mapping public to private IPv6 networks when firewalling
tore.anderson at redpill-linpro.com
Mon Nov 28 16:26:02 CET 2011
* Phil Mayers
> On 11/28/2011 06:10 AM, Erik Kline wrote:
>> Much more interesting I think is ULA + global prefix on the same link.
>> When all "internal-only" services have ULAs in DNS then internal
>> communication remains via stable ULA addressing. External
>> communication can be via the global prefix addresses, and as long as
>> these aren't in internal DNS then renumbering is less of a problem
>> than it otherwise would be.
> AIUI, that won't work well (yet). Current RFC 3484 tables don't "know"
> ULA, so will assume it's a normal prefix and try to use it for global
Actually global addresses + ULAs on the same link is likely to work
well, due to the longest matching prefix rule in RFC 3484 (fc00::/7 and
2000::/3 have a common prefix length of 0). The ULA dualstack brokenness
problem occurs when there's only ULAs on the link plus a default IPv6
route, as most operating systems will then unsuccessfully attempt to use
the ULAs, time out, before eventually falling back on IPv4.
Redpill Linpro AS - http://www.redpill-linpro.com
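
Added example, not part of the original message: a sketch of the longest matching prefix comparison from RFC 3484 source address selection, applied to a host holding both a ULA and a global address. The addresses are constructed samples, and the function names are hypothetical. Only the prefix-length tie-breaker is modelled, which is the rule that decides here because the RFC 3484 default policy table gives ULA and global addresses the same label and scope.

```python
import ipaddress

def common_prefix_len(a: str, b: str) -> int:
    """Count the leading bits two IPv6 addresses share (RFC 3484 CommonPrefixLen)."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    # bit_length() of the XOR gives the position of the first differing bit.
    return 128 - diff.bit_length()

def pick_source(dest: str, candidates: list[str]) -> str:
    """Model only the longest-matching-prefix rule of source address selection.

    Earlier rules (scope, deprecated state, label) are assumed to tie, which is
    the case for ULA vs. global under the RFC 3484 default policy table: both
    fall under ::/0 and both are treated as global scope.
    """
    return max(candidates, key=lambda src: common_prefix_len(src, dest))

# Constructed sample addresses: one ULA and one global address on the same link.
ULA_SRC = "fd12:3456:789a:1::10"
GLOBAL_SRC = "2001:db8:1:1::10"
SOURCES = [ULA_SRC, GLOBAL_SRC]

# Constructed destinations: an internal ULA service and an external global host.
ULA_DEST = "fd12:3456:789a:2::20"
GLOBAL_DEST = "2001:db8:ffff::1"

if __name__ == "__main__":
    for dest in (ULA_DEST, GLOBAL_DEST):
        for src in SOURCES:
            print(f"dest={dest:24} src={src:22} "
                  f"common_prefix_len={common_prefix_len(src, dest)}")
        print(f"  -> selected source: {pick_source(dest, SOURCES)}")
```

With only `ULA_SRC` in the candidate list, `pick_source` would return the ULA for the global destination as well, which is the ULA-only case the message describes.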