Re: IPv6 fc00::/7 — Unique local addresses

Mark Andrews marka at isc.org
Thu Oct 21 00:37:33 UTC 2010


In message <AANLkTikxiibdH-3pggKAGxpU9KY0OyX-GczsQ8AjFomS at mail.gmail.com>, Jame
s Hess writes:
> On Wed, Oct 20, 2010 at 4:48 PM, Jeroen van Aart <jeroen at mompl.net> wrote:
> > <IPv6 newbie>
> 
> > these addresses, their address scope is global, i.e. they are expected to b
> e
> > globally unique."
> 
> The ULA /48s are hoped to only be globally unique,  but this only has
> a good chance of happening
> if   all users  pick good random numbers as required,   which will
> often be 'hard to read'.
> should any two networks pick non-random numbers,  they could easily
> conflict,  breaking expectations.
> 
> My suspicion is that in the future it is going to happen routinely,
> esp.   if  ULA  becomes to  IPv6  what
> RFC1918 space is to IPv4,   with  most end user networks implementing
>  NAT66  to translate  "private"
> /48 ULAs   to their site's  "public"    /48    assignment from their ISP.

Way to much "IPv4 think" here.  Just use multiple prefixes.  It
just works.  You talk to the external world using the prefix your
ISP provides and you talk to your internal machines using the ULA
prefix you choose.  No need for NAT66.

You move to a new ISP the machines just add a AAAA record to the
DNS for themselves and remove the old AAAA record.

> I can imagine generic $50  IPv6 broadband routers   getting
> distributed en-masse that hardcode  all bits 0
> ULA NAT66 by default, and expect the user to change the LAN IP subnet
> / NAT config  from the defaults,
> sometime while they're setting it up,  probably at the same time they
> change the admin password.

Or just have the CPE generate a ULA prefix correctly and write it
to NVRAM so you don't need to re-generate it.  The internal prefix
/ addresses *WILL* leak.  We know this from our experiences with
RFC 1918 addresses.  Any CPE vendor that fails to generate random
ULA prefixes should be shot.

> You know... the type of router a residential user plugs in, and they
> "just work",
> and if the user forgets to follow any setup or config directions,
> just pulls an IP via DHCP and
> sticks with some insecure defaults.
> 
> But it would still be a big improvement from what is available with V4.
> --
> -Jh
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org




More information about the NANOG mailing list