using ULA for 'hidden' v6 devices?
owen at delong.com
Wed Jan 25 17:46:54 CST 2012
On Jan 25, 2012, at 10:03 AM, Justin M. Streiner wrote:
> On Wed, 25 Jan 2012, Dale W. Carder wrote:
>> We have one customer in particular with a substantial non-publicly
>> reachable v6 deployment with globally assigned addresses. I believe
>> there is no need to replicate the headaches of rfc1918 in the next
>> address-family eternity.
> The one big issue I could see with doing that is that the vulnerability exposure, particularly from the outside world, is larger if devices that don't need public addresses have them. For example, if a network engineer or NOC person accidentally removes a "hide my public infrastructure from the outside world" from an interface on a border router...
Use different GUA ranges for internal and external. It's easy enough to get an additional prefix.
> As others have mentioned, things like management interfaces on access switches, printers, and IP phones would be good candidates to hide with ULA.
Or non-advertised, filtered GUA. Works just as well either way.
More information about the NANOG