mapping public to private IPv6 networks when firewalling

Erik Kline ek at google.com
Mon Nov 28 07:10:57 CET 2011


> I suspect that the model of "ULA on the inside network and 6296 at the
> border" is going to be a very common scenario for people who want to
> avoid "the pain of renumbering," or who still mistakenly believe that
> NAT is a security tool. In any case, that method will work essentially
> the same way that your 1:1 NAT for IPv4 is working for you now.

Much more interesting I think is ULA + global prefix on the same link.
When all "internal-only" services have ULAs in DNS then internal
communication remains via stable ULA addressing.  External
communication can be via the global prefix addresses, and as long as
these aren't in internal DNS then renumbering is less of a problem
than it otherwise would be.

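A small check for the arrangement described in the reply above (ULA plus global prefix on the same link, internal view of DNS carrying only ULAs): an added example, not code from the original thread. It audits a constructed internal zone for global addresses that should not be there, and then shows that renumbering the global prefix only touches the external view once the internal view is clean. The host names, the ULA prefix fd12:3456:789a::/48, and the 2001:db8::/32 documentation prefixes are all made up for the example.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local addresses
GUA = ipaddress.IPv6Network("2000::/3")   # global unicast


def classify(addr: str) -> str:
    """Return 'ula', 'gua' or 'other' for an IPv6 address literal."""
    a = ipaddress.IPv6Address(addr)
    if a in ULA:
        return "ula"
    if a in GUA:
        return "gua"
    return "other"


# Constructed sample data (hypothetical names and prefixes), as (owner, AAAA) pairs.
# Internal view: should contain ULA addresses only.
INTERNAL_ZONE = [
    ("ldap.corp.example", "fd12:3456:789a:1::10"),
    ("wiki.corp.example", "fd12:3456:789a:1::20"),
    ("wiki.corp.example", "2001:db8:1234:1::20"),  # leak: global address in internal view
    ("www.corp.example",  "2001:db8:1234:1::80"),  # leak: global address in internal view
]
# External view: global addresses only; this is the zone that changes on renumbering.
EXTERNAL_ZONE = [
    ("www.corp.example",  "2001:db8:1234:1::80"),
    ("mail.corp.example", "2001:db8:1234:1::25"),
]


def audit_internal_zone(zone):
    """List (name, addr) records in the internal view that carry a global address."""
    return [(name, addr) for name, addr in zone if classify(addr) == "gua"]


def strip_global(zone):
    """Return the zone with global-address records removed (what the internal view should look like)."""
    return [(name, addr) for name, addr in zone if classify(addr) != "gua"]


def renumber(zone, old_prefix: str, new_prefix: str):
    """Rewrite every address under old_prefix to the same host part under new_prefix.

    Returns (new_zone, number_of_records_changed). Records outside old_prefix
    (ULA records in particular) are returned unchanged.
    """
    old = ipaddress.IPv6Network(old_prefix)
    new = ipaddress.IPv6Network(new_prefix)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefix must have the same length")
    out, changed = [], 0
    for name, addr in zone:
        a = ipaddress.IPv6Address(addr)
        if a in old:
            host_bits = int(a) - int(old.network_address)
            a = ipaddress.IPv6Address(int(new.network_address) + host_bits)
            changed += 1
        out.append((name, str(a)))
    return out, changed


if __name__ == "__main__":
    for name, addr in audit_internal_zone(INTERNAL_ZONE):
        print(f"internal view leaks global address: {name} AAAA {addr}")
    old, new = "2001:db8:1234::/48", "2001:db8:abcd::/48"
    ext, n_ext = renumber(EXTERNAL_ZONE, old, new)
    _, n_int = renumber(strip_global(INTERNAL_ZONE), old, new)
    print(f"external view: {n_ext} records rewritten; cleaned internal view: {n_int} records rewritten")
    for name, addr in ext:
        print(f"  {name} AAAA {addr}")
```

Running it against the sample data flags the two global records in the internal view; after they are removed, renumbering 2001:db8:1234::/48 to 2001:db8:abcd::/48 rewrites only the external view, which is the property the reply is relying on.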

More information about the ipv6-ops mailing list