Using IPv6 with prefixes shorter than a /64 on a LAN

Lamar Owen lowen at pari.edu
Thu Feb 3 18:05:32 UTC 2011


On Thursday, February 03, 2011 10:39:28 am TJ wrote:
> Correct me if I am wrong, but won't Classified networks get their
> addresses IAW the DoD IPv6 Addressing Plan (using globals)?

'Classified' networks are not all governmental.  HIPAA requirements can be met with SCIFs, and those need 'classified' networks.

Here, we have some control networks that one could consider 'classified' in the access control sense of the word, that is, even if a host is allowed access it must have a proven need to access, and such access needs supervision by another host.  

This type of network is used here for our large antenna controls, which need to be network accessible on-campus but such access must have two points of supervision (one of which is an actual person), with accessing hosts not allowed to access other networks while accessing the antenna controller.  This has been an interesting network design problem, and turns traditional 'stateful' firewalling on its ear, as the need is to block access when certain connections are open, and permit access otherwise.  It's made some easier since wireless access is not an option (interferes with the research done with the antennas), and wireless APs and cell cards are actively hunted down, as well as passively hindered with shielding in the areas which have network access to the antenna controllers.

It's a simple matter of protecting assets that would cost millions to replace if the controllers were given errant commands, or if the access to those controllers were to be hacked.
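
The access rule described in this message (two points of supervision, and no other network reachable while the controller is in use) can be sketched as a small policy gate. This is an added example, not part of the original post and not the site's actual implementation; the `Gate` class, the documentation-prefix addresses, and the rule that an approval covers a single session are all assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed value: the post gives no addresses, so a documentation prefix is used.
CONTROL_NET = ip_network("2001:db8:a::/64")   # hypothetical antenna-controller LAN
REQUIRED = {"person", "host"}                 # the two points of supervision

@dataclass
class Gate:
    """Tracks open flows per host and applies the exclusion rule both ways."""
    flows: dict = field(default_factory=dict)      # host -> set of open destinations
    approvals: dict = field(default_factory=dict)  # host -> set of supervisor kinds

    def approve(self, host, kind):
        self.approvals.setdefault(host, set()).add(kind)

    @staticmethod
    def to_control(dst):
        return ip_address(dst) in CONTROL_NET

    def permit(self, host, dst):
        open_dsts = self.flows.get(host, set())
        if self.to_control(dst):
            # Controller access needs both supervisors and no flow to any other network.
            if not REQUIRED <= self.approvals.get(host, set()):
                return False
            return all(self.to_control(d) for d in open_dsts)
        # Any other destination is blocked while a controller session is open.
        return not any(self.to_control(d) for d in open_dsts)

    def open(self, host, dst):
        if not self.permit(host, dst):
            return False
        self.flows.setdefault(host, set()).add(dst)
        return True

    def close(self, host, dst):
        self.flows.get(host, set()).discard(dst)
        if self.to_control(dst):
            # Assumption: supervision is granted per session and lapses on close.
            self.approvals.pop(host, None)
```

Unlike a conventional stateful firewall, the decision for a new flow depends on which other flows the same host already has open, so the gate must see every flow from the accessing host, not only those toward the controller.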



