IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

Owen DeLong owen at delong.com
Fri Mar 2 11:34:05 UTC 2018


> On Mar 2, 2018, at 1:50 AM, Saku Ytti <saku at ytti.fi> wrote:
> 
> Enno et al ULA fans
> 
> I could not agree more.
> 
> Either you provide your enterprise customers a transportable address or
> ULA. If you assign and promote them to use your 'PA' address, they
> will take your PA address with them when they change operator 10 years
> from now, and if you reuse it, these two customers cannot reach each
> other. Why? Because anyone who has worked at a non-trivial size
> enterprise knows that even just finding out what needs to be done to
> renumber internal networks is a massively long, expensive and error-prone
> proposal; there will be tons of documents and scripts in
> non-standard locations containing IP addresses punched in.

This, right here, is inherently a very good reason NOT to use ULA IMHO.

See, no matter how widely you deploy ULA, those same scripts are still going to use
the provider assigned public addresses that work for all the things they care about and
not just local connectivity.  Instead, you adopted a false sense of security and made
it more confusing when things do get renumbered.

I completely agree that PI is the way to go and that PA was a silly idea whose time
is long past. For home users, perhaps PA is OK for a little while longer (wouldn’t
make me happy in my home, but I’ve got PI, so whatever other folks want to do
isn’t my problem here).

> No matter how well you do your job, you cannot impact how others do,
> and you must expect them to continue working as they have in the past,
> and you must realise when that poses risk to yourself and protect
> yourself from that.

Which won’t happen with ULA.

> ULA on the inside and 1:1 to operator address at the edge is what I've
> been recommending to my enterprise customers since we started to offer
> IPv6 commercially. Fits their existing processes and protects me from
> creating tainted unusable addresses.

Oh, please. NAT all over again? That’s another inherently very good reason
NOT to use ULA.

Owen

> 
> 
> On 2 March 2018 at 11:39, Enno Rey <erey at ernw.de> wrote:
>> Hi,
>> 
>> On Thu, Mar 01, 2018 at 09:30:32PM -0500, Harald Koch wrote:
>>> On 1 March 2018 at 18:48, Mark Andrews <marka at isc.org> wrote:
>>> 
>>>> ULA provide stable internal addresses which survive changing ISP
>>>> for the average home user.
>>> 
>>> 
>>> Yeah this is pretty much what I'm doing. ULA for stable, internal addresses
>>> that I can put into the (internal) DNS: ISP prefixes for global routing.
>>> Renumbering is hard.
>> 
>> as is proper (source|destination) address selection in a sufficiently complex environment.
>> for interest: for a system which must be both globally and internally reachable, which address do you put into which DNS?
>> 
>> 
>>> 
>>> All of the objections I've seen to ULA are actually objections to (IPv6)
>>> NAT, which is why I was confused.
>> 
>> the main objection against ULAs is avoidance of complexity in environments where at least some systems need global reach(ability), which applies to pretty much all environments nowadays.
>> 
>> best
>> 
>> Enno
>> 
>> 
>> 
>> 
>> 
>> 
>>> 
>>> (As it turns out my ISP prefix has been static for years, but I'm too lazy
>>> to undo all of the work...)
>>> 
>>> --
>>> Harald
>> 
>> --
>> Enno Rey
>> 
>> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
>> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
>> 
>> Handelsregister Mannheim: HRB 337135
>> Geschaeftsfuehrer: Matthias Luft, Enno Rey
>> 
>> =======================================================
>> Blog: www.insinuator.net || Conference: www.troopers.de
>> Twitter: @Enno_Insinuator
>> =======================================================
> 
> 
> 
> -- 
>  ++ytti
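The "1:1 to operator address at the edge" scheme Saku describes is prefix translation of the NPTv6 kind (RFC 6296), where the ULA /48 is swapped for the provider's /48 and a one's complement adjustment is added to the subnet word so that TCP/UDP checksums need no rewriting. The following Python is an added illustration, not code from this thread or from any of its posters: it computes that adjustment for a /48 pair and applies it in both directions, then checks that the mapping really is checksum-neutral. It assumes a /48 on both sides (the RFC's base case), uses a constructed ULA and the 2001:db8::/32 documentation prefix as the stand-in PA block, and its refusal of a subnet field that would become 0xFFFF is this example's own choice rather than a rule taken from the thread.

```python
import ipaddress

def _ones_add(a, b):
    """One's complement addition of two 16-bit words."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def _ones_sum(words):
    """One's complement sum of 16-bit words; 0xFFFF is normalised to 0."""
    total = 0
    for w in words:
        total = _ones_add(total, w)
    return 0 if total == 0xFFFF else total

def _words(addr):
    """Split a 128-bit IPv6 address into eight 16-bit words."""
    packed = ipaddress.IPv6Address(str(addr)).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def nptv6_adjustment(internal, external):
    """RFC 6296 adjustment: one's complement sum(internal /48) minus sum(external /48)."""
    inside, outside = ipaddress.IPv6Network(internal), ipaddress.IPv6Network(external)
    if inside.prefixlen != 48 or outside.prefixlen != 48:
        raise ValueError("this example only handles the /48 case")  # assumption
    s_in = _ones_sum(_words(inside.network_address)[:3])
    s_out = _ones_sum(_words(outside.network_address)[:3])
    return _ones_add(s_in, (~s_out) & 0xFFFF)  # subtraction in one's complement

def translate(addr, src_prefix, dst_prefix):
    """Swap the /48 prefix and add the adjustment to the subnet word (bits 48-63)."""
    words = _words(addr)
    words[:3] = _words(ipaddress.IPv6Network(dst_prefix).network_address)[:3]
    words[3] = _ones_add(words[3], nptv6_adjustment(src_prefix, dst_prefix))
    if words[3] == 0xFFFF:
        # This example's own choice: refuse an ambiguous subnet field.
        raise ValueError("subnet field would become 0xFFFF; choose another subnet")
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words)))

def checksum_neutral(a, b):
    """True if both addresses contribute the same one's complement sum."""
    return _ones_sum(_words(a)) == _ones_sum(_words(b))

# Constructed sample: a ULA /48 inside, 2001:db8:1::/48 standing in for the PA block.
ULA, PA = "fd12:3456:789a::/48", "2001:db8:1::/48"

if __name__ == "__main__":
    outside = translate("fd12:3456:789a:1::10", ULA, PA)
    print(outside, translate(outside, PA, ULA), checksum_neutral("fd12:3456:789a:1::10", outside))
```

Note that the subnet word on the outside (here 0x7c4a) is no longer the inside subnet number, which is exactly the sort of mapping those hard-coded addresses in scripts and documents will not know about.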
