On Mar 15, 2011, at 10:28 , Rémi Després wrote:
> 2.4
> In case of multihoming with PA's, a limitation of NPTv6 that should be noted
> is that some incoming connections can fail:
> - In a site having global prefixes PA1 and PA2, an internal server has two
> global IPv6 addresses S1 and S2.
> - If its default exit route goes to the PA1-CPE, incoming connections
> addressed to S2 will fail due to ingress filtering in the PA1-CPE.
I don't think this hits the mark. From section 5:
[...] Also, an NPTv6 Translator does not aggregate
traffic for several hosts/interfaces behind a lesser number of
external addresses, so there is no inherent expectation for an NPTv6
Translator to block new inbound flows from external hosts, and no
issue with a filter or blacklist associated with one prefix within
the domain affecting another. [...]
I'm not sure that NPTv6 introduces any new site-multihoming problems for
firewalls beyond those they already have, but I suspect it might. Without
NPTv6 involved to unify multiple external prefixes into a single local prefix,
hosts on traditionally site-multihomed networks will discover each external
prefix and their attributes separately. With NPTv6 unifying the external
prefixes into a single local prefix, they discover only one prefix and its
unified attributes. I suspect that NPTv6 might add a burden on firewalls
related to the unification of external prefix attributes so that routers
advertising the local prefix have unified attributes to advertise that prevent
communications failures associated with attribute renewal.
--
james woodyatt <[email protected]>
member of technical staff, core os networking
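To make the quoted S1/S2 case and the "single local prefix" mechanism concrete, here is an added Python model (not from this thread or from any NPTv6 implementation): it applies the RFC 6296 checksum-neutral /48 mapping and checks whether a server's reply passes the ingress filter of the default-exit CPE. The prefixes, addresses and the filter behaviour are constructed assumptions.

```python
import ipaddress

# Constructed topology (not from the thread): two PA /48 prefixes whose CPEs
# apply ingress filtering, and one internal /48 for the NPTv6 case.
PA1 = ipaddress.ip_network("2001:db8:1::/48")
PA2 = ipaddress.ip_network("2001:db8:2::/48")
LOCAL = ipaddress.ip_network("fd00:1:2::/48")

def words16(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    return [int.from_bytes(ipaddress.IPv6Address(addr).packed[i:i + 2], "big")
            for i in range(0, 16, 2)]

def oc_sum(words):
    """One's-complement sum of 16-bit words, folded to 16 bits."""
    s = sum(words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def npt6_map(addr, inside, outside):
    """RFC 6296 /48 translation: replace the prefix, then adjust word 3 so the
    one's-complement sum of the address (hence any TCP/UDP checksum that
    covers it) is unchanged; applying it with the prefixes swapped undoes it."""
    w = words16(addr)
    pin = words16(inside.network_address)[:3]
    pout = words16(outside.network_address)[:3]
    w[0:3] = pout
    w[3] = oc_sum([w[3], oc_sum(pin), (~oc_sum(pout)) & 0xFFFF])
    if w[3] == 0xFFFF:          # 0xFFFF and 0 are the same one's-complement value
        w[3] = 0
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

def ingress_filter_ok(cpe_prefix, src):
    """A PA CPE (or its ISP) forwards only packets sourced from its own prefix."""
    return ipaddress.IPv6Address(src) in cpe_prefix

def reply_leaves_site(server_addr, default_exit, nptv6=False):
    """Model of the quoted case: the reply to an inbound connection keeps the
    address the connection arrived on as its source and follows the default
    route.  Returns (forwarded by default-exit CPE, source seen upstream)."""
    src = npt6_map(server_addr, LOCAL, default_exit) if nptv6 else ipaddress.IPv6Address(server_addr)
    return ingress_filter_ok(default_exit, src), src

if __name__ == "__main__":
    # Server addresses S2 (traditional PA multihoming) and L (one local address)
    print("S2 reply via PA1-CPE:   ", reply_leaves_site("2001:db8:2:10::53", PA1))
    print("NPTv6 reply via PA1-CPE:", reply_leaves_site("fd00:1:2:10::53", PA1, nptv6=True))
```

In the NPTv6 case the reply passes the PA1-CPE filter, but the source the peer sees is the PA1 mapping of the local address rather than the PA2 address the connection was sent to; the model stops there and does not decide how the peer treats that.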
_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66