On 27 Oct 2010, at 14:34, S.P.Zeidler wrote:

> Hi,
>
> Thus wrote Rémi Després ([email protected]):
>
>> As I tried to explain in a previous mail on this list:
>> - If a private-site network has two CPEs giving access to two ISPs with PA
>> prefixes, the CPE via which a packet goes to the Internet depends on the
>> intra-site routing.
>> - If intra-site routing DOESN'T make sure that all packets from a given host
>> always go to the same CPE, then TCP connections will be broken because:
>
> That is actually not correct. You need to ensure that a source-destination
> pair always goes the same way. That is trivially done by setting static
> routes and making sure that you have the 'right' source address for the
> chosen path.

You are right, the sentence should have said "all packets from a given host to a given destination".
Note that I didn't say it wasn't feasible, just that it needs to be done.
How "trivial" this configuration is is a matter of appreciation, but it does work.
A drawback however is that, without further precautions, it breaks the ability to use another CPE when one fails.

>> This being said, I do agree that there is a small window of opportunity for
>> NAT66 in multihoming sites with multiple PAs, namely IF:
>> - No incoming connection to any host is intended to be desirable in IPv6
>
> In my opinion, hosts that can be talked to from the outside belong in
> the DMZ and are few enough that they can be manually configured, and thus
> have hand-crafted policies. These may actually run multi-homed with
> N>>2 prefixes, and if they have to be renumbered it'll not be the
> "internal" address that changes, but just one of the outside prefixes,
> which is work and annoying but not a near-catastrophic event with weeks
> of fall-out. DMZ hosts IMO should not be subject to NAT anyway. YMMV.

The sentence would have been more precise with "No incoming connection to any host *behind the NAT66* is intended to be desirable in IPv6".
I agree.

Thanks,
RD
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
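
The static-route approach discussed in this thread, as an added example that is not part of any message: a small model of choosing, per destination, the egress CPE and the matching source address, and of the failover drawback noted in the reply. The prefixes, CPE names, route table and function names are all constructed for illustration.

```python
import ipaddress

# Constructed topology (documentation prefixes): two CPEs, one PA prefix each.
CPE_PREFIX = {
    "cpe-a": ipaddress.ip_network("2001:db8:a::/48"),
    "cpe-b": ipaddress.ip_network("2001:db8:b::/48"),
}
# Constructed static routes: destination prefix -> CPE, longest match wins.
STATIC_ROUTES = [
    (ipaddress.ip_network("::/0"), "cpe-a"),
    (ipaddress.ip_network("2001:db8:ffff::/48"), "cpe-b"),
]
# A host holding one address from each PA prefix.
HOST_ADDRS = ["2001:db8:a::10", "2001:db8:b::10"]


def egress_cpe(dst):
    """Return the CPE chosen by the most specific static route for dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, cpe) for net, cpe in STATIC_ROUTES if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches)[1]


def select_path(host_addrs, dst, cpes_up=("cpe-a", "cpe-b")):
    """Return (cpe, source) for dst, or None when the routed CPE is down."""
    cpe = egress_cpe(dst)
    if cpe not in cpes_up:
        # Static routes alone do not move traffic to the surviving CPE.
        return None
    for addr in host_addrs:
        if ipaddress.ip_address(addr) in CPE_PREFIX[cpe]:
            return cpe, addr
    raise LookupError(f"host has no address in the prefix of {cpe}")


if __name__ == "__main__":
    for dst in ("2001:db8:1234::1", "2001:db8:ffff::1"):
        print(dst, "->", select_path(HOST_ADDRS, dst))
    print("cpe-b down:", select_path(HOST_ADDRS, "2001:db8:ffff::1", cpes_up=("cpe-a",)))
```

Because the choice depends only on the destination and the static table, every packet of a given source-destination pair takes the same CPE with the same source address.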
