misunderstanding scale

Michael Thomas mike at mtcc.com
Tue Mar 25 01:38:44 UTC 2014


On 03/24/2014 06:05 PM, Owen DeLong wrote:
>
> So ULA the printers (if you must).
>
> That doesn’t create a need for ULA on anything that talks to the internet, nor does it create a requirement to do NPT or NAT66.
>

From a security perspective, I wouldn't trust my printer to not number itself with a GUA. Unlike v4 with DHCP, any kind of glitch causing leakage of RA's-bearing-Global-prefixes (I'm sure there is a Greek Tragedy written about this) will cause it to number the interface with that prefix. You can argue that's misconfiguration and I wouldn't disagree, but it's just way too easy for the (printer) host to do, and it wouldn't be very apparent to anything but the host (printer).

I'm not entirely sure what the whole answer is to this. We're still talking about raw IP addresses here, so somebody would have to know the GUA the printer numbered itself to. Naming autodiscovery doesn't currently traverse subnets, though homenet and others are trying to relax that. Some sort of logic like "if I can't add my address to DNS then don't listen to incoming requests on my GUA" might be helpful, but as I said... people interested in this really should pay attention to the homenet working group which is charged, for better or worse, to sort a lot of this out.

Mike