mapping public to private IPv6 networks when firewalling

Phil Mayers p.mayers at imperial.ac.uk
Mon Nov 28 09:58:34 CET 2011


On 11/28/2011 06:10 AM, Erik Kline wrote:
>> I suspect that the model of "ULA on the inside network and 6296 at the
>> border" is going to be a very common scenario for people who want to
>> avoid "the pain of renumbering," or who still mistakenly believe that
>> NAT is a security tool. In any case, that method will work essentially
>> the same way that your 1:1 NAT for IPv4 is working for you now.
>
> Much more interesting I think is ULA + global prefix on the same link.
>   When all "internal-only" services have ULAs in DNS then internal
> communication remains via stable ULA addressing.  External
> communication can be via the global prefix addresses, and as long as
> these aren't in internal DNS then renumbering is less of a problem
> than it otherwise would be.
>

AIUI, that won't work well (yet). Current RFC 3484 tables don't "know" 
ULA, so will assume it's a normal prefix and try to use it for global 
traffic. See:

http://getipv6.info/index.php/Customer_problems_that_could_occur

...and search for "ULA". Some OSes don't handle the lifetime=0 trick in 
RFC 6204 either.
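To make the RFC 3484 point concrete, here is a small Python model of the policy-table lookup plus the label (rule 5), precedence (rule 6) and longest-matching-prefix (rule 8) steps of source and destination address selection. It is an added illustration, not code from this thread or from any OS implementation, and it deliberately ignores the other rules (scope, deprecation, home/care-of, etc.). The two tables are the defaults from RFC 3484 section 2.1 and from its 2012 revision RFC 6724 section 2.1, which added the fc00::/7 row; the host and destination addresses are constructed from documentation ranges. Run it and you see the failure mode: a host with only a ULA and an IPv4 address, resolving a dual-stack name, prefers the IPv6 path under the 3484 table (ULA is "just ::/0", precedence 40 beats IPv4's 10), while the 6724 table puts IPv4 first because the ULA source no longer shares a label with a global destination. For a host that also has a GUA, source selection happens to come out right even under 3484, but only because rule 8 (longest match) breaks the tie, not because the table knows what a ULA is.

```python
import ipaddress

# Default policy tables as (prefix, precedence, label), copied from
# RFC 3484 section 2.1 and from RFC 6724 section 2.1 (the later revision
# that added the fc00::/7 row for ULA).
RFC3484_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]
RFC6724_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]
V4MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")

# Constructed sample addresses (documentation ranges, not real hosts).
ULA_ONLY_HOST = ["fd12:3456:789a:1::10", "192.0.2.10"]               # ULA + IPv4, no GUA
DUAL_HOST = ["fd12:3456:789a:1::10", "2001:db8:1::10", "192.0.2.10"]  # ULA + GUA + IPv4
WWW_DESTS = ["2001:db8::80", "198.51.100.80"]                         # AAAA + A of an external name


def parse(text):
    """IPv4 addresses are handled as IPv4-mapped IPv6, as RFC 3484 does."""
    ip = ipaddress.ip_address(text)
    return ip if ip.version == 6 else ipaddress.IPv6Address("::ffff:" + str(ip))


def fmt(ip):
    """Print mapped addresses back in dotted form (stable across Python versions)."""
    return str(ip.ipv4_mapped) if ip.ipv4_mapped is not None else str(ip)


def policy(table, addr):
    """Longest-prefix lookup in the policy table: returns (precedence, label)."""
    best = None
    for prefix, prec, label in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]


def common_prefix_len(a, b):
    """Rule 8 metric: number of leading bits the two addresses share."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(table, dest, sources):
    """Simplified source selection: same address family only, then rule 5
    (prefer a source whose label matches the destination's), then rule 8
    (longest matching prefix). Returns the chosen source as a string."""
    dest = parse(dest)
    cands = [s for s in map(parse, sources) if (s in V4MAPPED) == (dest in V4MAPPED)]
    if not cands:
        return None
    dest_label = policy(table, dest)[1]
    best = max(cands, key=lambda s: (policy(table, s)[1] == dest_label,
                                     common_prefix_len(s, dest)))
    return fmt(best)


def order_destinations(table, dests, sources):
    """Simplified destination ordering: destinations with a usable source
    first, then rule 5 (destination label matches its chosen source's
    label), then rule 6 (higher precedence). Returns the destinations in
    the order a resolver following this table would try them."""
    def key(text):
        dest = parse(text)
        src = select_source(table, text, sources)
        prec, dest_label = policy(table, dest)
        match = src is not None and policy(table, parse(src))[1] == dest_label
        return (src is not None, match, prec)
    return sorted(dests, key=key, reverse=True)


if __name__ == "__main__":
    for name, table in (("RFC 3484", RFC3484_TABLE), ("RFC 6724", RFC6724_TABLE)):
        print(name, "ULA-only host tries:", order_destinations(table, WWW_DESTS, ULA_ONLY_HOST))
        for dest in ("fd12:3456:789a:2::53", "2001:db8:ffff::1"):
            print(name, "dual host ->", dest, "from", select_source(table, dest, DUAL_HOST))
```

On a Linux box the equivalent knobs are the kernel's `ip addrlabel` table (used for source selection) and glibc's /etc/gai.conf (used by getaddrinfo for destination ordering); a pre-6724 default in either is what produces the ULA-over-IPv4 preference the getipv6.info page warns about, and adding the fc00::/7 precedence/label row is the usual fix.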

