nanog mailing list archives

Re: Use of NPTv6 in a mobile service provider network


From: Amos Rosenboim via NANOG <nanog () nanog org>
Date: Mon, 3 Feb 2025 10:03:00 +0000

Thank you Joshua for the quick and detailed response.

I agree with everything you mentioned below, and this is why we are considering it.

To your questions and comments below:

The requirement for stateful traffic flow is given by the customer.
The logic behind it is to avoid unnecessary paging procedures for idle mobile devices.
It protects both signaling resources of the network and also battery life of devices.
This was very relevant in the early 2000s, not sure if it’s relevant for today.
However it remains a customer requirement.

As for clients' recovery from flow interruption - from incidents we had in the last few years and observing how fast 
connections ramp up on the alternate devices, it seems that clients are recovering very quickly.

My main concern is that this customer has a pretty traditional mindset and never likes being the first deployment of any 
technology.

This is why I am looking for inputs on other deployments that use this technology.

Regards,

Amos

Sent from my iPhone

On 3 Feb 2025, at 5:46, Joshua Miller <contemno () gmail com> wrote:

Hi Amos,

Assuming the network segments adjacent to these stateful devices use longest prefix match routing, NPTv6 is your best 
option. You'd assign a unique IPv6 prefix as the NPTv6 prefix to each firewall, ensuring the traffic returns to the 
correct firewall.

Keep in mind each stateful firewall is a single point of failure for the flows it handles. When it inevitably goes down 
(maintenance or failure), all those flows will have to be re-established through other firewalls. Also, depending on 
how the clients are configured with connection timeouts, the users could experience a noticeable amount of service 
disruption.

It's possible to have firewalls in a cluster sharing state, but I consider them to be a single logical device with its 
own failure profile. In that scenario I would be inclined to deploy multiple redundant clusters; without knowing your 
budget I don't know how feasible this is. —"Shared state, shared fate."

I wouldn't use NAPT66 unless you need to do something really bespoke. Introducing port translation complicates 
end-to-end connectivity, and adds more latency and issues for applications like VoIP.

To dive a little deeper, I'd reevaluate the requirement for the firewalls to be stateful. Are there any specific 
threats or attack vectors you want to address with stateful flow tracking?


Best,
Josh
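The per-firewall prefix scheme Josh describes, worked through as an added example (this is not code from the thread or from any of the participants). It implements the checksum-neutral prefix mapping idea of RFC 6296 for two hypothetical firewalls that both front the same internal prefix but each own a distinct external prefix, and shows why a reply addressed to the translated address is routed back to the firewall that holds that flow's state. The prefixes fd00:1:2::/48, 2001:db8:1::/48 and 2001:db8:2::/48, the host fd00:1:2:10::1234 and the names fw-a and fw-b are constructed for the example. Two simplifications are the example's own, not the RFC's: only prefix lengths that are multiples of 16 (up to /64) are accepted, and an adjusted word of 0xFFFF is written as 0x0000 (the same value in one's-complement arithmetic); check RFC 6296 for the exact rules before relying on either.

```python
import ipaddress


def ones_sum(words):
    """16-bit one's-complement sum with end-around carry (the checksum arithmetic of IP/TCP/UDP)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total & 0xFFFF


def ones_neg(w):
    """One's-complement negation: w + ~w == 0xFFFF, which is zero in this arithmetic."""
    return (~w) & 0xFFFF


def addr_words(addr):
    """Split an IPv6 address into its eight 16-bit words, most significant first."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def words_addr(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


class NPTv6Translator:
    """Stateless, checksum-neutral prefix translation between an internal and an external prefix."""

    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        plen = self.internal.prefixlen
        # Example simplification: equal-length prefixes on 16-bit boundaries only.
        if plen != self.external.prefixlen or plen % 16 or plen > 64:
            raise ValueError("example supports equal-length /16, /32, /48 or /64 prefixes")
        self.nwords = plen // 16
        # Prefixes of /48 or shorter absorb the adjustment in the subnet word (bits 48-63);
        # longer ones use the first word of the interface identifier (bits 64-79).
        self.adj_index = 3 if plen <= 48 else 4
        sum_int = ones_sum(addr_words(self.internal.network_address)[: self.nwords])
        sum_ext = ones_sum(addr_words(self.external.network_address)[: self.nwords])
        # Rewriting the prefix changes the address's one's-complement sum by (ext - int);
        # adding (int - ext) to one free word cancels that, so no transport checksum changes.
        self.adj_out = ones_sum([sum_int, ones_neg(sum_ext)])  # internal -> external
        self.adj_in = ones_sum([sum_ext, ones_neg(sum_int)])   # external -> internal

    def _translate(self, addr, src_net, dst_net, adjustment):
        if addr not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        words = addr_words(addr)
        words[: self.nwords] = addr_words(dst_net.network_address)[: self.nwords]
        new = ones_sum([words[self.adj_index], adjustment])
        # Example simplification: fold 0xFFFF to 0x0000 (equal in one's-complement arithmetic).
        words[self.adj_index] = 0 if new == 0xFFFF else new
        return words_addr(words)

    def outbound(self, addr):
        """Internal source address -> external address this firewall advertises."""
        return self._translate(ipaddress.IPv6Address(addr), self.internal, self.external, self.adj_out)

    def inbound(self, addr):
        """External destination of a reply -> the original internal address."""
        return self._translate(ipaddress.IPv6Address(addr), self.external, self.internal, self.adj_in)


def address_sum(addr):
    """Contribution of an address to the transport pseudo-header checksum, 0xFFFF folded to 0."""
    s = ones_sum(addr_words(ipaddress.IPv6Address(addr)))
    return 0 if s == 0xFFFF else s


def select_firewall(firewalls, reply_dst):
    """Longest-prefix match of a reply's destination against each firewall's external prefix."""
    dst = ipaddress.IPv6Address(reply_dst)
    best = None
    for name, fw in firewalls.items():
        if dst in fw.external and (best is None or fw.external.prefixlen > firewalls[best].external.prefixlen):
            best = name
    return best


if __name__ == "__main__":
    # Constructed topology: two firewalls in front of the same internal /48, each with its own external /48.
    firewalls = {
        "fw-a": NPTv6Translator("fd00:1:2::/48", "2001:db8:1::/48"),
        "fw-b": NPTv6Translator("fd00:1:2::/48", "2001:db8:2::/48"),
    }
    host = "fd00:1:2:10::1234"
    for name, fw in firewalls.items():
        ext = fw.outbound(host)
        print(f"{name}: {host} -> {ext}  addr-sum {address_sum(host):#06x} -> {address_sum(str(ext)):#06x}")
        print(f"  reply to {ext} is routed to {select_firewall(firewalls, str(ext))}, restored as {fw.inbound(ext)}")
```

The same internal host comes out as 2001:db8:1:cf59::1234 through fw-a and 2001:db8:2:cf58::1234 through fw-b, so a reply's destination alone carries enough information for longest-prefix-match routing to deliver it to the firewall holding the flow state; the subnet word absorbs the difference so the one's-complement sum of the address, and therefore the TCP/UDP checksum over the pseudo-header, is unchanged and the translator never has to touch the transport header.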
