Use of unique local IPv6 addressing rfc4193

Thu Sep 8 23:15:01 UTC 2016

You can also easily police a subnet.

On Sep 8, 2016 6:11 PM, "Pshem Kowalczyk" <pshem.k at gmail.com> wrote:

> With NAT I have a single entry/exit point to those infrastructure subnets
> which can be easily policed.
> If I give them public IPs then they're routable and potentially can reach
> the internet via devices that don't police the traffic.
>
> My real question is does anyone bother with the fc00::/7 addressing or do
> you use your public space (and police that)?
>
> kind regards
> Pshem
>
>
> On Fri, 9 Sep 2016 at 10:27 Mark Andrews <marka at isc.org> wrote:
>
> >
> > In message <CAEaZiRU+wgQ0GDzxcmtqKO=_
> > SASAVsNX31Q_70Q+uDM1oeoHrQ at mail.gmail.com>, Pshem Kowalczyk writes:
> > > Hi,
> > >
> > > We're looking at rolling out IPv6 to our internal DC infrastructure.
> > Those
> > > systems support only our internal network and in the IPv4 world they
> all
> > > live in 'private' space of 10.0.0.0/8. I was wondering if anyone uses
> > the
> > > fc00::/7 space for these sort of things or do ppl use a bit of their
> > public
> > > IPv6 allocation and manage the security for those ranges?
> > > I realise I'd have to use a proxy or NAT66 for the regular outbound
> > > connectivity (but we do it already for IPv4 anyway). The truth is that
> > even
> > > if we do use something out of our public allocation we're likely to do
> > the
> > > same thing (just to be sure that nothing spills out accidentally).
> > >
> > > So what do you do in this space?
> > >
> > > kind regards
> > > Pshem
> >
> > If you have a NAT you can't prevent things spilling out.  The ONLY
> > way to prevent things spilling out is to not connect the network
> > in any shape or form.
> >
> > All NAT does is make it harder to run your network and increases
> > the cost of software development.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> >
>