multiple prefixes
Brian E Carpenter
brian.e.carpenter at gmail.com
Sun Feb 10 14:10:00 CET 2013
On 10/02/2013 11:29, Phil Mayers wrote:
> On 02/10/2013 08:26 AM, Brian E Carpenter wrote:
>> On 10/02/2013 01:34, Erik Kline wrote:
>>>> I certainly know that it's doable, I'm more curious to know how much
>>>> the two can differ (ULA, PD, PI, privacy, etc.). I'm looking into
>>>> using two prefixes because of the privacy options ($WORK is health
>>>> care, so some data is highly sensitive), but there may be other
>>>> reasons to use two prefixes.
>>>
>>> I believe I would just use privacy/temporary addresses by default, and
>>> pull MAC<->L3 mappings off the switches/routers for the purposes of
>>> auditing. That way you're more likely to notice when someone changes
>>> IP addresses (IPv6 or otherwise).
>>>
>>
>> That would be a possibility. Personally I'm a fan of using a ULA prefix
>> for traffic that you must keep internal. It isn't magic: you have to
>> ensure that the border routers have ACLs to block them, and you may
>> want to use internal-only DNS names for ULAs.
>
> Can you give an example of this use-case, and maybe highlight how it's
> different than just ACLing / firewalling the "server" subnet off? I'm
> having a hard time understanding the added value of ULA in this
> scenario, or how getting "internal only" traffic onto ULA addresses
> helps prevent it "going external" - isn't that what a routing table
> does? I'm sure I must be missing something...

You're not, really. But for corporate IT people who want security by
obscurity (like they get from Net 10), a ULA provides the same reassurance.
Again, this is motivated in RFC 4864.

It also means that your ULA-to-ULA traffic is not affected by renumbering.

Brian
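
An added example, not part of the original thread: one way to audit that the border ACLs mentioned above are actually holding, by scanning flow records for ULA (fc00::/7) addresses seen on a border interface. The record layout, the interface names and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses

# Constructed sample records: "<iface> <direction> <src> <dst>" (hypothetical export format).
SAMPLE_FLOWS = """\
wan0 out 2001:db8:10::25 2001:db8:ffff::80
wan0 out fd12:3456:789a:1::25 2001:db8:ffff::80
wan0 in 2001:db8:ffff::53 fd12:3456:789a:2::10
lan0 in fd12:3456:789a:1::25 fd12:3456:789a:2::10
wan0 out 192.0.2.10 198.51.100.7
wan0 out not-an-address 2001:db8:ffff::80
"""


def is_ula(text):
    """Return True if text parses as an IPv6 address inside fc00::/7."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # malformed field: not a ULA hit, skip quietly
    return addr.version == 6 and addr in ULA


def find_ula_leaks(flow_text, border_ifaces=("wan0",)):
    """List flows on a border interface whose source or destination is a ULA.

    Any hit means the border ACL let internal-only traffic through, or let
    ULA-addressed packets in from outside.
    """
    leaks = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4:
            continue  # not a flow record in the assumed layout
        iface, direction, src, dst = fields
        if iface not in border_ifaces:
            continue  # ULA-to-ULA traffic on internal links is expected
        roles = [role for role, a in (("src", src), ("dst", dst)) if is_ula(a)]
        if roles:
            leaks.append((lineno, direction, src, dst, roles))
    return leaks


if __name__ == "__main__":
    for lineno, direction, src, dst, roles in find_ula_leaks(SAMPLE_FLOWS):
        print(f"line {lineno}: {direction} {src} -> {dst} (ULA in {','.join(roles)})")
```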