best practices for management nets in IPv6

Mon Jul 18 01:58:22 UTC 2011

We our designing a new hosted exchange environment as well as Multi-Tenant Desktop as a Service environment and we are going to use IPv6 public address.

Cheers
Ryan

-----Original Message-----
From: James Harr [mailto:james.harr at gmail.com] 
Sent: Wednesday, July 13, 2011 11:22 AM
To: Joel Maslak
Cc: nanog at nanog.org
Subject: Re: best practices for management nets in IPv6

I couldn't agree more. If you set up private address space, it's going to come back and make more work for you later. Set up public IPv6 addresses. If you need stateful connection filtering, put in a stateful firewall.

If you really really need address obfuscation, you can still do NAT, but NAT from public addresses to public a public address or pool of public addresses. If you ever need to turn off NAT, it's a lot easier than renumbering hundreds of machines and you always have the option of disabling it per-host instead of doing an all-or-nothing transition.

On Tue, Jul 12, 2011 at 7:32 PM, Joel Maslak <jmaslak at antelope.net> wrote:
> Public IPs.
>
> At some point you will have to manage something outside your current world or your organization will need to merge/partner/outsource/contract/etc with someone else's network and they might not be keen to route to your ULA space (and might not be more trustworthy than the internet at large anyhow).  Think about things like VPN endpoints, video devices, telephones, etc, that may end up on a public network, maybe behind a device you manage.  You may just manage routers today, but who knows about tomorrow.  Put behind a firewall and use good ingress filtering throughout your network, separating trust zones with distinct subnets.
>
> If you are worried about forgetting to enable a firewall, put in a network management system to verify connectivity stays blocked combined with a monitored IDS.
>

--
^[:wq^M