nanog mailing list archives

Re: Use of NPTv6 in a mobile service provider network


From: Joshua Miller <contemno () gmail com>
Date: Sun, 2 Feb 2025 22:46:12 -0500

Hi Amos,

Assuming the network segments adjacent to these stateful devices use
longest prefix match routing, NPTv6 is your best option. You'd assign a
unique IPv6 prefix as the NPTv6 prefix to each firewall, ensuring the
traffic returns to the correct firewall.

Keep in mind each stateful firewall is a single point of failure for the
flows it handles. When it inevitably goes down (maintenance or failure),
all those flows will have to be re-established through other firewalls.
Also, depending on how the clients are configured with connection timeouts,
the users could experience a noticeable amount of service disruption.

It's possible to have firewalls in a cluster sharing state, but I consider
them to be a single logical device with its own failure profile. In that
scenario I would be inclined to deploy multiple redundant clusters; without
knowing your budget I don't know how feasible this is. —"Shared state,
shared fate."

I wouldn't use NAPT66 unless you need to do something really bespoke.
Introducing port translation complicates end-to-end connectivity, and adds
more latency and issues for applications like VoIP.

To dive a little deeper, I'd reevaluate the requirement for the firewalls
to be stateful. Are there any specific threats or attack vectors you want
to address with stateful flow tracking?


Best,
Josh
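A worked illustration of the per-firewall NPTv6 mapping Josh describes, added here as an example and not part of his post or of any vendor's implementation. It implements the RFC 6296 algorithm for prefixes of /48 or shorter: the prefix bits are rewritten and the 16-bit word at bits 48..63 is adjusted in one's complement so that transport-layer checksums stay valid without the translator touching them. The prefixes are constructed (ULA inside, documentation range outside); giving each firewall its own outside prefix is what makes return traffic route back through the firewall that created the flow. The rejection of a 0xFFFF subnet word follows my reading of RFC 6296 (0xFFFF is negative zero in one's complement and cannot round-trip).

```python
import ipaddress


def _fold(total):
    """Fold an integer into a 16-bit one's complement value (end-around carry)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _oc_add(a, b):
    return _fold(a + b)


def _oc_sub(a, b):
    # a - b in one's complement arithmetic is a + (~b)
    return _fold(a + ((~b) & 0xFFFF))


def _words(addr):
    """The eight big-endian 16-bit words of an IPv6 address."""
    p = addr.packed
    return [int.from_bytes(p[i:i + 2], "big") for i in range(0, 16, 2)]


def address_sum(addr):
    """One's complement sum of an address, with negative zero (0xFFFF) normalised to 0.
    Two addresses with equal sums contribute identically to TCP/UDP/ICMPv6 checksums."""
    total = _fold(sum(_words(ipaddress.IPv6Address(addr))))
    return 0 if total == 0xFFFF else total


class NPTv6:
    """Stateless, checksum-neutral prefix translator (RFC 6296, prefix length <= 48)."""

    SUBNET_WORD = 3  # bits 48..63 absorb the checksum adjustment

    def __init__(self, inside, outside):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen or self.inside.prefixlen > 48:
            raise ValueError("this example handles equal-length prefixes of /48 or shorter")
        # Sum each prefix padded to 64 bits; adjustment = inside - outside (one's complement).
        inside_sum = _fold(sum(_words(self.inside.network_address)[:4]))
        outside_sum = _fold(sum(_words(self.outside.network_address)[:4]))
        self.adjustment = _oc_sub(inside_sum, outside_sum)

    def _map(self, addr, src, dst, adjustment):
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not within {src}; this translator does not own it")
        w = _words(a)
        if w[self.SUBNET_WORD] == 0xFFFF:
            raise ValueError(f"{a}: subnet word 0xFFFF is not translatable")
        # Rewrite the prefix bits, keep the host bits, then adjust the subnet word.
        host_mask = (1 << (128 - src.prefixlen)) - 1
        rewritten = (int(dst.network_address) & ~host_mask) | (int(a) & host_mask)
        w = _words(ipaddress.IPv6Address(rewritten))
        w[self.SUBNET_WORD] = _oc_add(w[self.SUBNET_WORD], adjustment)
        if w[self.SUBNET_WORD] == 0xFFFF:  # negative zero is written as 0x0000
            w[self.SUBNET_WORD] = 0
        return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w)))

    def outbound(self, addr):
        """Inside source address -> outside address on the way out."""
        return self._map(addr, self.inside, self.outside, self.adjustment)

    def inbound(self, addr):
        """Outside destination address -> inside address on the way back (negated adjustment)."""
        return self._map(addr, self.outside, self.inside, (~self.adjustment) & 0xFFFF)


if __name__ == "__main__":
    # Constructed example: two firewalls share one inside prefix but each owns a
    # distinct outside prefix, so replies are routed back to the firewall that
    # holds the flow state.
    firewalls = {
        "fw-a": NPTv6("fd00:1::/48", "2001:db8:1::/48"),
        "fw-b": NPTv6("fd00:1::/48", "2001:db8:2::/48"),
    }
    client = "fd00:1:0:10::5"
    for name, fw in firewalls.items():
        ext = fw.outbound(client)
        print(f"{name}: {client} -> {ext} -> {fw.inbound(ext)}; "
              f"sum {address_sum(client):#06x} == {address_sum(ext):#06x}")
```

Note that a reply addressed to fw-b's outside prefix cannot be mapped by fw-a at all (it raises rather than guessing), which is the routing property Josh relies on; the state that is lost when a firewall fails is the flow table, not the address mapping, which any replacement running the same configuration reproduces.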


