PROBLEM: Proxy port exhaustion occurs when having high number of users using multiple devices and using cloud services.
There are some limitations when using Office 365, e.g. the number of ports allocated by the average user, which is about 4 or 5 depending on device accesses. If the organization has 5000 users, and each takes 5 ports, we have a problem.
So, I have been looking at alternative ways to solve this problem, and one such idea that came to mind was the ability to assign multiple addresses on an interface using IPv6.
The idea is to "NAT by vlan and then proxy out the WAN" based on multi-IPv6 assignments limiting the number of nodes NAT'd per-IP gateway, thus freeing up the port exhaustion limitation. Make sense?
QUESTION(s): Has anyone done this? What were your results? How well did it perform? Which platforms did you test this on? Were there any LAN side (Eth-port, trunking) challenges that came up?
NOTE: I'd gladly try to do an IPv4 reverse-VIP style solution if someone has that suggestion too!
Is there an inherent reason why you have to try to NAT and/or proxy your v6 traffic? The other way of evading proxy/port limits is to use native v6 and let the clients go direct.
-- Jim Leinweber, WI State Lab of Hygiene
Thank you for the response!
The reason for NAT was just a security decision, and the choice of ip4-vs-ip6 is really of little difference in reference to the proxy-port problem I suppose.
Understand that I am trying to get server engineers to think like network engineers, and they just are not getting my multiple ways of solving this issue (i.e. multiple IPs on a WIC) and then proxy routing users to internally/externally distributed servers providing 'service-ABC'.
In this case, the service I'm referring to is office-365/Onprem-Exch, which....yes, in a single-IP location, would easily overwhelm ports attaching that many users, but there is no way there should be that many users at a single-ip based site (imho). Even still, just VIP or multi-IP the WIC routes and reverse proxy the users to different servers.
I'm just curious if anyone has hit this port-limit issue even AFTER doing as I suggest?
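The "NAT by VLAN" idea above only relieves port exhaustion if the extra public addresses are actually shared: pinning one public address per VLAN moves the 64k-port ceiling from the site to the largest VLAN. The following toy NAPT allocator is an added example written for this thread (it is not code from any poster or vendor); the VLAN sizes, addresses and the five-flows-per-user figure are constructed, and it assumes every public (address, port) pair is handed out at most once and that ports 1024-65535 are usable.

```python
"""Toy NAPT port allocator: static per-VLAN public address vs. a shared pool.

Added example for illustration; not from the original thread. All VLAN
sizes, addresses and session counts below are constructed.
"""
from collections import defaultdict

PORT_RANGE = (1024, 65535)  # assumption: this whole range is usable for translation


class NaptTable:
    """Minimal NAPT table: (inside_host, inside_port) -> (public_ip, public_port).

    Each public (ip, port) pair is used at most once, which is exactly the
    property that makes the pool finite and exhaustible.
    """

    def __init__(self, public_ips, port_range=PORT_RANGE):
        lo, hi = port_range
        self.free = {ip: list(range(hi, lo - 1, -1)) for ip in public_ips}
        self.table = {}
        self.rejected = 0

    def choose_ip(self, inside_host):
        raise NotImplementedError  # subclasses decide which public address to use

    def allocate(self, inside_host, inside_port):
        ip = self.choose_ip(inside_host)
        if ip is None or not self.free[ip]:
            self.rejected += 1  # no free (ip, port) pair: the flow cannot be translated
            return None
        port = self.free[ip].pop()
        self.table[(inside_host, inside_port)] = (ip, port)
        return ip, port

    def release(self, inside_host, inside_port):
        ip, port = self.table.pop((inside_host, inside_port))
        self.free[ip].append(port)

    def in_use(self):
        """Number of translated flows per public address."""
        counts = defaultdict(int)
        for ip, _ in self.table.values():
            counts[ip] += 1
        return dict(counts)


class StaticVlanNapt(NaptTable):
    """'NAT by VLAN': each VLAN is pinned to a single public address."""

    def __init__(self, vlan_to_ip, port_range=PORT_RANGE):
        super().__init__(vlan_to_ip.values(), port_range)
        self.vlan_to_ip = vlan_to_ip

    def choose_ip(self, inside_host):
        vlan, _user = inside_host
        return self.vlan_to_ip.get(vlan)


class PooledNapt(NaptTable):
    """Shared pool: any inside host uses whichever public address has the most free ports."""

    def choose_ip(self, inside_host):
        return max(self.free, key=lambda ip: len(self.free[ip]))


def run_workload(nat, vlan_sizes, sessions_per_user):
    """Open `sessions_per_user` concurrent flows for every user in every VLAN."""
    for vlan, users in vlan_sizes.items():
        for user in range(users):
            for s in range(sessions_per_user):
                nat.allocate((vlan, user), 49152 + s)
    return nat.rejected


# Constructed scenario: two uneven VLANs, five concurrent flows per user
# (the per-user estimate from the thread), two public addresses either way.
VLAN_SIZES = {10: 14000, 20: 1000}
SESSIONS_PER_USER = 5
PUBLIC_IPS = ["203.0.113.1", "203.0.113.2"]  # documentation prefix, constructed


def compare():
    """Rejected flows under a static per-VLAN mapping vs. a shared pool."""
    static = StaticVlanNapt({10: PUBLIC_IPS[0], 20: PUBLIC_IPS[1]})
    pooled = PooledNapt(PUBLIC_IPS)
    return {
        "static_rejected": run_workload(static, VLAN_SIZES, SESSIONS_PER_USER),
        "pooled_rejected": run_workload(pooled, VLAN_SIZES, SESSIONS_PER_USER),
    }


if __name__ == "__main__":
    print(compare())
```

With 64512 ports per address, VLAN 10 alone needs 70000 translations, so the static mapping drops 5488 flows while the pooled allocator, with 129024 pairs available, drops none. Real NAT devices usually pick the public address by hashing the flow tuple rather than by least load, and some also cap ports per destination, so check the vendor's allocation behaviour before sizing on raw port counts.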
Note that in both v4 and v6 NAT provides no security whatsoever - consider the security posture of a v4 host with a static NAT44 firewall mapping. Stateful firewalls provide security against attempts to connect to ports running services which you don't want to expose externally, but that is equally true for v4 and for v6. Similarly, application proxies can provide security by limiting protocol transactions to a whitelisted subset of the overall protocol and, if you are lucky, by filtering out buffer overflow attempts and similar malicious games. But you can run application proxies for v6 clients just as well as for v4 clients. Address translation per se has nothing to do with security; it's an implementation accident that most NAT44 implementations are via a stateful firewall with application proxy stuff tacked on the side.
NAT66 is evil (from a network engineer's point of view), NAT46 is impossible to scale for ISPs, and NAT64 is basically only useful for v6-only clients talking to v4-only services. Dual stack clients may have to run their v4 traffic through NAT44 gateways due to lack of public v4 addresses, but the design of the v6 side of the network should not mindlessly perpetuate that. Your v6 network should be designed for end-to-end addressability; your security posture will dictate how much end-to-end connectivity is actually permitted.
In particular, office 365 access via direct v6 should mostly work at this point; see
-- Jim Leinweber, WI State Lab of Hygiene, wearing his IPv6 evangelist hat