mapping public to private IPv6 networks when firewalling
Phil Mayers
p.mayers at imperial.ac.uk
Mon Nov 28 09:58:34 CET 2011
On 11/28/2011 06:10 AM, Erik Kline wrote:
>> I suspect that the model of "ULA on the inside network and 6296 at the
>> border" is going to be a very common scenario for people who want to
>> avoid "the pain of renumbering," or who still mistakenly believe that
>> NAT is a security tool. In any case, that method will work essentially
>> the same way that your 1:1 NAT for IPv4 is working for you now.
>
> Much more interesting I think is ULA + global prefix on the same link.
> When all "internal-only" services have ULAs in DNS then internal
> communication remains via stable ULA addressing. External
> communication can be via the global prefix addresses, and as long as
> these aren't in internal DNS then renumbering is less of a problem
> than it otherwise would be.
>
AIUI, that won't work well (yet). Current RFC 3484 tables don't "know"
ULA, so will assume it's a normal prefix and try to use it for global
traffic. See:
http://getipv6.info/index.php/Customer_problems_that_could_occur
...and search for "ULA". Some OSes don't handle the lifetime=0 trick in
RFC 6204 either.
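The policy-table behaviour described in the reply above, worked through as an added example (this is not code from the original thread or from any of the referenced RFCs). It implements a deliberately reduced subset of the RFC 3484 algorithm: longest-match lookup in the policy table, source selection by rules 6 and 8 only (matching label, then longest common prefix), and destination ordering by rules 5, 6 and 9 only (matching label, higher precedence, longest common prefix). Both default policy tables are transcribed from the RFCs; the host addresses and the DNS answers are constructed for the illustration. The point it shows is the one in the mail: under the RFC 3484 table a ULA falls into `::/0` with the same label and precedence as a global prefix, so a host with only a ULA and IPv4 ranks a remote global IPv6 address above the remote IPv4 address and tries to reach it from the ULA; the RFC 6724 table gives `fc00::/7` its own label and a low precedence, so IPv4 wins.

```python
import ipaddress

# Default policy tables as published: (prefix, precedence, label).
RFC3484_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]

RFC6724_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),   # ULA gets its own label and a low precedence
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]

# Constructed scenario: a host with a ULA and IPv4 only (no global IPv6),
# talking to a dual-stack peer whose DNS returns a global AAAA and an A.
# IPv4 addresses are represented as IPv4-mapped IPv6, as the RFCs do.
SOURCES = ["fd12:3456:789a:1::10", "::ffff:192.0.2.10"]
DESTS = ["2001:db8:2::1", "::ffff:198.51.100.1"]


def lookup(table, addr):
    """Longest-prefix match in a policy table; returns (precedence, label)."""
    a = ipaddress.IPv6Address(addr)
    best = None
    for prefix, prec, label in table:
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    return best[1], best[2]


def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()


def select_source(table, dst, sources):
    """Reduced RFC 3484 section 5: rule 6 (matching label), rule 8 (longest match)."""
    dst_label = lookup(table, dst)[1]

    def key(src):
        return (lookup(table, src)[1] == dst_label, common_prefix_len(src, dst))

    return max(sources, key=key)


def order_destinations(table, dsts, sources):
    """Reduced RFC 3484 section 6: rule 5 (matching label), rule 6 (precedence),
    rule 9 (longest match). Returns destinations best-first."""

    def key(dst):
        src = select_source(table, dst, sources)
        prec, label = lookup(table, dst)
        return (label == lookup(table, src)[1], prec, common_prefix_len(src, dst))

    return sorted(dsts, key=key, reverse=True)


def first_choice(table):
    """The destination the host would try first under a given policy table."""
    return order_destinations(table, DESTS, SOURCES)[0]


if __name__ == "__main__":
    for name, table in (("RFC 3484", RFC3484_TABLE), ("RFC 6724", RFC6724_TABLE)):
        dst = first_choice(table)
        print(f"{name}: ULA classified as {lookup(table, SOURCES[0])}, "
              f"first destination tried: {dst} from {select_source(table, dst, SOURCES)}")
```

With the RFC 3484 table the host tries 2001:db8:2::1 from fd12:3456:789a:1::10, which is exactly the "ULA used for global traffic" failure; with the RFC 6724 table it tries 198.51.100.1 first. Real stacks apply the full rule set (scope, deprecated addresses, outgoing interface, privacy addresses), so this only reproduces the label/precedence part of the decision.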