mapping public to private IPv6 networks when firewalling
Johan REMY
ipv6-ops-cluenet at remy-fr.eu
Tue Nov 29 11:32:23 CET 2011
>Johan,
>
>On 2011-11-29 06:01, Johan REMY wrote:
>> *Tore Anderson
>>
>>> * Phil Mayers
>>
>>>> On 11/28/2011 06:10 AM, Erik Kline wrote:
>>>>> Much more interesting I think is ULA + global prefix on the same link.
>>>>> When all "internal-only" services have ULAs in DNS then internal
>>>>> communication remains via stable ULA addressing. External
>>>>> communication can be via the global prefix addresses, and as long
>>>>> as these aren't in internal DNS then renumbering is less of a
>>>>> problem than it otherwise would be.
>>>> AIUI, that won't work well (yet). Current RFC 3484 tables don't "know"
>>>> ULA, so will assume it's a normal prefix and try to use it for
>>>> global traffic.
>>> Actually global addresses + ULAs on the same link is likely to work
>>> well, due to the longest matching prefix rule in RFC 3484 (fc00::/7
>>> and
>>> 2000::/3) has a common prefix length of 0). The ULA dualstack
>>> brokenness problem occurs when there's only ULAs on the link plus a
>>> default IPv6 route, as most operating systems will then
>>> unsuccessfully attempt to use the ULAs, timeout, before eventually falling back on IPv4.
>>
>> I have already try this but it is really broken.
>> ULA IPv6 + Global IPv6 , both via RA on win7. Default route learned via RA too, no static config (the point is to be automatic). It tries to use ULA addresses to surf the internet and makes that configuration impossible for production environment. DHCPv6 currently doesn't help.
>> ULA + global is for me the real good solution (way better than NAT) but a lot a thing needs to be fixed before it can be used.
>
>draft-ietf-6man-rfc3484-revise is supposed to fix this. Not sure when Windows will get it though.
Thanks, I didn't know about that draft. However, I fear it will reach standard and be integrated in OS too late. IPv6 NAT might be ready before and we'll be forced to use it as it doesn't change IPv4 usages.
Now is the time people starts to feel concern and they design there networks (or at least think about it). Ends customers are asking for advice to their operator and we currently cannot give them a good solution. It is between "you will have to renumber", or "take PI space", or "do some tricky nat/specific routing/..". Considering they don't want to renumber and that PI is too hard/expensive for them, they just don't do IPv6, or in a few months, they'll do some NAT.
More information about the ipv6-ops
mailing list