Brian E Carpenter
brian.e.carpenter at gmail.com
Sun Feb 10 09:26:28 CET 2013
On 10/02/2013 01:34, Erik Kline wrote:
>> I certainly know that it's doable, I'm more curious to know how much the two can differ (ULA, PD, PI, privacy, etc.). I'm looking into using two prefixes because of the privacy options ($WORK is health care, so some data is highly sensitive), but there may be other reasons to use two prefixes.
> I believe I would just use privacy/temporary addresses by default, and
> pull MAC<->L3 mappings off the switches/routers for the purposes of
> auditing. That way you're more likely to notice when someone changes
> IP addresses (IPv6 or otherwise).
That would be a possibility. Personally I'm a fan of using a ULA prefix
for traffic that you must keep internal. It isn't magic: you have to ensure
that the border routers have ACLs to block them, and you may want to
use internal-only DNS names for ULAs.
As was said, this has always been part of the IPv6 design. RFC 4864
talks about it.
One downside is that not all address management systems are happy to handle
multiple prefixes, as I understand it.
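The two controls mentioned in the reply above, a border ACL that blocks ULA traffic and an internal-only DNS view for ULA names, as an added illustration that is not code from this thread or from any router or DNS vendor. It uses the ULA block from RFC 4193 (fc00::/7); the site prefixes, hosts, flows and DNS records are constructed for the example.

```python
"""ULA containment checks (RFC 4193, fc00::/7).

Added example, not code from the thread. It models a border ACL that
drops ULA traffic in either direction and a split DNS view that hides
ULA answers from outside clients. All prefixes and data are constructed.
"""
from ipaddress import IPv6Address, IPv6Network

ULA = IPv6Network("fc00::/7")  # RFC 4193 unique local address block

# Constructed site prefixes: a global prefix and the site's own ULA /48.
SITE_GLOBAL = IPv6Network("2001:db8:1234::/48")
SITE_ULA = IPv6Network("fd12:3456:789a::/48")


def is_ula(addr: str) -> bool:
    """True if the address falls in fc00::/7."""
    return IPv6Address(addr) in ULA


def border_verdict(src: str, dst: str) -> tuple:
    """ACL applied to every packet crossing the site border.

    Returns (action, reason). Either end being a ULA is a deny, since
    ULAs are not meant to be routed beyond the site.
    """
    s, d = IPv6Address(src), IPv6Address(dst)
    if s in ULA:
        return "deny", "ULA source must not leave or enter the site"
    if d in ULA:
        return "deny", "ULA destination is not reachable across the border"
    return "permit", "global unicast"


def visible_aaaa(client: str, answers: list) -> list:
    """Split-view DNS: clients on the site's global or ULA prefix see every
    AAAA record; anyone else gets only the global ones."""
    c = IPv6Address(client)
    internal = c in SITE_GLOBAL or c in SITE_ULA
    if internal:
        return list(answers)
    return [a for a in answers if not is_ula(a)]


def audit(flows: list) -> dict:
    """Count ACL verdicts over (src, dst) pairs, e.g. from a border flow log,
    to spot ULA traffic that reached the border at all."""
    counts = {"permit": 0, "deny": 0}
    for src, dst in flows:
        counts[border_verdict(src, dst)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed flows as seen at the border: two legitimate, three leaks.
    flows = [
        ("2001:db8:1234::10", "2001:db8:ffff::1"),    # internal host to Internet
        ("2001:db8:ffff::1", "2001:db8:1234::10"),    # reply
        ("fd12:3456:789a::10", "2001:db8:ffff::1"),   # ULA source leaking out
        ("2001:db8:ffff::1", "fd12:3456:789a::10"),   # outsider reaching for a ULA
        ("fd12:3456:789a::10", "fd00:1:2::1"),        # ULA to another site's ULA
    ]
    for f in flows:
        print(f, "->", border_verdict(*f))
    print(audit(flows))
    records = ["2001:db8:1234::53", "fd12:3456:789a::53"]
    print("internal view:", visible_aaaa("fd12:3456:789a::99", records))
    print("external view:", visible_aaaa("2001:db8:ffff::1", records))
```

The `audit` count over a flow log is the detection side of the same rule: any deny hit means a host or a route has leaked ULA traffic to the border, which is worth investigating even though the ACL stopped it.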