[142806] in North American Network Operators' Group
Re: best practices for management nets in IPv6
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Jul 13 13:18:55 2011
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <FBFA8286DF47FD4A962B385021012AD452EA2BEF89@C4V1.xds.umail.utah.edu>
Date: Wed, 13 Jul 2011 13:18:04 -0400
To: Tom Ammon <tom.ammon@utah.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 12, 2011, at 5:31 PM, Tom Ammon wrote:
> On your management nets (network device management nets), what's the best approach for addressing them? Do you use ULA? Or do you use global addresses and just depend on router ACLs to protect things? How close are we to having a central registry for unique local addresses, and will that really happen?
We allocate a /64 per subnet as that's what most of the management hosts expect.
We also build the CoPP/ACLs in a comparable way for the ipv6 afi as one does for the ipv4 afi to protect the device from unauthorized access.
Having access to a trusted net will get you a response to your SYN; you still need the ability to auth past that point to various devices/systems. Getting on that trusted net and protecting it is clearly something important.
Certainly one can go crazy with trying to secure one's networks by wrapping it in 802.1x with various backing systems. I do recommend making sure your security practices are sensible and not forgotten. Nothing like having a machine on the 'trusted' lan becoming compromised. Never know what's going to happen :)
- Jared
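As an added illustration of the point above about building the IPv6 CoPP/ACL the same way as the IPv4 one (example code, not part of the thread and not any vendor's configuration), the Python below models a default-deny management-plane policy per address family, checks that every IPv6 management prefix is the /64 hosts expect, and reports services that have a trusted-source class in one family but not the other. All prefixes, services and sample source addresses are constructed placeholders (documentation and ULA ranges), and the missing IPv6 SNMP class is a deliberate defect planted for the demo.

```python
"""Dual-stack management-plane ACL parity check (added example).

Models the idea that IPv6 CoPP/ACLs should mirror the IPv4 ones. All
prefixes, services and sample sources are constructed placeholders,
not values from the thread.
"""
from ipaddress import ip_address, ip_network

# Constructed policy: afi -> service -> trusted source prefixes.
# IPv6 uses one /64 per management subnet, as the post describes.
# Deliberate defect for the demo: "snmp" was never added for IPv6.
POLICY = {
    4: {
        "ssh":  [ip_network("192.0.2.0/24")],
        "snmp": [ip_network("192.0.2.0/24")],
        "ntp":  [ip_network("198.51.100.0/24")],
    },
    6: {
        "ssh":  [ip_network("2001:db8:ffff:1::/64"),
                 ip_network("fd00:db8:1::/64")],   # ULA management subnet
        "ntp":  [ip_network("2001:db8:ffff:2::/64")],
    },
}

ULA = ip_network("fc00::/7")


def is_ula(addr):
    """True if addr is an IPv6 unique local address (RFC 4193, fc00::/7)."""
    a = ip_address(addr)
    return a.version == 6 and a in ULA


def decide(policy, service, src):
    """Model a default-deny control-plane ACL for one service.

    Returns "permit" only when the source falls inside a trusted prefix
    of the matching address family; anything else, including a service
    with no class at all for that family, is "deny".
    """
    a = ip_address(src)
    for net in policy.get(a.version, {}).get(service, []):
        if a in net:
            return "permit"
    return "deny"


def parity_gaps(policy):
    """Services protected in one address family but missing in the other.

    Returns a sorted list of (afi, service) pairs naming the family in
    which the service has no trusted-source class.
    """
    gaps = []
    for afi, other in ((4, 6), (6, 4)):
        for service in policy.get(other, {}):
            if service not in policy.get(afi, {}):
                gaps.append((afi, service))
    return sorted(gaps)


def bad_v6_subnet_sizes(policy):
    """IPv6 management prefixes that are not the /64 hosts expect."""
    return sorted(
        str(net)
        for classes in policy.get(6, {}).values()
        for net in classes
        if net.prefixlen != 64
    )


if __name__ == "__main__":
    print("parity gaps:", parity_gaps(POLICY))
    print("non-/64 v6 prefixes:", bad_v6_subnet_sizes(POLICY))
    samples = (("ssh", "2001:db8:ffff:1::10"), ("ssh", "2001:db8:dead::1"),
               ("snmp", "2001:db8:ffff:1::10"), ("snmp", "192.0.2.10"))
    for svc, src in samples:
        print(f"{svc:5} from {src:22} -> {decide(POLICY, svc, src)}")
```

With a default-deny policy the missing IPv6 class silently blocks legitimate SNMP pollers on the trusted /64; with a permissive default it would instead leave the service reachable from anywhere over IPv6. The parity check surfaces the gap either way, which is the kind of routine audit the post's "sensible and not forgotten" advice calls for.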