[142802] in North American Network Operators' Group


Re: best practices for management nets in IPv6

daemon@ATHENA.MIT.EDU (James Harr)
Wed Jul 13 11:23:00 2011

In-Reply-To: <339D6250-1106-4590-8AC9-592A78351216@antelope.net>
From: James Harr <james.harr@gmail.com>
Date: Wed, 13 Jul 2011 10:22:05 -0500
To: Joel Maslak <jmaslak@antelope.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I couldn't agree more. If you set up private address space, it's going
to come back and make more work for you later. Set up public IPv6
addresses. If you need stateful connection filtering, put in a
stateful firewall.

If you really really need address obfuscation, you can still do NAT,
but NAT from public addresses to a public address or pool of public
addresses. If you ever need to turn off NAT, it's a lot easier than
renumbering hundreds of machines, and you always have the option of
disabling it per-host instead of doing an all-or-nothing transition.

On Tue, Jul 12, 2011 at 7:32 PM, Joel Maslak <jmaslak@antelope.net> wrote:
> Public IPs.
>
> At some point you will have to manage something outside your current world
> or your organization will need to merge/partner/outsource/contract/etc with
> someone else's network and they might not be keen to route to your ULA space
> (and might not be more trustworthy than the internet at large anyhow).
> Think about things like VPN endpoints, video devices, telephones, etc, that
> may end up on a public network, maybe behind a device you manage. You may
> just manage routers today, but who knows about tomorrow. Put behind a
> firewall and use good ingress filtering throughout your network, separating
> trust zones with distinct subnets.
>
> If you are worried about forgetting to enable a firewall, put in a network
> management system to verify connectivity stays blocked combined with a
> monitored IDS.
>



-- 
^[:wq^M


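The "verify connectivity stays blocked" monitoring that the quoted reply recommends, as an added example that is not part of this thread or anyone's posted code. It is a negative reachability check meant to run from a vantage point outside the management trust zone: every management endpoint must look filtered (no answer at all). An answered connection is a violation, and so is a plain "connection refused", because a refusal means the packets reached the host and the firewall in front of it is no longer dropping them. The 2001:db8::/32 addresses, port list and host roles are constructed placeholders; the `connect` parameter is injectable so the check can be exercised offline.

```python
"""Negative reachability check for a public-IPv6 management net.

Added example (not from the NANOG thread).  Run it from OUTSIDE the
management trust zone; the expected state for every target is "filtered".
"""
import socket
from dataclasses import dataclass

# Constructed inventory: management endpoints that must NOT be reachable
# from this vantage point.  2001:db8::/32 is IPv6 documentation space.
MGMT_TARGETS = [
    ("2001:db8:100::10", 22),   # hypothetical core router, SSH
    ("2001:db8:100::10", 830),  # hypothetical core router, NETCONF
    ("2001:db8:100::20", 443),  # hypothetical NMS web UI
]


@dataclass
class Finding:
    host: str
    port: int
    result: str       # "open" | "refused" | "filtered" | "error"
    violation: bool


def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Attempt one TCP connect and classify how the path treated it.

    `connect` defaults to socket.create_connection; tests pass a fake.
    """
    try:
        sock = connect((host, port), timeout=timeout)
        sock.close()
        return "open"                  # handshake completed: fully exposed
    except ConnectionRefusedError:
        return "refused"               # host answered with RST: not filtered
    except (socket.timeout, TimeoutError):
        return "filtered"              # silent drop: what a DROP rule looks like
    except OSError:
        return "error"                 # no route, unreachable, etc.: inconclusive


def check(targets=MGMT_TARGETS, timeout=3.0, connect=socket.create_connection):
    """Probe every target; only a silent drop ("filtered") passes policy.

    "error" is reported but not counted as a violation, because it says
    nothing about the firewall (the vantage point may simply lack a route).
    """
    findings = []
    for host, port in targets:
        result = probe(host, port, timeout, connect)
        findings.append(Finding(host, port, result,
                                violation=result in ("open", "refused")))
    return findings


def violations(findings):
    """Subset of findings a NMS/IDS operator should be paged about."""
    return [f for f in findings if f.violation]


def main():
    findings = check()
    for f in findings:
        flag = "VIOLATION" if f.violation else "ok"
        print(f"[{f.host}]:{f.port} {f.result:9s} {flag}")
    # Non-zero exit lets a cron job or NMS poller turn this into an alert.
    return 1 if violations(findings) else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it on a schedule from each outside vantage point (an Internet-facing probe host, a partner-connected segment) and alert on a non-zero exit; a sudden shift from "filtered" to "refused" is the early warning that a firewall rule or its state tracking was lost, even before any port is actually open.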