

IPv6 NAT

Posted Jul 21, 2011 17:36 UTC (Thu) by Lennie (subscriber, #49641)
In reply to: IPv6 NAT by copsewood
Parent article: IPv6 NAT

Why not use http://en.wikipedia.org/wiki/Unique_local_address ?

You have 3 addresses on your hosts:
- link-local
- global address
- ULA

You can have several ULA-ranges in your organisations and you setup any firewalls and internal DNS and so on to only use the ULA.

I know some people think ULA is a bad idea, but I think using NAT is a lot worse.



IPv6 NAT

Posted Jul 21, 2011 19:58 UTC (Thu) by mstefani (guest, #31644) (2 responses)

Because it is an operational mess in practice.
ULAs are not a special IPv6 address type like the site-local addresses once were. They are global addresses by the standard. So you have 2 global addresses on the hosts and the applications/hosts will "randomly" pick one as source address. There doesn't seem to be any consistency between OSes or even OS versions on which address is chosen, and applications can mess with that too. Stateful firewalls tend to not like that, and protocols that are NAT-unfriendly will have a tendency to break too.

What we hear from network vendors is that their customers that tried your proposal have reverted to using only global addresses pretty quickly and not bothered with ULA. Even if they don't route their global address to the internet and provide only NATed or proxied Internet access over IPv6.

No, ULA is a nice idea but doesn't seem to work in practice.
NAT sounds like a bad idea but it tends to work in practice and can simplify some network designs tremendously (multihoming, making sure that the traffic returns through the same stateful firewall, stop gap measure for internet access while you beat your provider and upstream provider for weeks and months to not filter out your prefix, etc). After all NAT is *not* bad, NAT is just a tool. A tool that can be misused but also a tool that can save your ass sometimes.

IPv6 NAT

Posted Jul 21, 2011 22:28 UTC (Thu) by Lennie (subscriber, #49641)

That is the best argument of why ULA doesn't work I've ever seen.

I do think there are ways to solve that, SLAAC and DHCPv6 have a lot of options, I wouldn't be surprised if most operating systems don't honor half of them though.

The solution could be to have the router(s) send 2 different RA packets, one with the global routable address and default route, the other with the ULA and more specific routes for other parts of the network.

That way the host-machine thinks there are 2 routers and thus it knows what source-address to use when talking to the router and hosts on the other parts of the network.

In other news, some people say proxy servers are the solution not NAT.

IPv6 NAT

Posted Aug 30, 2011 23:20 UTC (Tue) by baldur (guest, #77305)

"So you have 2 global addresses on the hosts and the applications/hosts will "randomly" pick one as source address."

No, the host should follow the rules set out in RFC 3484: http://www.ietf.org/rfc/rfc3484.txt

More specifically the host will use the source address with the longest common prefix of the destination address. This rule guarantees that the ULA address will be used to communicate with other ULAs. And the GUA for other GUAs.

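An added illustration of the RFC 3484 selection rules that the two comments above disagree about (it is not code from LWN, from any commenter, or from any OS network stack). It implements rules 1, 2, 6 and 8 of RFC 3484 section 5 over the RFC's default policy table: rules 3, 4, 5 and 7 (deprecated, home, outgoing-interface and temporary addresses) are left out because they do not bear on the ULA-versus-GUA question. The host addresses and destinations are constructed sample values. Two things are visible in the output: with both a ULA and a GUA configured, the longest-matching-prefix rule (rule 8) does pick the ULA for ULA destinations and the GUA for GUA destinations, and, because the RFC 3484 table has no entry for fc00::/7 so a ULA shares label 1 with every GUA, a host that has a ULA but no GUA will happily use the ULA as its source towards the Internet, which is the case the stateful firewall and the NAT-unfriendly protocol then have to cope with.

```python
"""Simplified RFC 3484 source address selection (rules 1, 2, 6 and 8).

Added illustration, not code from LWN or from any OS stack.  Rules 3, 4, 5
and 7 are omitted because they do not affect the ULA/GUA choice.
"""
import ipaddress

# Default policy table of RFC 3484 section 2.1: (prefix, precedence, label).
# There is no entry for ULA (fc00::/7), so a ULA falls under ::/0 and gets
# label 1, the same label as a GUA.  RFC 6724 later added fc00::/7 with
# precedence 3 and label 13; that is an assumption about the newer table
# and is not used here.
POLICY_TABLE = [
    (ipaddress.IPv6Network(p), prec, label)
    for p, prec, label in [
        ("::1/128", 50, 0),
        ("::/0", 40, 1),
        ("2002::/16", 30, 2),
        ("::/96", 20, 3),
        ("::ffff:0:0/96", 10, 4),
    ]
]


def policy(addr):
    """Longest-matching policy table entry -> (precedence, label)."""
    best = max((e for e in POLICY_TABLE if addr in e[0]),
               key=lambda e: e[0].prefixlen)
    return best[1], best[2]


def scope(addr):
    """Address scope per RFC 3484 section 3.1 (RFC 4007 scope values)."""
    if addr.is_multicast:
        return addr.packed[1] & 0x0F          # scope nibble of ff0X::
    if addr.is_link_local or addr.is_loopback:
        return 0x2                            # link-local
    if addr.is_site_local:
        return 0x5                            # deprecated fec0::/10
    return 0xE                                # global; ULA counts as global here


def common_prefix_len(a, b):
    """Number of leading bits two IPv6 addresses share (0..128)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(candidates, destination):
    """Pick the source address RFC 3484 would choose for `destination`.

    `candidates` are the addresses configured on the host, as strings.
    The rules are applied lexicographically, most important first, which
    matches the pairwise comparison order of RFC 3484 section 5.
    """
    d = ipaddress.IPv6Address(destination)
    d_scope = scope(d)
    d_label = policy(d)[1]

    def rank(src):
        s = ipaddress.IPv6Address(src)
        s_scope = scope(s)
        return (
            s != d,                                        # rule 1: same address
            s_scope < d_scope,                             # rule 2: scope must cover dest...
            s_scope if s_scope >= d_scope else -s_scope,   # ...then smallest adequate scope
            policy(s)[1] != d_label,                       # rule 6: matching label
            -common_prefix_len(s, d),                      # rule 8: longest matching prefix
        )

    return min(candidates, key=rank)


# Constructed sample host: link-local, a GUA from the documentation prefix,
# and a ULA.  The real-world ULA and GUA prefixes are assumptions.
HOST_ADDRESSES = ["fe80::1", "2001:db8:1::1", "fd12:3456:789a:1::1"]


if __name__ == "__main__":
    for dst in ("fd12:3456:789a:2::5", "2001:db8:2::5", "fe80::2"):
        print(f"{dst:24} -> {select_source(HOST_ADDRESSES, dst)}")
    # The failure mode: no GUA on the host, so the ULA goes out towards a GUA.
    print("no GUA, 2001:db8:2::5   ->",
          select_source(["fe80::1", "fd12:3456:789a:1::1"], "2001:db8:2::5"))
```

On Linux the policy table this code hard-codes is what `ip addrlabel` shows; adding a label for the site's ULA prefix there, or on a system that already ships the RFC 6724 table, makes rule 6 separate ULA from GUA before rule 8 is ever reached, which is why behaviour differs between OS versions.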

Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds