using "reserved" IPv6 space
jeroen at unfix.org
Fri Jul 13 17:01:55 UTC 2012
On 2012-07-13 18:11, Tom Cooper wrote:
> As an IPv6 newbie myself
Play with it and get your ears wet; it is still not entirely too late to
start to learn to swim ;)
>, I wonder how hosts handle link local, ULA and
> global addresses.
> For example, if you have some internal web traffic used for intranet use
> only, do you bind those servers to use only ULA addresses? This way your
> internal users with ULA addressing only have access to those servers? No
> need to give intranet-only servers a global address if they're not needed
> to be accessed globally.
You could do that indeed, thus have clients have only a global (and
link-local) address and only make a certain prefix, be that ULA or a
specific chunk of your global prefix, available only to the internal
network that is used for your internal services.
As long as the prefix is stable you likely do not care if it is global
or ULA, since when a misconfiguration happens in such a way that that
prefix is not properly firewalled away or gets routed, it happened. As
can be clearly seen in various routing tables, filtering is not happening
everywhere, thus it won't buy you that much; proper policy, automation
and verification will avoid fat fingers much better though.
Also, note that a firewalled prefix only brings one that much security;
the higher chance is that the client host gets infected or compromised.
> Is there a way for hosts to "prefer" or "attempt" to connect to a service
> by first trying a link-local scope, then a ULA and finally a global address
> if its off the AS?
RFC3484, aka /etc/gai.conf and friends on other OSs. It is not easy to
distribute this though.
> I really like the idea of ULA and think it makes much more sense than
> RFC1918 + NAT. I just don't have any deployment experience with it yet so
> I'm curious how the host would handle it.
ULA is meant for non-internet connected devices. As such NAT does not
come into play, as one will have a unique ULA prefix that will not clash
when you interconnect them privately with other networks.
RFC1918 + NAT primarily makes sense as it allows one to hook up devices
to the Internet without 'wasting' more public addresses; that problem
does not exist with IPv6 though.
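As an added illustration, not part of the thread, here is a Python sketch of the RFC 3484 policy-table lookup that /etc/gai.conf tunes: only the precedence rule (rule 6) is modelled, with a constructed override table that ranks link-local above ULA above global, as the question asks; the scope, label and longest-matching-prefix rules of the full algorithm are left out, and all addresses are constructed examples.

```python
import ipaddress

# RFC 3484 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]

# Constructed override in gai.conf spirit: link-local (fe80::/10) and ULA
# (fc00::/7) get a higher precedence than the generic ::/0 global entry, so
# internal services reachable on those prefixes are tried before global ones.
INTERNAL_FIRST_POLICY = DEFAULT_POLICY + [
    ("fe80::/10", 47, 6),
    ("fc00::/7", 45, 5),
]


def policy_lookup(addr, policy=DEFAULT_POLICY):
    """Longest-prefix match of addr against the policy table.

    IPv4 literals are mapped to ::ffff:a.b.c.d first, as RFC 3484 does.
    Returns (precedence, label) of the most specific matching row.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + addr)
    best = None  # (prefixlen, precedence, label)
    for prefix, precedence, label in policy:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    return best[1], best[2]


def order_destinations(dests, policy=DEFAULT_POLICY):
    """RFC 3484 rule 6: highest precedence first; ties keep input order."""
    return sorted(dests, key=lambda a: policy_lookup(a, policy)[0], reverse=True)


if __name__ == "__main__":
    # Constructed candidates: documentation global, ULA and link-local.
    candidates = ["2001:db8::1", "fd12:3456::1", "fe80::1"]
    print(order_destinations(candidates))                        # default table
    print(order_destinations(candidates, INTERNAL_FIRST_POLICY))  # override
```

Keep in mind that in glibc's gai.conf the built-in default table is dropped as soon as any precedence line is present, so an override must restate every default row it still wants.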