Question about migrating to IPv6 with multiple upstreams.

Randy Carpenter rcarpen at network1.net
Tue Jun 14 17:43:32 UTC 2011


> Hi Ray,
> 
> There's a nuance here you've missed.
> 
> There are two main reasons for ULA inside the network:
> 
> 1. Address stability (simplifies network management)
> 2. Source obfuscation (improves the depth of the security plan)
> 
> Option 1: Obfuscation desired.
> 
> ULA inside. NAT/PAT at both borders. You don't use prefix translation
> here because prefix translation does little obfuscation: it has a 1:1
> relationship with each individual host and still reveals the internal
> routing structure.
> 
> Option 2: Stability, no obfuscation desired.
> 
> ULA inside, prefix translation at both borders.
> 
> Option 3: Neither stability nor obfuscation required.
> 
> GUA from one of the providers inside. Prefix translation to the other
> provider for the connections desired out that border. Giving the hosts
> real GUA addresses maximizes application compatibility.

Why doesn't GUA give you address stability? I would think that it would provide the best stability.

And in terms of obfuscation, why couldn't we use DHCPv6 to give reasonably random addresses?

Also, I don't see how prefix translation reveals my internal routing structure.

I don't really see the point in ULA. It just seems like "The Return of RFC 1918, Part II, the Sequel"


-Randy
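
The quoted statement that prefix translation keeps a 1:1 relationship with each host can be checked concretely. The following is an added example, not part of the original message: it assumes the translation behaves like NPTv6 (RFC 6296) between two /48 prefixes, and the prefixes, host addresses and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def _fold(x):
    # 16-bit ones' complement: add carries back into the low 16 bits
    while x > 0xFFFF:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def _words(addr):
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def nptv6_map(src, inside, outside):
    """Translate src from the inside /48 to the outside /48 (assumed RFC 6296 style)."""
    src = ipaddress.IPv6Address(src)
    inside, outside = ipaddress.IPv6Network(inside), ipaddress.IPv6Network(outside)
    if inside.prefixlen != 48 or outside.prefixlen != 48 or src not in inside:
        raise ValueError("example handles only /48-to-/48 translation")
    w = _words(src)
    in_sum = _fold(sum(_words(inside.network_address)[:3]))
    out_w = _words(outside.network_address)[:3]
    # Checksum-neutral adjustment: (inside prefix sum) - (outside prefix sum)
    adjust = _fold(in_sum + (~_fold(sum(out_w)) & 0xFFFF))
    subnet = _fold(w[3] + adjust)
    if subnet == 0xFFFF:          # 0xFFFF and 0 are both zero in ones' complement
        subnet = 0
    n = 0
    for word in out_w + [subnet] + w[4:]:
        n = (n << 16) | word
    return str(ipaddress.IPv6Address(n))

def group_by_subnet(external_addrs):
    """What an outside observer can derive: hosts per /64 and their interface IDs."""
    groups = defaultdict(list)
    for a in external_addrs:
        net = ipaddress.IPv6Network(f"{a}/64", strict=False)
        groups[str(net)].append(int(ipaddress.IPv6Address(a)) & (2**64 - 1))
    return dict(groups)

# Constructed sample: three ULA hosts on two internal subnets
INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"
HOSTS = ["fd01:203:405:1::1234", "fd01:203:405:1::5678", "fd01:203:405:2::1234"]

if __name__ == "__main__":
    seen = [nptv6_map(h, INSIDE, OUTSIDE) for h in HOSTS]
    for net, iids in group_by_subnet(seen).items():
        print(net, [hex(i) for i in iids])
```

In this sample each internal host maps to exactly one external address, hosts that share an internal /64 still share a /64 outside, and the interface ID is carried through unchanged.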



