mapping public to private IPv6 networks when firewalling

Tore Anderson tore.anderson at
Mon Nov 28 16:26:02 CET 2011

* Phil Mayers

> On 11/28/2011 06:10 AM, Erik Kline wrote:
>> Much more interesting I think is ULA + global prefix on the same link.
>>   When all "internal-only" services have ULAs in DNS then internal
>> communication remains via stable ULA addressing.  External
>> communication can be via the global prefix addresses, and as long as
>> these aren't in internal DNS then renumbering is less of a problem
>> than it otherwise would be.
> AIUI, that won't work well (yet). Current RFC 3484 tables don't "know"
> ULA, so will assume it's a normal prefix and try to use it for global
> traffic.

Actually, global addresses + ULAs on the same link are likely to work
well, due to the longest matching prefix rule in RFC 3484 (fc00::/7 and
2000::/3 have a common prefix length of 0). The ULA dual-stack brokenness
problem occurs when there are only ULAs on the link plus a default IPv6
route, as most operating systems will then unsuccessfully attempt to use
the ULAs and time out before eventually falling back on IPv4.

Tore Anderson
Redpill Linpro AS -
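The address-selection behaviour argued over in this exchange, as an added example (not code from the post, the list, or any operating system's resolver): a reduced RFC 3484 implementation with the default policy table from RFC 3484 (no fc00::/7 row, which is Phil's point) and, going beyond the thread, the later RFC 6724 table that added one. It shows that with a global address and a ULA on the same link, Rule 8 (longest matching prefix) picks the global source for a global destination under either table, while a ULA-only dual-stack host picks IPv6 first under the RFC 3484 table and only falls to IPv4 under RFC 6724. The host addresses and destinations are constructed from documentation prefixes, and the scope, deprecation and interface rules are omitted as an assumption (ULAs are global scope per RFC 4193, so they would not separate these candidates anyway).

```python
"""RFC 3484 source and destination address selection, reduced to the rules
that decide the ULA + global prefix case: source Rule 6 (matching label) and
Rule 8 (longest matching prefix); destination Rule 5 (matching label) and
Rule 6 (higher precedence). Added example; not from the mailing-list post."""
import ipaddress


def _table(rows):
    return [(ipaddress.IPv6Network(p), prec, label) for p, prec, label in rows]


# RFC 3484 section 2.1 default policy table: (prefix, precedence, label).
# No fc00::/7 row, so a ULA falls under ::/0 and shares label 1 with global
# unicast; this is what "the tables don't know ULA" means in practice.
RFC3484 = _table([
    ("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
    ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4),
])
# RFC 6724 section 2.1 default policy table, which added the fc00::/7 row.
RFC6724 = _table([
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
])


def as_v6(addr):
    """Treat IPv4 addresses as IPv4-mapped IPv6 (RFC 3484 section 3.1)."""
    a = ipaddress.ip_address(str(addr))
    return a if a.version == 6 else ipaddress.IPv6Address("::ffff:" + str(a))


def lookup(addr, policy):
    """(precedence, label) from the longest policy prefix containing addr."""
    _, prec, label = max((r for r in policy if addr in r[0]),
                         key=lambda r: r[0].prefixlen)
    return prec, label


def common_prefix_len(a, b):
    """CommonPrefixLen() from RFC 3484 section 2.2: shared leading bits."""
    return 128 - (int(as_v6(a)) ^ int(as_v6(b))).bit_length()


def select_source(dest, addrs, policy=RFC3484):
    """Source selection reduced to Rule 6 then Rule 8.
    Assumption: an IPv4 destination only considers the host's IPv4 addresses
    and an IPv6 destination only its IPv6 addresses. Returns None if the host
    has no candidate of the right family."""
    dest = as_v6(dest)
    want_v4 = dest.ipv4_mapped is not None
    cands = [a for a in map(as_v6, addrs) if (a.ipv4_mapped is not None) == want_v4]
    if not cands:
        return None
    dest_label = lookup(dest, policy)[1]
    best = max(cands, key=lambda s: (lookup(s, policy)[1] == dest_label,
                                     common_prefix_len(s, dest)))
    return str(best.ipv4_mapped or best)


def order_destinations(dests, addrs, policy=RFC3484):
    """Destination selection reduced to Rule 5 (label of the destination
    matches the label of the source chosen for it) then Rule 6 (precedence).
    Returns the destinations that have a usable source, most preferred first.
    This is the step that decides whether a dual-stack host tries IPv6 or
    IPv4 first for a name with both A and AAAA records."""
    ranked = []
    for d in dests:
        src = select_source(d, addrs, policy)
        if src is None:
            continue
        prec, label = lookup(as_v6(d), policy)
        ranked.append(((lookup(as_v6(src), policy)[1] == label, prec), d))
    return [d for _, d in sorted(ranked, key=lambda r: r[0], reverse=True)]


if __name__ == "__main__":
    # Constructed addresses from documentation ranges: a host with a global
    # prefix and a ULA on the same link, and one with only the ULA.
    both = ["2001:db8:ffff::10", "fd12:3456:789a::10", "192.0.2.10"]
    ula_only = ["fd12:3456:789a::10", "192.0.2.10"]
    server = ["2001:db8:1::1", "198.51.100.1"]  # dual-stack destination
    print("global+ULA, global dst :", select_source("2001:db8:1::1", both))
    print("global+ULA, ULA dst    :", select_source("fd12:3456:789a:1::1", both))
    print("ULA-only, RFC 3484     :", order_destinations(server, ula_only))
    print("ULA-only, RFC 6724     :", order_destinations(server, ula_only, RFC6724))
```

The first two calls reproduce Tore's claim: with both prefixes present, the two sources tie on label under the RFC 3484 table and Rule 8 separates them, since fc00::/7 and 2000::/3 share no leading bits. The last two reproduce the failure mode: a ULA-only host still has label-matching IPv6 source and higher IPv6 precedence under RFC 3484, so it tries IPv6 first and must time out before using IPv4; the RFC 6724 row for fc00::/7 breaks the label match and puts IPv4 first.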
