multiple prefixes

David Magda dmagda at ee.ryerson.ca
Sun Feb 10 17:29:24 CET 2013


On Feb 10, 2013, at 06:29, Phil Mayers wrote:

> Can you give an example of this use-case, and maybe highlight how it's different than just ACLing / firewalling the "server" subnet off? I'm having a hard time understanding the added value of ULA in this scenario, or how getting "internal only" traffic onto ULA addresses helps prevent it "going external" - isn't that what a routing table does? I'm sure I must be missing something...

If someone does not have an AS (or has not gone through the effort of setting one up for a small-ish business), and/or if you can only get a provider-dependent prefix, then you generally don't want to assign a bunch of servers / devices IPs that may change if you decide to go with another ISP at some point in the future.

ULA becomes a form of provider-independent prefixing mechanism for folks / organizations that may not otherwise be able to get one.

There's also the networking configuration where you have split-horizon DNS, and everything must go through a proxy / bastion host to get to the outside. Then you wouldn't need publicly routable IPs at all (except on the external interfaces of the proxies), and using ULA wouldn't strictly be necessary (one could use anything), but probably best practice. In this scenario, it may also be good to set up a black hole that advertises the public Internet, so that anything that does end up reaching it could be captured / sniffed: it'll be either something misconfigured, or malware trying to phone home.

Of course it's not like ULA and ACLing / firewalling are an either-or choice: you could set up both depending on one's level of paranoia and regulatory responsibilities.
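The two things the reply above leans on, a ULA prefix that nobody else hands out and a sinkhole that shows you who is trying to leave directly, can both be demonstrated in a few dozen lines. The block below is an added example for this thread, not code posted by David Magda or anyone on ipv6-ops. The prefix generation follows the RFC 4193 section 3.2.2 recipe (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits become the Global ID). The sinkhole part assumes a host that receives the "advertise the public Internet" route and logs one line per flow in a format made up here (`src= dst= dport=`); the MAC address, timestamp and log lines are all constructed, and `sinkhole_hits` is a hypothetical helper name.

```python
"""Added example (not from the thread): build an RFC 4193 ULA /48 and
triage flows logged by a sinkhole that advertises 2000::/3 inside a
proxy-only network.  The MAC, timestamp and log format are constructed."""
import hashlib
import ipaddress
import re
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch

ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return struct.pack(">II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF,
                       frac & 0xFFFFFFFF)


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def generate_ula_prefix(mac: str, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 s3.2.2: SHA-1(NTP time || EUI-64); the least significant
    40 bits are the Global ID, prefixed with fd (fc00::/7, L bit = 1)."""
    key = ntp_timestamp(unix_time) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]   # low 40 bits
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def classify(addr: str) -> str:
    """Coarse scope of an IPv6 address for triage purposes."""
    a = ipaddress.IPv6Address(addr)
    if a in ULA:
        return "ula"
    if a.is_link_local:
        return "link-local"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"


# Constructed sample of what a sinkhole host might log; not real traffic.
SAMPLE_SINKHOLE_LOG = """\
2013-02-10T17:29:24Z src=fd12:3456:789a:1::10 dst=2001:db8:c0ff:ee::1 dport=443
2013-02-10T17:29:25Z src=fd12:3456:789a:1::10 dst=2001:db8:c0ff:ee::1 dport=443
2013-02-10T17:29:26Z src=fd12:3456:789a:9::7 dst=2001:db8:bad::6 dport=6667
this line is not a flow record
2013-02-10T17:29:27Z src=fe80::1 dst=ff02::1 dport=0
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def sinkhole_hits(log_text: str):
    """Return (src, dst, dport) for each flow that tried to reach a global
    address directly.  In a proxy-only network that is either a
    misconfigured host or something phoning home; link-local and multicast
    noise is ignored, and unparseable lines are skipped, not fatal."""
    hits = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        if classify(m["dst"]) == "global":
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


def hits_per_source(log_text: str):
    """Count direct-egress attempts per internal source address."""
    counts = {}
    for src, _dst, _dport in sinkhole_hits(log_text):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print("ULA prefix:", generate_ula_prefix("00:25:96:12:34:56", 1360513764.0))
    for hit in sinkhole_hits(SAMPLE_SINKHOLE_LOG):
        print("direct egress attempt:", hit)
    print(hits_per_source(SAMPLE_SINKHOLE_LOG))
```

Generate the prefix once, record it, and reuse it; the hash input is only there to make collisions between organizations unlikely, not to let you re-derive the prefix later. The triage function deliberately keys on the destination scope rather than the source: anything with a global destination that reached the sinkhole bypassed the proxy, whichever internal host sent it.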


