Use of unique local IPv6 addressing rfc4193
pshem.k at gmail.com
Thu Sep 8 23:09:28 UTC 2016
With NAT I have a single entry/exit point to those infrastructure subnets
which can be easily policed.
If I give them public IPs then they're routable and potentially can reach
the internet via devices that don't police the traffic.
My real question is does anyone bother with the fc00::/7 addressing or do
you use your public space (and police that)?
On Fri, 9 Sep 2016 at 10:27 Mark Andrews <marka at isc.org> wrote:
> In message <CAEaZiRU+wgQ0GDzxcmtqKO=_
> SASAVsNX31Q_70Q+uDM1oeoHrQ at mail.gmail.com>, Pshem Kowalczyk writes:
> > Hi,
> > We're looking at rolling out IPv6 to our internal DC infrastructure.
> > systems support only our internal network and in the IPv4 world they all
> > live in 'private' space of 10.0.0.0/8. I was wondering if anyone uses
> > fc00::/7 space for these sort of things or do ppl use a bit of their
> > IPv6 allocation and manage the security for those ranges?
> > I realise I'd have to use a proxy or NAT66 for the regular outbound
> > connectivity (but we do it already for IPv4 anyway). The truth is that
> > if we do use something out of our public allocation we're likely to do
> > same thing (just to be sure that nothing spills out accidentally).
> > So what do you do in this space?
> > kind regards
> > Pshem
> If you have a NAT you can't prevent things spilling out. The ONLY
> way to prevent things spilling out is to not connect the network
> in any shape or form.
> All NAT does is make it harder to run your network and increases
> the cost of software development.
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the NANOG