Ideas on IPV6 WAN Interconnects..

millworx Member Posts: 290
So I've been undertaking the IPV6 migration here at my office. I've run into an interesting situation and can't seem to think of an adequate solution that would appease our security group.

Currently we have IPV4 interconnects with many partner companies. Since we do not allow our partners to inject their internal routes into ours we NAT everything that comes over the interconnect.

Now that we are upgrading to IPV6 everywhere this presents a problem for me. Since IPV6 does not have NAT I am unsure how to design an interconnect solution that would prevent the partner from injecting IPV6 routes into our routing domain. So... are there any solutions that anyone can think of to combat this roadblock?
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide

Comments

  • vinbuck Member Posts: 785
    Depends on the routing protocol and if you're talking public or private peering? If it's BGPv6, you should be able to filter exactly what ranges you will accept from any given peer.

    A few more details about the design would help....
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • millworx Member Posts: 290
    Okay let me give an example of one setup we have currently in IPV4.

    We have a gateway sitting at a partner site which the partner connects into. The partner gives us the subnets that they connect from and we NAT those subnets into our internal addressing scheme and inject it into our EIGRP routing domain.

    Now current policy says even with IPV6 partners cannot inject their own internal routes into our EIGRP routing domain. But I'm stuck as to how I can do this since I cannot NAT their IPV6 addresses into an IPV6 address space that we control.

    The only thing which I can even think of would be translating their IPV6 to IPV4 and then converting IPV4 back to IPV6. This should solve the problem of them injecting their routes into our domain, but it looks like a very messy solution. So I was hoping there were alternatives.
    Currently Reading:
    CCIE: Network Security Principals and Practices
    CCIE: Routing and Switching Exam Certification Guide
  • vinbuck Member Posts: 785
    Things are still a little unclear...are we talking public or private IP space? Are they coming in from the Internet or on a private segment?

    Kinda sounds like you might benefit from MPLS, VRFs and Layer 3 VPNs, but still need a little more info than that to help you....
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • networker050184 Mod Posts: 11,962
    Sounds like a very silly requirement to me. Proper route filtering should be used instead of a NAT solution IMO. I understand the need for security, but NAT isn't the only way (the worst way IMO) to go about this.

    Also wanted to add that it sounds like you are using the wrong tool to accomplish this job. I'd go with BGP here rather than EIGRP if the goal is to protect your IGP.
    An expert is a man who has made all the mistakes which can be made.
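
The per-peer route filtering suggested in the replies above, modelled as an added example that is not part of any poster's message: a first-match inbound prefix filter with an implicit deny, run over constructed advertisements. All prefixes are documentation space and the policy entries, sample routes and prefix limit are assumptions.

```python
import ipaddress

# Constructed policy (documentation prefixes, not taken from the thread).
# Each entry: (action, prefix, min_len, max_len), evaluated first-match like a
# router prefix-list; anything unmatched is denied.
PARTNER_IN = [
    ("deny",   "2001:db8:1::/48",    48, 128),  # our own internal block (assumed)
    ("permit", "2001:db8:a000::/48", 48, 64),   # ranges the partner declared (assumed)
]

def evaluate(policy, advertised):
    """Return 'permit' or 'deny' for one advertised prefix."""
    route = ipaddress.ip_network(advertised)
    for action, prefix, min_len, max_len in policy:
        entry = ipaddress.ip_network(prefix)
        if (route.version == entry.version
                and route.subnet_of(entry)
                and min_len <= route.prefixlen <= max_len):
            return action
    return "deny"  # implicit deny at the end of the list

def filter_updates(policy, advertised_routes, max_prefixes=10):
    """Split a peer's advertisements into (accepted, rejected).

    Raises if more routes are accepted than max_prefixes, modelling a
    per-peer prefix limit (hypothetical value).
    """
    accepted, rejected = [], []
    for r in advertised_routes:
        (accepted if evaluate(policy, r) == "permit" else rejected).append(r)
    if len(accepted) > max_prefixes:
        raise RuntimeError("prefix limit exceeded, session should be torn down")
    return accepted, rejected

# Constructed advertisements from a hypothetical partner session.
SAMPLE = [
    "2001:db8:a000::/48",     # agreed aggregate
    "2001:db8:a000:10::/64",  # agreed more-specific
    "2001:db8:a000::1/128",   # host route, longer than allowed
    "::/0",                   # default route
    "2001:db8:1:200::/64",    # inside our own space
    "2001:db8:b000::/48",     # never agreed
]

if __name__ == "__main__":
    ok, bad = filter_updates(PARTNER_IN, SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```

Only the two agreed prefixes survive; the default route, the host route, the route overlapping the internal block and the undeclared range are all dropped before they could reach the IGP.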