My goal is to use multiple uplinks, but not only for redundancy. Most of
the time, all (in my case 2) uplinks are available and then the question
is how to make use of both of them.
With IPv4, NAT is common and thus the solution is quite simple. In my
case, I am using the mwan3 package from OpenWrt. It uses iptables rules
to add firewall marks to connections. If multiple uplinks are available,
then the mark/uplink is chosen randomly and assigned to this (e.g. TCP)
connection. These firewall marks are used during policy-based routing.
With a masquerade/source NAT, the right source address for the used
route is picked and everything just works.
In case of IPv6, everything is different. NAT is uncommon. One solution
is to enable NAT and then everything works as with IPv4. Alternatively,
RFC 8678 describes that clients can be informed about multiple uplinks.
The limitation: I do not see any option for load balancing.
RFC 8678 references other solutions. Shim6 seems to be not widely
implemented. The Multipath Transports look like a solution for the
future with Multipath TCP. The last solution is NPTv6. RFC 8678 does not
like the solution. It is no NAT, but it still rewrites the addresses.
The disadvantage: Stateless address rewriting seems only usable if there
is only one prefix known to the network. If this is the global prefix of
one uplink, then all connections are interrupted if the prefix of this
uplink is changed. If this is the local prefix, then the clients do not
know their public addresses.
I tried to use a stateful source address rewriting instead. With
nftables, this is easy to implement and it works if the prefix length of
the uplink is longer (smaller subnet) than the internal network: Just
keep the prefix and replace the bits after it with the original source
address. With this, I can use local addresses in the local network and
additionally provide the public address(es) of one or more uplinks.
I am using this in production at one location for multiple years and
thus know that this works. I am interested in other approaches,
experiences and feedback for this method.
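As an added illustration (not part of the post or of any nftables ruleset), a small Python model of the stateful source rewrite described above: the uplink prefix bits are kept, the remaining bits are taken from the internal source address, and a conntrack-like table maps replies back. The prefixes, the host addresses and the flow tuples are constructed sample values.

```python
import ipaddress

# Constructed sample uplink prefixes (documentation range, not real uplinks).
UPLINKS = {
    "wan1": ipaddress.IPv6Network("2001:db8:1:10::/64"),
    "wan2": ipaddress.IPv6Network("2001:db8:2:20::/64"),
}


def rewrite_source(src: str, uplink_prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Keep the uplink prefix, replace the bits after it with the original source's bits."""
    plen = uplink_prefix.prefixlen
    suffix_mask = (1 << (128 - plen)) - 1
    src_int = int(ipaddress.IPv6Address(src))
    return ipaddress.IPv6Address(int(uplink_prefix.network_address) | (src_int & suffix_mask))


class StatefulSnat:
    """Minimal stand-in for the connection tracking that makes the rewrite stateful."""

    def __init__(self, uplinks):
        self.uplinks = uplinks
        # (uplink, translated src, remote addr, local port, remote port) -> internal src
        self.flows = {}

    def outbound(self, uplink: str, src: str, dst: str, sport: int, dport: int) -> str:
        """New outbound flow on the chosen uplink: rewrite src and remember the mapping."""
        if uplink not in self.uplinks:
            raise KeyError(f"unknown uplink {uplink!r}")
        new_src = rewrite_source(src, self.uplinks[uplink])
        self.flows[(uplink, new_src, dst, sport, dport)] = src
        return str(new_src)

    def inbound(self, uplink: str, dst: str, src: str, dport: int, sport: int):
        """Reply arriving on an uplink: restore the internal address, or None if unknown."""
        key = (uplink, ipaddress.IPv6Address(dst), src, dport, sport)
        return self.flows.get(key)


if __name__ == "__main__":
    nat = StatefulSnat(UPLINKS)
    host, server = "fd00:1::1", "2001:db8:ffff::53"
    # The same internal host gets a different public address per uplink.
    print(nat.outbound("wan1", host, server, 40000, 443))  # 2001:db8:1:10::1
    print(nat.outbound("wan2", host, server, 40001, 443))  # 2001:db8:2:20::1
```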