using ULA for 'hidden' v6 devices?
tjc at ecs.soton.ac.uk
Thu Jan 26 05:15:55 CST 2012
On 26 Jan 2012, at 11:10, George Bonser wrote:
>> The potential advantage of ULAs is that you have a stable internal
>> addressing scheme within the homenet, while your ISP-assigned prefix
>> may change over time. You run ULAs alongside your PA prefix. ULAs are
>> not used for host-based NAT. The implication is that all homenet
>> devices carry a ULA, though whether some do not also have a global PA
>> address is open for debate.
> Yeah, there's some advantage to that. Have a "corp.foo.com" domain that is the native domain for the internal machines while the foo.com domain that is visible to the outside world has outside accessible addressing.
Perhaps host.local or host.home internally and host.foo.com externally, though the latter could/should work internally as well.
>> There's a suggestion that ULAs could be used to assist security to some
>> extent, allowing ULA to ULA communications as they are known to be
>> within the homenet.
> Not sure how that assists security unless you simply want to limit site-site communications to your ULA ranges only, then sure. In practice, sites often back each other up and you can have external traffic for site A using site B for its internet access, but that's not a big deal, just need to keep your internal and external traffic separated which any good admin will do as a matter of course, anyway.
It was a suggestion at a previous homenet session, but the security aspect of homenet is lagging rather behind the current focus of routing and prefix delegation. The usefulness of the suggestion does depend on ULA filtering at borders, and defining the borders.
I'm interested in views as one of the editors of the homenet architecture text.
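
The following is an added example, not part of the original message: a sketch of the border rule the thread turns on, where ULA-to-ULA traffic is treated as internal only if both ends sit in the site's own ULA /48 and nothing in fc00::/7 (RFC 4193) crosses the border. The /48 prefix, the "lan"/"wan" interface labels and the function name are assumptions made for illustration.

```python
import ipaddress

# fc00::/7 is the unique local address range defined by RFC 4193.
ULA = ipaddress.ip_network("fc00::/7")
# Constructed sample value: the ULA /48 this homenet generated for itself.
HOMENET_ULA = ipaddress.ip_network("fd12:3456:789a::/48")


def classify(src, dst, iface):
    """Classify a packet seen by the border router.

    iface is a hypothetical label for the arrival side: "lan" (inside the
    homenet) or "wan" (the ISP-facing link). Returns one of:
      "trusted-internal"  both ends are in this site's own ULA /48
      "global-policy"     no ULA involved; normal firewall policy applies
      "drop"              a ULA is crossing, or claiming to cross, the border
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)

    if s not in ULA and d not in ULA:
        return "global-policy"

    # A ULA source is only evidence of "inside the homenet" when the packet
    # arrived on an internal interface AND both ends match our own /48.
    # Membership of fc00::/7 alone proves nothing: another site's ULA, or a
    # spoofed one arriving from the WAN, falls through to drop.
    if iface == "lan" and s in HOMENET_ULA and d in HOMENET_ULA:
        return "trusted-internal"

    return "drop"


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, arrival interface).
    samples = [
        ("fd12:3456:789a:1::10", "fd12:3456:789a:2::20", "lan"),
        ("fd12:3456:789a:1::10", "fd12:3456:789a:2::20", "wan"),
        ("fdaa:bbbb:cccc::1", "fd12:3456:789a:2::20", "lan"),
        ("fd12:3456:789a:1::10", "2001:db8:ffff::1", "lan"),
        ("2001:db8:1200::10", "2001:db8:ffff::1", "lan"),
    ]
    for src, dst, iface in samples:
        print(f"{iface:3} {src} -> {dst}: {classify(src, dst, iface)}")
```

The "trusted-internal" verdict is only as strong as the border definition: if the WAN-side drop is missing, a ULA source address says nothing about where a packet came from.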