Use of unique local IPv6 addressing rfc4193

Pshem Kowalczyk pshem.k at gmail.com
Thu Sep 8 23:09:28 UTC 2016


With NAT I have a single entry/exit point to those infrastructure subnets
which can be easily policed.
If I give them public IPs then they're routable and potentially can reach
the internet via devices that don't police the traffic.

My real question is does anyone bother with the fc00::/7 addressing or do
you use your public space (and police that)?

kind regards
Pshem


On Fri, 9 Sep 2016 at 10:27 Mark Andrews <marka at isc.org> wrote:

>
> In message <CAEaZiRU+wgQ0GDzxcmtqKO=_
> SASAVsNX31Q_70Q+uDM1oeoHrQ at mail.gmail.com>, Pshem Kowalczyk writes:
> > Hi,
> >
> > We're looking at rolling out IPv6 to our internal DC infrastructure.
> Those
> > systems support only our internal network and in the IPv4 world they all
> > live in 'private' space of 10.0.0.0/8. I was wondering if anyone uses
> the
> > fc00::/7 space for these sort of things or do ppl use a bit of their
> public
> > IPv6 allocation and manage the security for those ranges?
> > I realise I'd have to use a proxy or NAT66 for the regular outbound
> > connectivity (but we do it already for IPv4 anyway). The truth is that
> even
> > if we do use something out of our public allocation we're likely to do
> the
> > same thing (just to be sure that nothing spills out accidentally).
> >
> > So what do you do in this space?
> >
> > kind regards
> > Pshem
>
> If you have a NAT you can't prevent things spilling out.  The ONLY
> way to prevent things spilling out is to not connect the network
> in any shape or form.
>
> All NAT does is make it harder to run your network and increases
> the cost of software development.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>



More information about the NANOG mailing list