mapping public to private IPv6 networks when firewalling
Doug Barton
dougb at dougbarton.us
Mon Nov 28 07:22:47 CET 2011

On 11/27/2011 10:10 PM, Erik Kline wrote:
>> I suspect that the model of "ULA on the inside network and 6296 at the
>> border" is going to be a very common scenario for people who want to
>> avoid "the pain of renumbering," or who still mistakenly believe that
>> NAT is a security tool. In any case, that method will work essentially
>> the same way that your 1:1 NAT for IPv4 is working for you now.
> 
> Much more interesting I think is ULA + global prefix on the same link.
>  When all "internal-only" services have ULAs in DNS then internal
> communication remains via stable ULA addressing.  External
> communication can be via the global prefix addresses, and as long as
> these aren't in internal DNS then renumbering is less of a problem
> than it otherwise would be.

I think people who think renumbering is hard are not likely to put
themselves in this situation. I'm not sure I understand why they'd
bother in any case. If you're going to have ULA anyway, why add the
extra drama?

Doug
-- 
		"We could put the whole Internet into a book."
		"Too practical."
	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

More information about the ipv6-ops mailing list