mapping public to private IPv6 networks when firewalling

Brian E Carpenter brian.e.carpenter at
Mon Nov 28 22:41:39 CET 2011


On 2011-11-29 06:01, Johan REMY wrote:
> * Tore Anderson
>> * Phil Mayers
>>> On 11/28/2011 06:10 AM, Erik Kline wrote:
>>>> Much more interesting I think is ULA + global prefix on the same link.
>>>> When all "internal-only" services have ULAs in DNS then internal
>>>> communication remains via stable ULA addressing.  External
>>>> communication can be via the global prefix addresses, and as long as
>>>> these aren't in internal DNS then renumbering is less of a problem
>>>> than it otherwise would be.
>>> AIUI, that won't work well (yet). Current RFC 3484 tables don't "know"
>>> ULA, so will assume it's a normal prefix and try to use it for global
>>> traffic.
>> Actually global addresses + ULAs on the same link is likely to work
>> well, due to the longest matching prefix rule in RFC 3484 (fc00::/7 and
>> 2000::/3 have a common prefix length of 0). The ULA dualstack brokenness
>> problem occurs when there's only ULAs on the link plus a default IPv6
>> route, as most operating systems will then unsuccessfully attempt to use
>> the ULAs, time out, before eventually falling back on IPv4.
> I have already tried this but it is really broken.
> ULA IPv6 + Global IPv6, both via RA on win7. Default route learned via RA too, no static config (the point is to be automatic). It tries to use ULA addresses to surf the internet and makes that configuration impossible for a production environment. DHCPv6 currently doesn't help.
> ULA + global is for me the really good solution (way better than NAT) but a lot of things need to be fixed before it can be used.

draft-ietf-6man-rfc3484-revise is supposed to fix this. Not sure when
Windows will get it though.
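Tore's point about the longest-matching-prefix rule, as an added illustration that is not part of this thread: a simplified RFC 3484 source address selection using the RFC's default policy table (which has no ULA entry, so ULAs get the same label as global addresses) and rules 1, 2, 6 and 8, run over a constructed host that has a link-local, a ULA and a global address on one link. All addresses are constructed examples.

```python
import functools
import ipaddress

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label).
# There is no fc00::/7 entry, so a ULA falls under ::/0 and gets label 1,
# the same label as a global unicast address.
DEFAULT_POLICY = [
    (ipaddress.ip_network("::1/128"), 50, 0),
    (ipaddress.ip_network("::/0"), 40, 1),
    (ipaddress.ip_network("2002::/16"), 30, 2),
    (ipaddress.ip_network("::/96"), 20, 3),
    (ipaddress.ip_network("::ffff:0:0/96"), 10, 4),
]

def label(addr):
    """Label of the longest-matching policy-table entry."""
    return max((e for e in DEFAULT_POLICY if addr in e[0]), key=lambda e: e[0].prefixlen)[2]

def common_prefix_len(a, b):
    """Leading bits two IPv6 addresses share (RFC 3484 CommonPrefixLen)."""
    return 128 - (int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))).bit_length()

def scope(addr):
    """RFC 4007 scope: link-local = 2, everything else here = global (0xe); ULAs are global scope."""
    return 2 if addr.is_link_local else 0xe

def compare_sources(dst, sa, sb):
    """Negative if SA is preferred over SB for dst, positive if SB, 0 on a tie.
    Implements RFC 3484 section 5 rules 1, 2, 6 and 8; rules 3, 4, 5 and 7 are omitted."""
    if sa == dst: return -1               # Rule 1: prefer same address
    if sb == dst: return 1
    if scope(sa) < scope(sb):             # Rule 2: prefer appropriate scope
        return 1 if scope(sa) < scope(dst) else -1
    if scope(sb) < scope(sa):
        return -1 if scope(sb) < scope(dst) else 1
    la, lb, ld = label(sa), label(sb), label(dst)
    if la == ld and lb != ld: return -1   # Rule 6: prefer matching label
    if lb == ld and la != ld: return 1
    return common_prefix_len(sb, dst) - common_prefix_len(sa, dst)  # Rule 8: longest matching prefix

def select_source(dst, candidates):
    """Return the preferred source address (as a string) for dst from the candidate list."""
    d = ipaddress.IPv6Address(dst)
    ranked = sorted((ipaddress.IPv6Address(c) for c in candidates),
                    key=functools.cmp_to_key(lambda a, b: compare_sources(d, a, b)))
    return str(ranked[0])

if __name__ == "__main__":
    # Constructed host addresses: link-local, a ULA and a documentation-prefix global address.
    host = ["fe80::1", "fd12:3456:789a::1", "2001:db8:1::1"]
    print(select_source("2001:db8:ffff::1", host))    # 2001:db8:1::1 (Internet destination)
    print(select_source("fd12:3456:789a:1::5", host))  # fd12:3456:789a::1 (internal destination)
```

With both a ULA and a global address configured, rule 8 alone steers Internet-bound traffic to the global source and internal traffic to the ULA, which is the behaviour the thread expects a conforming RFC 3484 stack to show.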

