using ULA for 'hidden' v6 devices?

Thu Jan 26 12:43:07 UTC 2012

Local traffic shouldn't need to touch the CPE regardless of ULA or
GUA.  Also note that we already have the link local scope for traffic
between hosts on the same link (which is all hosts in a typical home
network); ULA only becomes useful if routing is involved which is not
the typical deployment for the home.

ULA is useful, on the other hand, if NPT is used.  NPT is not NAT, and
doesn't have any of the nastiness of NAT.

Using NPT to maintain consistent addressing internally would keep
things more simple for end-users, and would allow for things like CPE
being able to perform flow-based load-balancing between multiple
providers (which would fall more in line with the expectations of the
SMB and power-user audience).

I'm also not sure what the correct answer is to using a randomly
generated prefix vs. a predictable prefix for home networks.  ULA was
an attempt to resolve address overlap for routed private networks in
the event of mergers.  The majority of home users will never have this
concern.  Having a predictable prefix for home environments (ambiguous
local addressing?) might be useful for documentation, troubleshooting,
and support.

I think a lot of the question has to do with what the role of CPE will
be going forward.  As long as we're talking dual-stack, having
operational consistency between IPv4 and IPv6 makes sense.  If it's an
IPv6-only environment, then things become a lot more flexible (do we
even need CPE to include a firewall, or do we say host-based firewalls
are sufficient, for example).

Glad to see thoughtful consideration is being put into these topics,
though.  Thank you, Tim.

On Thu, Jan 26, 2012 at 6:15 AM, Tim Chown <tjc at ecs.soton.ac.uk> wrote:
> On 26 Jan 2012, at 11:10, George Bonser wrote:
>
>>> The potential advantage of ULAs is that you have a stable internal
>>> addressing scheme within the homenet, while your ISP-assigned prefix
>>> may change over time.  You run ULAs alongside your PA prefix.  ULAs are
>>> not used for host-based NAT.  The implication is that all homenet
>>> devices carry a ULA, though whether some do not also have a global PA
>>> address is open for debate.
>>
>> Yeah, there's some advantage to that.  Have a "corp.foo.com" domain that is the native domain for the internal machines while the foo.com domain that is visible to the outside world has outside accessible addressing.
>
> Perhaps host.local or host.home internally and host.foo.com externally, though the latter could/should work internally as well.
>
>>> There's a suggestion that ULAs could be used to assist security to some
>>> extent, allowing ULA to ULA communications as they are known to be
>>> within the homenet.
>>
>> Not sure how that assists security unless you simply want to limit site-site communications to your ULA ranges only, then sure.  In practice, sites often back each other up and you can have external traffic for site A using site B for its internet access, but that's not a big deal, just need to keep your internal and external traffic separated which any good admin will do as a matter of course, anyway.
>
> It was a suggestion a previous homenet session, but the security aspect of homenet is lagging rather behind the current focus of routing and prefix delegation.  The usefulness of the suggestion does depend on ULA filtering at borders, and defining the borders.
>
> I'm interested in views as one of the editors of the homenet architecture text.
>
> Tim
>
>

-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/