IETF Logo Mail Archive

Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-multihoming-without-ipv6nat-03.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 17 November 2011 11:10 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABEC521F9B47 for <v6ops@ietfa.amsl.com>; Thu, 17 Nov 2011 03:10:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.515
X-Spam-Level:
X-Spam-Status: No, score=-103.515 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dun0MoUFUdNd for <v6ops@ietfa.amsl.com>; Thu, 17 Nov 2011 03:10:10 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id D207B21F9B43 for <v6ops@ietf.org>; Thu, 17 Nov 2011 03:10:08 -0800 (PST)
Received: by ggnr5 with SMTP id r5so1035494ggn.31 for <v6ops@ietf.org>; Thu, 17 Nov 2011 03:10:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=/BSJzTXWhi7xphQBQFYaCD/ETDafdfNG2u/wzFW/Yzw=; b=JheorGAlsHR1C0tYju2CzHVUljBnvPaMbutH31JtZjk42smeBn7fYbofqixQ1VetVG PCQUShPZ/X3YHRpie6+ZA/pM1OQtpMx0jNEK2f2rn67tw3pFRqfl8P1U75+i+6u+g5uf aXLLkla/5x6qzYrBvLu8+5Y6S5QSUoKOpojRs=
Received: by 10.101.85.4 with SMTP id n4mr11107868anl.155.1321528208299; Thu, 17 Nov 2011 03:10:08 -0800 (PST)
Received: from [130.129.19.92] (dhcp-135c.meeting.ietf.org. [130.129.19.92]) by mx.google.com with ESMTPS id 32sm13923199anu.10.2011.11.17.03.10.05 (version=SSLv3 cipher=OTHER); Thu, 17 Nov 2011 03:10:07 -0800 (PST)
Message-ID: <4EC4EB86.80308@gmail.com>
Date: Fri, 18 Nov 2011 00:09:58 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Ray Hunter <v6ops@globis.net>
References: <20111115062859.14026.42405.idtracker@ietfa.amsl.com> <4EC2ABA8.4020303@globis.net> <4EC2FD24.1090303@gmail.com> <4EC37529.4070505@globis.net> <20111117013452.19F35179A55F@drugs.dv.isc.org> <4EC469E7.9010602@gmail.com> <20111117055040.E34FC179DAF9@drugs.dv.isc.org> <4EC4D7D1.8050601@globis.net>
In-Reply-To: <4EC4D7D1.8050601@globis.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: v6ops@ietf.org
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-multihoming-without-ipv6nat-03.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 11:10:12 -0000

Ray,

On 2011-11-17 22:45, Ray Hunter wrote:
> Agreed. Most multinationals I know are already LIRs. They can run BGP to
> the major sites with multiple ISPs and their own PI /32. That's the easy
> bit.
> 
> But it isn't just about a few large sites and 2 ISP's. There's also the
> rest of the private corporate network covering 50+ countries + multiple
> (smaller) ISPs to consider.

Exactly. The small number of biiig multinationals is not an issue.

> 
> IMHO I have seen three use cases so far in production today in IPv4 that
> are not really covered in IPv6. To be frank, these current solutions
> seem mainly to be driven by commercial considerations rather than
> technical ones. So if a commercial solution could be found, there
> wouldn't be much resistance to change. Most problems are due to the
> return route, not the outbound one.
> 
> 1. Home workers, remote branch offices, and SME's that need higher
> availability than a single consumer ISP link, but don't have the
> capability/desire/cash/ISP to run a multihomed BGP AS. Today they can
> use a simple outbound-only load-balancing box, or a specialist VPN box
> that provides 2 GRE/IPSec tunnels via 2 ISPs. The GRE/IPSec solution
> will obviously work in the future, but the load balancer won't.

Multipath TCP would handle the load balancing issue (but not of course
for non-TCP traffic). Shim6 would handle failover for all types of flow.
But both of these need both ends to play, which makes deployment sticky.

> 
> 2. Local Internet break out. Remote corporate site is still connected to
> the corporate network for business/production critical apps, but
> Internet traffic is gatewayed directly into the Public Internet at the
> local site for Internet centric apps like foobarnow.com. Today the local
> site Internet firewall/router can use NAT44 outbound: guaranteeing a
> return route direct to the local site. Most, but not all, Internet
> centric apps are web based, but that would mean installing a proxy on
> every site for IPv6. I see no solution so far for apps that are
> "NAT44-able" but "non-proxy-able" with IPv6. Negotiating ISP routing of
> a single /48 in country X from the PI /32 is unlikely to work in all
> cases. I guess these sites could just use PA space addresses, but then
> you have limited service availability, and potential renumbering issues.

Why? If the local PA link goes down, you'd revert to a slower path
using an address under the PI prefix.

In my experience when I was such a corporate user, I got renumbered whenever
I reconnected my ThinkPad. It was never an issue.

> 
> 3. Internet offload. Remote corporate site has a main link and an
> Internet connection. Local site router is connected to both and uses
> Policy Based Routing (PBR) to route down the appropriate link. A GRE
> tunnel carries the bulk traffic over the Internet to the regional
> corporate data centre, where it emerges from the tunnel and passes
> through the usual security controls onto the Public Internet. Return
> route to the GRE tunnel is guaranteed via NAT. Otherwise you'd need to
> run PBR on the DC firewall as the Internet tunnel and private corporate
> network are connected to different security zones on the firewall. PBR
> on firewalls doesn't exist so far AFAIK.

Firewalls aren't routers, but they can have routers glued onto them.

   Brian

> 
> In most cases there's multiple hops (and possibly security devices)
> between the end nodes and the point where the alternative paths split.
> 
> 
> Mark Andrews wrote:
>> <snip>
>>
>> I would expect multi-nationals to be able to work around these sort
>> of restrictions already.  My primary focus is to make it work for
>> the home / small office.  Bigger customers can usually make this
>> work today without automation.  Homes and small offices can't because
>> them man power cost is too high to deal with the volume.
>>
>> That said I would welcome a solution that scales up to handle any
>> business that isn't a ISP.
>>
>> Mark
>>    
> 
>

v2.23.0 | Report a Bug | By Email