IPv6 network policies

David Freedman david.freedman at uk.clara.net
Sat Apr 10 01:44:41 CEST 2010
On 10/04/2010 00:35, "Steve Bertrand" <steve at ibctech.ca> wrote:

> ...while I'm at it, I might as well ask a couple other questions that
> I've been contemplating recently.
> 
> My network is _just_ under the size that two people can manage. We keep
> extensive documentation on almost absolutely everything (mostly automated).
> 
> There are a couple of areas that are grey and sketchy though. One of
> these areas is ACL management.
> 
> Although I use uRPF for everything, this doesn't fix the areas where
> ACLs are still needed (and in fact, I have ACLs in place on top of uRPF).

I can't have uRPF6 in many places due to lack of hardware support on my
vendor's equipment. This means resorting to ACLs. We have a lot of ACLs :)

> 
> An issue that I notice from time-to-time, is that I have an interface
> that has the appropriate v4 ACLs applied, but the v6 ones have been
> forgotten. What do other operators do to ensure consistency on ACL
> application in regards to both protocols?

Well, for us, we re-use the same framework we have in place for auditing
compliance of components of existing infrastructure; for us it is just
another check (i.e. v4 ACL present, v6 enabled, v6 ACL should be present).
Whether you have a large multifaceted system for auditing configs, or just a
set of simple scripts, the logic tests that can be applied remain the same.


> 
> The other 'question' I have is regarding a very sensitive area. I do not
> want to get into a war about this. I figure that this list is exactly
> where I should ask.
> 
> What I'm looking for is from _only_ those that use it, is how you
> document it, example config snips, if/how you reserve around it and from
> a topology standpoint how you alloc/assign it. I'm sorry, but I'm
> talking about /126 or /127 for ptp. I must admit, I am concerned with
> ping-pong and no real easy way to combat it, so I'd like operational
> feedback and education from those that use them without any traditional
> strong opinions from those that oppose it (if possible :)

We use /126, no strong opinions, just trying to be kinder on cross-training
the folk who are comfortable with using IPv4 /30s. (We were never a /31
adopter.)

Dave.


> 
> Steve
> 


------------------------------------------------
David Freedman 
Group Network Engineering
Claranet Limited
http://www.clara.net
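The "v4 ACL present, v6 enabled, v6 ACL should be present" check described in the reply above, written out as a small config-audit script. This is an added example, not code from the thread or from Claranet; it assumes a Cisco IOS-style configuration syntax (`ip access-group NAME in|out`, `ipv6 traffic-filter NAME in|out`), and the sample config it parses is constructed for illustration.

```python
"""Flag interfaces that carry an IPv4 ACL and have IPv6 enabled but lack the
matching IPv6 ACL in the same direction.  Added example, not from the thread;
the config syntax is IOS-like and SAMPLE_CONFIG is a constructed sample."""
import re
from dataclasses import dataclass, field

# Constructed sample config (not a real device).  Gi0/1 is consistent,
# Gi0/2 has IPv6 enabled with a v4 ACL inbound but no v6 filter inbound,
# Gi0/3 is IPv4-only, Loopback0 is IPv6-enabled with no ACLs at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
 ip access-group EDGE-IN in
 ipv6 address 2001:db8:0:1::1/126
 ipv6 traffic-filter EDGE6-IN in
!
interface GigabitEthernet0/2
 ip address 192.0.2.5 255.255.255.252
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
 ipv6 address 2001:db8:0:2::1/126
 ipv6 traffic-filter EDGE6-OUT out
!
interface GigabitEthernet0/3
 ip address 192.0.2.9 255.255.255.252
 ip access-group EDGE-IN in
!
interface Loopback0
 ipv6 enable
!
"""


@dataclass
class Interface:
    name: str
    ipv6_enabled: bool = False
    v4_acl: dict = field(default_factory=dict)  # direction -> ACL name
    v6_acl: dict = field(default_factory=dict)  # direction -> ACL name


def parse_interfaces(config: str) -> list:
    """Walk an IOS-style config and collect per-interface ACL/IPv6 state."""
    interfaces = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level statement
            m = re.match(r"interface\s+(\S+)", line)
            current = Interface(m.group(1)) if m else None
            if current is not None:
                interfaces.append(current)
            continue
        if current is None:
            continue
        cmd = line.strip()
        # Either a configured IPv6 address or a bare "ipv6 enable" means
        # the interface will forward IPv6 and therefore needs a v6 filter.
        if cmd.startswith("ipv6 address") or cmd == "ipv6 enable":
            current.ipv6_enabled = True
            continue
        m = re.match(r"ip access-group (\S+) (in|out)$", cmd)
        if m:
            current.v4_acl[m.group(2)] = m.group(1)
            continue
        m = re.match(r"ipv6 traffic-filter (\S+) (in|out)$", cmd)
        if m:
            current.v6_acl[m.group(2)] = m.group(1)
    return interfaces


def find_missing_v6_acls(interfaces):
    """Return (interface, direction, v4 ACL) for every direction that is
    filtered for IPv4 on an IPv6-enabled interface but unfiltered for IPv6."""
    findings = []
    for intf in interfaces:
        if not intf.ipv6_enabled:
            continue
        for direction, acl in sorted(intf.v4_acl.items()):
            if direction not in intf.v6_acl:
                findings.append((intf.name, direction, acl))
    return findings


def audit(config: str):
    """Convenience wrapper: parse a config and return the findings list."""
    return find_missing_v6_acls(parse_interfaces(config))


if __name__ == "__main__":
    for name, direction, acl in audit(SAMPLE_CONFIG):
        print(f"{name}: IPv4 ACL {acl} applied {direction}bound, "
              f"no IPv6 traffic-filter {direction}bound")
```

The check is deliberately per direction rather than per interface, since an interface with only an outbound v6 filter would otherwise pass while its inbound side stays open. Run it over a directory of config backups and the output is the list of interfaces where the v6 ACL was forgotten.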
More information about the ipv6-ops mailing list