
I'm afraid I don't follow.

The way to express the design in a pure-IPv6 world would be that you use ULA addresses to reach the AWS services that you use and globally-routable addresses to reach the outside world.

Given that the cost that we're avoiding paying with the mechanism I described in my previous post is the ongoing cost for globally-routable IPv4 addresses, I'm not sure what cost you're talking about paying.

And given that the benefits are not having to pay for globally-routable IPs, I'm not sure what benefits you're talking about that we don't get?

Are you perhaps one of those "Hosts must be IPv6-only, no dual-stack allowed!" people? If so, I regard that as a silly stance today, and expect it will remain a silly stance for the next several decades (maybe even the next century, who knows?).



Running single stack hosts is absolutely a reasonable goal. If I have a choice between running ipv6 and nat6to4, and ipv4, ipv6, and nat4, surely the former is both a simpler setup, and a further step towards a real full v6 internet?


I agree, but more and more customers are strictly limiting egress for security reasons which reduces the argument somewhat. I think it’s more likely that not overpaying for NAT Gateways will be a more effective source of pressure for AWS customers.


> Running single stack hosts is absolutely a reasonable goal.

Sure. I expect that it's not one that we will see most Internet-facing machines achieve in our lifetimes.

> If I have a choice between running ipv6 and nat6to4, and ipv4, ipv6, and nat4, surely the former is both a simpler setup...

No. You already have an IPv4 stack in your OS, and I guaran-damn-tee you that your NAT64 setup is far more complicated than a NAT44 setup. [0]

> ...and a further step towards a real full v6 internet?

Sure. But there's no inherent value in dropping IPv4. The only thing wrong with IPv4 that's not also wrong with IPv6 is that it doesn't have enough address space. Moving more and more globally-reachable servers and hosts to IPv6 reduces the number of IPv4 addresses required, which solves the "not enough addresses" problem of IPv4.

[0] AFAIK, if you use NAT64, you either let both direct-IP connections [1] and inbound IPv4 port forwarding not work, OR you must use additional (substantially complex) software to make that work. So, either you break some software that happens to use IPv4, or you massively increase your system software complexity. Seems bad either way.

[1] That is, connections to IPv4 hosts without a pre-connection DNS lookup.


I meant the network admin costs, if you're having to run dual stack, and especially if you're getting a network setup where you can't fearlessly combine/add routes between any two subnets that you have. To my mind the key benefit of using IPv6, the thing that makes it worth doing at all, is to stop having to worry about address assignment and address collisions and local addresses; obviously you do still probably want to talk to v4-only outside resources, but if you can't get away from having to give all your hosts individual v4 addresses and keep track of them then frankly you might as well just stay v4-only (except at the load balancer or what have you - which might be what you meant, but it sounded like you were talking about using a mix of v4 and v6 within the VPC).


> I meant the network admin costs...

Yeah, the network admin costs don't double, they're marginally larger.

> ...you can't fearlessly combine/add routes between any two subnets that you have.

You can't do this with ULA subnets, either. The standard way to do ULA subnet calculation is collision-resistant, not collision-proof. There's NO central coordinating body to prevent collisions. While the odds of collision are VERY, very low, they're not zero.

The benefit is that you pretty much never have to renumber after network merges... it's NOT that you never have to check for collisions.

> To my mind the key benefit of using IPv6 ... is to stop having to worry about address assignment and address collisions and local addresses...

See above.

> ...if you can't get away from having to give all your hosts individual v4 addresses and keep track of them then frankly you might as well just stay v4-only...

This is nutty. If you don't get why Internet-connected systems configured with "NATted IPv4 + globally-reachable IPv6" is strictly better than "NATted IPv4 and no IPv6", I question how deeply you've thought about this.

> ...it sounded like you were talking about using a mix of v4 and v6 within the VPC...

Yep. See above.
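Added example, not from any commenter in this thread: the RFC 4193 Global ID derivation that makes ULA prefixes collision-resistant rather than collision-proof (40 random-looking bits, no registry), the duplicate check to run before merging two networks' routing tables, and a birthday-bound estimate of how "very, very low" the odds actually are. The MAC address, NTP timestamp and prefixes are constructed inputs.

```python
import hashlib
import ipaddress
import math
import struct
from typing import Iterable, List


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe and flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 6 bytes")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def ula_prefix_rfc4193(eui64: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """Derive an fd00::/8 ULA /48 following RFC 4193 section 3.2.2.

    The caller supplies the EUI-64 and 64-bit NTP time (assumption: keeps the
    function deterministic); a real host would take them from its NIC and clock.
    """
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    key = struct.pack(">Q", ntp_time) + eui64        # time || EUI-64
    digest = hashlib.sha1(key).digest()              # SHA-1 of the key
    global_id = int.from_bytes(digest[-5:], "big")   # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)   # fd00::/8 + Global ID -> /48
    return ipaddress.IPv6Network((prefix_int, 48))


def ula_collisions(prefixes: Iterable[str]) -> List[ipaddress.IPv6Network]:
    """Return the /48 ULA prefixes that appear more than once across the
    networks being merged; any hit means renumbering before routes are joined."""
    seen, dups = set(), []
    for p in prefixes:
        net = ipaddress.IPv6Network(p, strict=False)
        p48 = ipaddress.IPv6Network((int(net.network_address), 48), strict=False)
        if p48 in seen and p48 not in dups:
            dups.append(p48)
        seen.add(p48)
    return dups


def ula_collision_probability(n: int) -> float:
    """Birthday bound: chance that n independently generated 40-bit Global IDs
    contain at least one duplicate (1 - exp(-n(n-1) / 2^41))."""
    return 1.0 - math.exp(-n * (n - 1) / (2 * 2**40))
```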
