very much between spending $$$$ and having an in many ways inferior solution.

As for LISP, it merits its own article on LWN. And right now it's FAR from being really complete (which is OK, people are still working on it).

