Use of unique local IPv6 addressing rfc4193

Octavio Alvarez octalnanog at alvarezp.org
Fri Sep 9 08:02:37 UTC 2016


On 09/08/2016 04:09 PM, Pshem Kowalczyk wrote:
> With NAT I have a single entry/exit point to those infrastructure subnets
> which can be easily policed.

I have used NAT in IPv4 scenarios as an alternative for lack of routing
control in the return direction.

However, this does not mean that this is the correct, best or orthodox
way, even for IPv4, much less in IPv6.

So, even though you can hack your way using NAT, this is really a
routing problem, not an addressing problem. And you will just create
problems for your users, your developers, yourself and third parties.

> If I give them public IPs then they're routable and potentially can reach
> the internet via devices that don't police the traffic.

First: this can happen with NAT too. If other devices have access to the
Internet, they can just NAT themselves even if the third-party exit has
a private address.

Second: private addresses can reach the Internet too. Many devices and
ISPs don't block RFC5375-sourced packets from the Internet. So they can
go out, although they can't come back. This is enough to create
unsourceable attacks.

In both cases NAT isn't really solving any of your problems fully. It's
just a misconception.

> My real question is does anyone bother with the fc00::/7 addressing or do
> you use your public space (and police that)?

I use public address space and I have made sure I have a single point of
exit and return for my traffic.

If I understood your concerns correctly, then I'd add that if the user
forces traffic through third-party exit points, service is not
guaranteed, as the third party may BCP38-filter it. If you want to
absolutely prevent that, NAT will not help. You'll need other techniques.

Best regards and good luck!
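As an added illustration of the point made above (this is example code, not part of Octavio's message or the thread), the following script models the policing a site can do at its single point of exit and return without NAT: a BCP38-style egress check that only lets packets sourced from the site's own assigned prefixes leave, so ULA (fc00::/7) or RFC 1918 sources are dropped at the border rather than leaking out as unsourceable traffic, and an ingress check that drops inbound packets claiming an internal or ULA source. The site prefixes and the packet records are constructed sample values; `SITE_PREFIXES`, `classify_source`, `bcp38_egress`, `bcp38_ingress` and `audit_packets` are names chosen for this example.

```python
import ipaddress

# Prefixes assumed to be assigned to this site (constructed example values).
SITE_PREFIXES = [
    ipaddress.ip_network("2001:db8:1234::/48"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Ranges that must never appear as a source address on the public Internet.
ULA = ipaddress.ip_network("fc00::/7")               # RFC 4193 unique local
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(addr):
    """Classify a source address as 'ula', 'rfc1918', 'site' or 'foreign'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip in ULA:
        return "ula"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    # ipaddress returns False for a v4/v6 mismatch, so mixed lists are safe.
    if any(ip in net for net in SITE_PREFIXES):
        return "site"
    return "foreign"


def bcp38_egress(src):
    """Outbound packet may leave only if it carries one of our own prefixes."""
    return classify_source(src) == "site"


def bcp38_ingress(src):
    """Inbound packet is accepted only if its source is a genuine outside address."""
    return classify_source(src) == "foreign"


def audit_packets(records):
    """Apply the egress/ingress rules to (direction, src) records.

    Returns a list of (direction, src, class, verdict) tuples so the result can
    be logged or asserted on; 'drop' marks traffic the border would discard.
    """
    results = []
    for direction, src in records:
        cls = classify_source(src)
        allowed = bcp38_egress(src) if direction == "out" else bcp38_ingress(src)
        results.append((direction, src, cls, "pass" if allowed else "drop"))
    return results


if __name__ == "__main__":
    # Constructed sample packets as seen at the site's exit/return point.
    sample = [
        ("out", "2001:db8:1234::10"),   # our public space: leaves normally
        ("out", "fd12:3456:789a::1"),   # ULA host trying to reach the Internet
        ("out", "10.0.0.5"),            # RFC 1918 host, same problem in IPv4
        ("in",  "2001:db8:ffff::1"),    # legitimate outside source
        ("in",  "2001:db8:1234::10"),   # spoofed as one of our own addresses
        ("in",  "fd00::1"),             # ULA source arriving from outside
    ]
    for row in audit_packets(sample):
        print("%-3s %-20s %-8s %s" % row)
```

The egress rule is what keeps a ULA-numbered host from emitting packets that can go out but never come back; the ingress rule is the policing the third-party exit in the thread cannot be relied on to perform, which is why it belongs at the site's own single point of exit and return.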



More information about the NANOG mailing list