[141931] in North American Network Operators' Group


Re: Question about migrating to IPv6 with multiple upstreams.

daemon@ATHENA.MIT.EDU (Randy Carpenter)
Tue Jun 14 13:44:54 2011

Date: Tue, 14 Jun 2011 13:43:32 -0400 (EDT)
From: Randy Carpenter <rcarpen@network1.net>
To: William Herrin <bill@herrin.us>
In-Reply-To: <BANLkTimBXoHzBZLUXVMwUsmtoSgo+z6nXg@mail.gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


> Hi Ray,
> 
> There's a nuance here you've missed.
> 
> There are two main reasons for ULA inside the network:
> 
> 1. Address stability (simplifies network management)
> 2. Source obfuscation (improves the depth of the security plan)
> 
> Option 1: Obfuscation desired.
> 
> ULA inside. NAT/PAT at both borders. You don't use prefix translation
> here because prefix translation does little obfuscation: it has a 1:1
> relationship with each individual host and still reveals the internal
> routing structure.
> 
> Option 2: Stability, no obfuscation desired.
> 
> ULA inside, prefix translation at both borders.
> 
> Option 3: Neither stability nor obfuscation required.
> 
> GUA from one of the providers inside. Prefix translation to the other
> provider for the connections desired out that border. Giving the hosts
> real GUA addresses maximizes application compatibility.

Why doesn't GUA give you address stability? I would think that it would provide the best stability.

And in terms of obfuscation, why couldn't we use DHCPv6 to give reasonably random addresses?

Also, I don't see how prefix translation reveals my internal routing structure.

I don't really see the point in ULA. It just seems like "The Return of RFC 1918, Part II, the Sequel."


-Randy
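
An added illustration, not part of either poster's message, of the 1:1 property the quoted text attributes to prefix translation. It assumes "prefix translation" means the stateless, checksum-neutral /48 mapping of RFC 6296 (NPTv6); the prefixes and host addresses are constructed samples, and `translate` is a hypothetical helper name.

```python
import ipaddress

def _oc_add(a, b):
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def _oc_sum48(net):
    """One's-complement sum of the three 16-bit words of a /48 prefix."""
    top = int(net.network_address) >> 80
    total = 0
    for shift in (32, 16, 0):
        total = _oc_add(total, (top >> shift) & 0xFFFF)
    return total

def translate(addr, src_net, dst_net):
    """Rewrite addr from src_net/48 into dst_net/48, RFC 6296 style.

    Only the 16-bit subnet word is adjusted (to keep transport checksums
    valid); the 64-bit interface identifier is copied unchanged.
    """
    addr = ipaddress.IPv6Address(addr)
    src_net = ipaddress.IPv6Network(src_net)
    dst_net = ipaddress.IPv6Network(dst_net)
    if src_net.prefixlen != 48 or dst_net.prefixlen != 48:
        raise ValueError("this sketch handles /48 prefixes only")
    if addr not in src_net:
        raise ValueError("address is not inside the source prefix")
    # adjustment = sum(source prefix) - sum(destination prefix), one's complement
    adjustment = _oc_add(_oc_sum48(src_net), ~_oc_sum48(dst_net) & 0xFFFF)
    value = int(addr)
    subnet = _oc_add((value >> 64) & 0xFFFF, adjustment)
    if subnet == 0xFFFF:          # 0xFFFF and 0x0000 are both "zero"; use 0x0000
        subnet = 0
    iid = value & ((1 << 64) - 1)
    return ipaddress.IPv6Address(
        int(dst_net.network_address) | (subnet << 64) | iid)

# Constructed sample prefixes: a ULA /48 inside, a documentation /48 outside.
INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"

if __name__ == "__main__":
    for host in ("fd01:203:405:1::1234", "fd01:203:405:1::abcd",
                 "fd01:203:405:2::1"):
        outside = translate(host, INSIDE, OUTSIDE)
        back = translate(outside, OUTSIDE, INSIDE)
        print(f"{host:24} -> {str(outside):26} -> {back}")
```

Hosts on the same inside subnet come out on the same outside subnet with their interface identifiers intact, and the mapping reverses without any state on the translator.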

