Re: Use of NPTv6 in a mobile service provider network

["Dobbins, Roland via NANOG" <nanog () nanog org>]

On Feb 3, 2025, at 17:03, Amos Rosenboim via NANOG <nanog () nanog org> wrote:

The requirement for state full traffic flow is given by the customer.

Organizations sometimes state that they’ve requirements in specializesd contexts which are in fact counterproductive; 
in such cases, they can often benefit from education in order to make contextually optimal decisions.

The logic behind it is to avoid unnecessary paging procedures for idle mobile devices.

‘Paging procedures’?

It protects both signaling resources of the network and also battery life of devices.

There are other ways to accomplish this.

This was very relevant in the early 2000s, not sure if it’s relevant for today.

It was a huge mistake in the late 1990s and early 2000s, as the early GPRS and EDGE wireless broadband networks which 
were implemented in the same fashion as poorly-designed, state-ridden enterprise networks constantly experienced severe 
operational problems until they were remediated, one way or another.

However it remains a customer requirement.

See above.

As for clients recovery from flow interruption - from incidents we had in the last few years and observing how fast 
connection ramp up on the alternate devices it seems that clients are recovering very quickly.

Introducing stateful firewalls in front of a population of Internet broadband clients is a Very Bad Idea.  DDoS attacks 
are attacks agains capacity and/or state; and outbound/crossbound attacks can be just as disruptive as inbound attacks.

This precise scenario has played out many times, over the years.  Networks which were suboptimally designed in this 
fashion were either completely re-designed in order to be scalable and resilient, removing unnecessary and harmful 
state; were acquired and their brittle, fragile, non-scalable state-ridden infrastructure was decommissioned; or went 
out of business.

The few holdouts in the present day inevitably experience the problems described above, and then proceed through the 
same evolution as other network operators with similar architectures.

My main concern is that this customer has pretty traditional mind set and never like being the first deployment of any 
technology.

NAT64/DNS64 with 464XLAT  or something along these lines isn’t new technology; on the contrary, it’s quite mature, and 
deployed around the world.   It isn’t stateless, but it’s much more scalable than sticking stateful firewalls 
everywhere, heh.

Designing and implementing a broadband access network with this sort of architecture isn’t going to end well.  It isn’t 
beyond the realm of possibility that these ‘requirements’ are largely driven by a supplier of stateful firewalls, or an 
internal advocate for same.