mapping public to private IPv6 networks when firewalling

Doug Barton dougb at
Mon Nov 28 07:22:47 CET 2011

On 11/27/2011 10:10 PM, Erik Kline wrote:
>> I suspect that the model of "ULA on the inside network and 6296 at the
>> border" is going to be a very common scenario for people who want to
>> avoid "the pain of renumbering," or who still mistakenly believe that
>> NAT is a security tool. In any case, that method will work essentially
>> the same way that your 1:1 NAT for IPv4 is working for you now.
> Much more interesting I think is ULA + global prefix on the same link.
>  When all "internal-only" services have ULAs in DNS then internal
> communication remains via stable ULA addressing.  External
> communication can be via the global prefix addresses, and as long as
> these aren't in internal DNS then renumbering is less of a problem
> than it otherwise would be.

I think people who think renumbering is hard are not likely to put
themselves in this situation. I'm not sure I understand why they'd
bother in any case. If you're going to have ULA anyway, why add the
extra drama?



		"We could put the whole Internet into a book."
		"Too practical."

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)

More information about the ipv6-ops mailing list