IPv6 allocation plan, security, and 6-to-4 conversion

Karsten Elfenbein karsten.elfenbein at gmail.com
Fri Jan 30 15:12:47 UTC 2015


2015-01-30 0:28 GMT+01:00 Eric Louie <elouie at techintegrity.com>:
> I'm putting together my first IPv6 allocation plan.  The general layout:
> /48 for customers universally and uniformly
> /38 for larger regions on an even (/37) boundary
> /39 for smaller regions on an even (/38) boundary
> A few /48's for "internal use" to allow us to monitor and maintain systems.

Depending on how many regions you have I would just go for /40 as it
is the byte boundary or request a bigger block and use the /32.

> For security sake, do I need (am I better off) to "reserve" a "management
> block" (/39, /40, /41 or something of that nature) that does NOT get
> advertised into BGP to my upstreams, and use that for my device management
> and monitoring address space?  In other words, make a small "private"
> address space for management?  What are folks doing around that?

Do not spam the BGP table for that. Use firewalls or ACLs to prevent
unwanted access.
You could use Unique Local addresses (ULA) for this if you have some
VPN infrastructure in your network.
Not announcing these blocks does not prevent people on your network to
access these areas.

> If I have to do 6-to-4 conversion, is there any way to do that with
> multiple diverse ISP connections, or am I "restricted" to using one
> entry/exit point?  (If that's true, do I need to allocate a separate block
> of addresses that would be designated "6 to 4" so they'd always be routed
> out that one entry/exit point?)

I would not use 6to4 as it tunnels the IPv6 traffic over IPv4 which is
a pain to control.

Best regards

More information about the NANOG mailing list