using ULA for 'hidden' v6 devices?

Owen DeLong owen at delong.com
Wed Jan 25 17:46:54 CST 2012


On Jan 25, 2012, at 10:03 AM, Justin M. Streiner wrote:

> On Wed, 25 Jan 2012, Dale W. Carder wrote:
> 
>> We have one customer in particular with a substantial non-publicly
>> reachable v6 deployment with globally assigned addresses.  I believe
>> there is no need to replicate the headaches of rfc1918 in the next
>> address-family eternity.
> 
> The one big issue I could see with doing that is that the vulnerability exposure, particularly from the outside world, is larger if devices that don't need public addresses have them.  For example, if a network engineer or NOC person accidentally removes a "hide my public infrastructure from the outside world" from an interface on a border router...
> 

Use different GUA ranges for internal and external. It's easy enough to get an additional prefix.

> As others have mentioned, things like management interfaces on access switches, printers, and IP phones would be good candidates to hide with ULA.

Or non-advertised, filtered GUA. Works just as well either way.

Owen
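The arrangement Owen describes (a separate GUA prefix for internal-only gear that is neither advertised nor reachable through the border filter) holds only as long as both layers stay in place, which is exactly the slip Justin raises. Added example, not code from the thread or from NANOG: a small Python audit that takes a constructed address plan in RFC 3849 documentation space, with each prefix tagged "internal" or "external", plus a constructed model of a border router's announcements, ACLs and interface bindings, and reports every way an internal prefix would become reachable. It checks advertisement and filtering independently, so an announced aggregate is flagged even when the ACL is still present. All prefixes, ACL names and interface names are made up.

```python
"""Audit that internal-only GUA prefixes stay unadvertised and filtered at the
border. Added example with constructed data; not code from the NANOG thread."""
from dataclasses import dataclass
from ipaddress import IPv6Network
from typing import Dict, List, Optional


@dataclass
class AclEntry:
    action: str         # "permit" or "deny"
    dst: IPv6Network    # destination prefix this entry matches


@dataclass
class BorderInterface:
    name: str
    inbound_acl: Optional[str]   # ACL applied inbound, None if nothing is bound


@dataclass
class BorderConfig:
    advertised: List[IPv6Network]          # prefixes announced to upstreams
    acls: Dict[str, List[AclEntry]]        # ACL name -> ordered entries
    interfaces: List[BorderInterface]      # external-facing interfaces


# Constructed address plan in RFC 3849 documentation space: one GUA prefix for
# customer-facing services, a second one for management/infrastructure only.
PLAN = {
    IPv6Network("2001:db8:1::/48"): "external",
    IPv6Network("2001:db8:2::/48"): "internal",
}


def prefix_fully_denied(acl: List[AclEntry], prefix: IPv6Network) -> bool:
    """First-match evaluation, the way router ACLs work: the prefix counts as
    blocked only if a deny covering all of it is reached before any
    overlapping permit. A deny covering only part of the prefix is not enough
    on its own."""
    for entry in acl:
        if not entry.dst.overlaps(prefix):
            continue
        if entry.action == "permit":
            return False
        if prefix.subnet_of(entry.dst):
            return True
    # Assumption: the list ends in an explicit "permit any", so falling off the
    # end means the traffic is allowed.
    return False


def audit(plan: Dict[IPv6Network, str], cfg: BorderConfig) -> List[str]:
    """Return one finding per way an 'internal' prefix becomes reachable."""
    findings = []
    for prefix, role in plan.items():
        if role != "internal":
            continue
        for adv in cfg.advertised:
            if adv.overlaps(prefix):
                findings.append(f"{prefix} is covered by advertisement {adv}")
        for iface in cfg.interfaces:
            if iface.inbound_acl is None:
                findings.append(f"{iface.name}: no inbound ACL, {prefix} reachable")
                continue
            acl = cfg.acls.get(iface.inbound_acl, [])
            if not prefix_fully_denied(acl, prefix):
                findings.append(
                    f"{iface.name}: ACL {iface.inbound_acl} does not fully deny {prefix}")
    return findings


def good_config() -> BorderConfig:
    """Constructed intended state: only the external /48 announced, inbound
    filter bound on the border interface and denying the internal /48."""
    return BorderConfig(
        advertised=[IPv6Network("2001:db8:1::/48")],
        acls={"BORDER-IN": [AclEntry("deny", IPv6Network("2001:db8:2::/48")),
                            AclEntry("permit", IPv6Network("::/0"))]},
        interfaces=[BorderInterface("upstream-a", "BORDER-IN")],
    )


def filter_removed_config() -> BorderConfig:
    """The slip described in the thread: the ACL still exists, but it is no
    longer bound to the interface."""
    cfg = good_config()
    cfg.interfaces = [BorderInterface("upstream-a", None)]
    return cfg


def aggregate_leak_config() -> BorderConfig:
    """A second common slip: the whole /32 aggregate is announced, which also
    covers the internal /48 even though the ACL is still in place."""
    cfg = good_config()
    cfg.advertised = [IPv6Network("2001:db8::/32")]
    return cfg


if __name__ == "__main__":
    for label, cfg in [("good", good_config()),
                       ("filter removed", filter_removed_config()),
                       ("aggregate leak", aggregate_leak_config())]:
        print(label, audit(PLAN, cfg) or ["ok"])
```

Running the audit from config backups or a provisioning pipeline turns the "non-advertised, filtered GUA" intent into something checked on every change, which is the piece ULA gives you for free and separate GUA does not.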



