[142760] in North American Network Operators' Group


Re: best practices for management nets in IPv6

daemon@ATHENA.MIT.EDU (Rubens Kuhl)
Tue Jul 12 17:56:14 2011

In-Reply-To: <FBFA8286DF47FD4A962B385021012AD452EA2BEF89@C4V1.xds.umail.utah.edu>
Date: Tue, 12 Jul 2011 18:55:10 -0300
From: Rubens Kuhl <rubensk@gmail.com>
To: Tom Ammon <tom.ammon@utah.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Jul 12, 2011 at 6:31 PM, Tom Ammon <tom.ammon@utah.edu> wrote:
> Hi All,
>
> We're pushing to get IPv6 deployed and working everywhere in our
> operation, and I had some questions about best practices for a few things.
>
> On your management nets (network device management nets), what's the
> best approach for addressing them? Do you use ULA? Or do you use global
> addresses and just depend on router ACLs to protect things? How close are
> we to having a central registry for unique local addresses, and will that
> really happen?

What if you apply for a /48 block as an end-user because the management
network is not part of your ISP-related /32 or larger block?
What if you happen to get that /48 and never announce it to the DFZ?
Then your attack surface gets very small (but still exists, you'll
need some ACLs here and there, notably your customers having
default-routes to your core).


Rubens
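
Added example, not part of the original post: a small audit of the design described above. It checks that no announced prefix overlaps the management /48 and flags customer-facing edges whose ingress ACL still lets customer traffic reach it. All prefixes, edge names and the ACL tuple format are constructed assumptions, not any vendor's syntax.

```python
import ipaddress as ip

def dfz_routes_covering(mgmt, announced):
    """Announced prefixes that overlap the management block (empty = no DFZ route to it)."""
    m = ip.ip_network(mgmt)
    return [p for p in announced if ip.ip_network(p).overlaps(m)]

def edge_exposes_mgmt(mgmt, customer, acl):
    """True if the ingress ACL lets any customer source reach any management address.

    acl is an ordered list of (action, src_prefix, dst_prefix); first match wins
    and the list ends in an implicit deny (assumed semantics).
    """
    m, c = ip.ip_network(mgmt), ip.ip_network(customer)
    for action, src, dst in acl:
        s, d = ip.ip_network(src), ip.ip_network(dst)
        if not (s.overlaps(c) and d.overlaps(m)):
            continue                 # rule cannot match customer -> mgmt traffic
        if action == "permit":
            return True              # some customer -> mgmt traffic is allowed
        if c.subnet_of(s) and m.subnet_of(d):
            return False             # deny covers the whole pair; later rules are moot
        # partial deny: keep scanning for a later permit
    return False                     # implicit deny at the end of the list

def audit(mgmt, announced, edges):
    """Summarise DFZ reachability and the edges that need an ACL fix."""
    return {
        "dfz_routes": dfz_routes_covering(mgmt, announced),
        "exposed_edges": sorted(name for name, (cust, acl) in edges.items()
                                if edge_exposes_mgmt(mgmt, cust, acl)),
    }

# Constructed sample data: a management /48 outside the ISP aggregate.
MGMT = "3fff:a::/48"
ANNOUNCED = ["2001:db8::/32"]
EDGES = {
    # customer default-routes to the core, but the edge ACL drops mgmt destinations
    "cust-a": ("2001:db8:100::/48", [("deny", "::/0", MGMT), ("permit", "::/0", "::/0")]),
    # customer default-routes to the core with no filter for the mgmt block
    "cust-b": ("2001:db8:200::/48", [("permit", "::/0", "::/0")]),
}

if __name__ == "__main__":
    print(audit(MGMT, ANNOUNCED, EDGES))
```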

