multiple prefixes

David Magda dmagda at ee.ryerson.ca
Mon Feb 11 20:14:17 CET 2013


On Mon, February 11, 2013 09:09, Tim Chown wrote:
> On 10 Feb 2013, at 16:29, David Magda <dmagda at ee.ryerson.ca> wrote:
>
>> ULA becomes a form of provider independent prefixing mechanism for
>> folks/organizations that may not be able to otherwise get it.
>
> Except that's really bad as it goes hand in hand with NPTv6, which maps
> between external global and internal ULA prefixes.  The IPv6 model
> supports use of both ULAs and globals. Hosts acquire both. Use ULAs for
> internal communications, and globals for external communications.  ULA is
> not by design intended to be used with any form of NAT.  Any organisation
> that cares enough about renumbering implications of changing provider
> should be able to obtain/afford PI.

Nowhere do I mention NPT.

ULA is used by clients (desktops, laptops, handhelds) to talk to internal
servers. A PD prefix is used by clients to talk to the public Internet
(ideally with privacy options).

Servers are assigned a ULA-prefix IPv6 address statically (and put in DNS).
If they want to talk to the outside world (e.g., for software updates)
they have to go through a bastion / proxy host of some kind.

If the ISP is changed, the new one is set up ahead of time, and all the
clients start using its prefix over the course of a week/month. Once it's
confirmed that no traffic is going through the old ISP, service is
terminated. Servers (and DNS) have not had to be altered, and the dynamic
nature of most clients allows them to be self-updated. IMHO servers should
always be statically configured (i.e., not using RAs or some such), and so
it would be necessary to manually touch them otherwise (modulo things like
Puppet, Chef, etc.).

The above scenario allows stability for static devices, better tracking on
the ULA prefix for internal communication, and privacy for external
communication. No NAT or NPT needed.

Even for small businesses (<50 people) this would be useful to an IT
consultant (notwithstanding wanting to put more hours in): all the static
stuff (servers, PBXes) can be left untouched, and a new ISP could be
connected. Or if the company is bought out (a scenario that I've dealt
with), all the "important" bits are self-contained in a nice routable
entry which can be connected to the mega-corp's WAN: no address conflicts
since ULA should be fairly unique.
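As an added illustration of the scheme described in this message (example code, not from the ipv6-ops thread or any of its posters), the Python below derives an RFC 4193 ULA /48 with the hash-based Global ID algorithm that is the basis for the "fairly unique" claim, classifies addresses as ULA or global the way the scheme uses them, and runs two checks over a constructed set of flow records: which sources are still inside the old ISP's delegated prefix (the confirmation step before the old service is terminated), and which flows pair a ULA source with a global destination, which cannot work when there is no NAT or NPT at the edge. The ULA prefix, EUI-64, timestamp and flows are all constructed; the documentation range 2001:db8::/32 stands in for the two ISP delegations.

```python
"""
Added example for the ULA + provider-prefix scheme discussed above.
Not code from the ipv6-ops list or its posters. All addresses are
constructed: 2001:db8::/32 (documentation range) stands in for the ISP
delegations and fd12:3456:789a::/48 is a made-up ULA.
"""
import hashlib
import ipaddress
import struct

ULA = ipaddress.IPv6Network("fc00::/7")            # RFC 4193 unique local addresses
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # provider-assigned global space


def generate_ula_prefix(eui64: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low-order 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64); prefix = fd00::/8 with the
    Global ID appended, giving a /48. The timestamp is passed in rather
    than read from the clock so the result is reproducible here."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    global_id = digest[-5:]                          # least significant 40 bits
    prefix = bytes([0xFD]) + global_id + bytes(10)   # fd | Global ID | zero subnet + IID
    return ipaddress.IPv6Network((prefix, 48))


def address_kind(addr: str) -> str:
    """Classify an address as the scheme uses it: ULA for internal
    servers/clients, global (delegated) for talking to the Internet."""
    a = ipaddress.IPv6Address(addr)
    if a in ULA:
        return "ula"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"  # link-local, loopback, multicast, ...


def scope_mismatches(flows):
    """Flows whose endpoints are not both ULA or both global. With no NAT/NPT
    at the edge, a ULA source cannot reach a global destination, so such a
    flow points at a host whose source-address selection is wrong."""
    bad = []
    for src, dst in flows:
        s, d = address_kind(src), address_kind(dst)
        if s != d or s == "other":
            bad.append((src, dst))
    return bad


def sources_on_prefix(flows, prefix: str):
    """Sorted list of sources still inside `prefix` (e.g. the old ISP's
    delegation): the check to run before the old service is terminated."""
    net = ipaddress.IPv6Network(prefix)
    return sorted({src for src, _ in flows if ipaddress.IPv6Address(src) in net})


# Constructed sample flows (source, destination); not real traffic.
OLD_ISP = "2001:db8:aaaa::/48"   # prefix delegated by the ISP being retired
NEW_ISP = "2001:db8:bbbb::/48"   # prefix delegated by the replacement ISP
SAMPLE_FLOWS = [
    ("fd12:3456:789a:10::1a2b", "fd12:3456:789a:1::53"),   # client -> internal DNS over ULA
    ("2001:db8:bbbb:10::f00d", "2001:db8:cccc::80"),       # client -> Internet via new ISP
    ("2001:db8:aaaa:10::beef", "2001:db8:cccc::80"),       # laggard still using old ISP
    ("fd12:3456:789a:10::1a2b", "2001:db8:cccc::80"),      # ULA source to global destination
]

if __name__ == "__main__":
    # Constructed EUI-64 and NTP timestamp, used only to make the run reproducible.
    ula = generate_ula_prefix(bytes.fromhex("0200000000000001"), 0x1234567800000000)
    print("generated ULA /48:", ula)
    print("still sourcing from old ISP prefix:", sources_on_prefix(SAMPLE_FLOWS, OLD_ISP))
    print("ULA/global scope mismatches:", scope_mismatches(SAMPLE_FLOWS))
```

In practice the flow records would come from a flow exporter or firewall log at the border; the point of `sources_on_prefix` is that the old delegation is only safe to drop once it returns an empty list for a full reporting period.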
