p.mayers at imperial.ac.uk
Sun Feb 10 12:29:46 CET 2013
On 02/10/2013 08:26 AM, Brian E Carpenter wrote:
> On 10/02/2013 01:34, Erik Kline wrote:
>>> I certainly know that it's doable, I'm more curious to know how much the two can differ (ULA, PD, PI, privacy, etc.). I'm looking into using two prefixes because of the privacy options ($WORK is health care, so some data is highly sensitive), but there may be other reasons to use two prefixes.
>> I believe I would just use privacy/temporary addresses by default, and
>> pull MAC<->L3 mappings off the switches/routers for the purposes of
>> auditing. That way you're more likely to notice when someone changes
>> IP addresses (IPv6 or otherwise).
> That would be a possibility. Personally I'm a fan of using a ULA prefix
> for traffic that you must keep internal. It isn't magic: you have to ensure
> that the border routers have ACLs to block them, and you may want to
> use internal-only DNS names for ULAs.
Can you give an example of this use-case, and maybe highlight how it's
different than just ACLing / firewalling the "server" subnet off? I'm
having a hard time understanding the added value of ULA in this
scenario, or how getting "internal only" traffic onto ULA addresses
helps prevent it "going external" - isn't that what a routing table
does? I'm sure I must be missing something...
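Brian's point above is that a ULA prefix only stays internal if the border enforces it; as an added example (not from any poster in this thread), the following Python encodes that border rule and audits constructed flow records for ULA traffic that reached a border interface. The key=value record format, the interface names and the fd12:3456:789a::/48 site prefix are assumptions made for the example.

```python
import ipaddress
from typing import Iterable

# Unique local address space per RFC 4193 (fc00::/7; fd00::/8 is the half actually assigned).
ULA = ipaddress.IPv6Network("fc00::/7")


def is_ula(addr: str) -> bool:
    """True if addr is an IPv6 unique local address (fc00::/7)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip in ULA


def border_permits(src: str, dst: str) -> bool:
    """The rule a border ACL has to enforce: no ULA address may cross in either direction."""
    return not (is_ula(src) or is_ula(dst))


def parse_flow(line: str) -> dict:
    """Parse one 'key=value ...' flow record (constructed format, not a real exporter's)."""
    return dict(field.split("=", 1) for field in line.split())


def find_leaks(lines: Iterable[str], border_ifaces=("wan0",)) -> list:
    """Return flow records seen on a border interface that the ACL should have dropped."""
    leaks = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if flow["iface"] in border_ifaces and not border_permits(flow["src"], flow["dst"]):
            leaks.append(flow)
    return leaks


# Constructed sample flow log: fd12:3456:789a::/48 stands in for the site's ULA prefix,
# 2001:db8::/32 (documentation prefix) stands in for global addresses.
SAMPLE_FLOWS = """\
iface=lan0 src=fd12:3456:789a:1::10 dst=fd12:3456:789a:2::53 proto=udp dport=53
iface=wan0 src=2001:db8:1::10 dst=2001:db8:ffff::80 proto=tcp dport=443
iface=wan0 src=fd12:3456:789a:1::10 dst=2001:db8:ffff::80 proto=tcp dport=443
iface=wan0 src=2001:db8:ffff::9 dst=fd12:3456:789a:2::53 proto=udp dport=53
iface=lan0 src=2001:db8:1::10 dst=fd12:3456:789a:2::53 proto=udp dport=53
"""

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_FLOWS.splitlines()):
        print("ULA crossed border:", leak["src"], "->", leak["dst"])
```

The two wan0 records involving the ULA prefix are the ones a border ACL should have blocked; the lan0 records are the intended internal-only traffic and are not flagged.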