[142899] in North American Network Operators' Group
RE: best practices for management nets in IPv6
daemon@ATHENA.MIT.EDU (Ryan Finnesey)
Sun Jul 17 21:58:35 2011
Date: Sun, 17 Jul 2011 18:58:22 -0700
In-Reply-To: <CAEAFGYiWk=rC4rAVpHOnHvVaEBCp4w=BiBuS060bhKYJXPVGUQ@mail.gmail.com>
From: "Ryan Finnesey" <ryan.finnesey@HarrierInvestments.com>
To: "James Harr" <james.harr@gmail.com>, "Joel Maslak" <jmaslak@antelope.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
We are designing a new hosted Exchange environment as well as a Multi-Tenant Desktop as a Service environment, and we are going to use IPv6 public addresses.
Cheers
Ryan
-----Original Message-----
From: James Harr [mailto:james.harr@gmail.com]
Sent: Wednesday, July 13, 2011 11:22 AM
To: Joel Maslak
Cc: nanog@nanog.org
Subject: Re: best practices for management nets in IPv6
I couldn't agree more. If you set up private address space, it's going to come back and make more work for you later. Set up public IPv6 addresses. If you need stateful connection filtering, put in a stateful firewall.
If you really really need address obfuscation, you can still do NAT, but NAT from public addresses to a public address or pool of public addresses. If you ever need to turn off NAT, it's a lot easier than renumbering hundreds of machines, and you always have the option of disabling it per-host instead of doing an all-or-nothing transition.
On Tue, Jul 12, 2011 at 7:32 PM, Joel Maslak <jmaslak@antelope.net> wrote:
> Public IPs.
>
> At some point you will have to manage something outside your current world, or your organization will need to merge/partner/outsource/contract/etc. with someone else's network, and they might not be keen to route to your ULA space (and might not be more trustworthy than the internet at large anyhow). Think about things like VPN endpoints, video devices, telephones, etc., that may end up on a public network, maybe behind a device you manage. You may just manage routers today, but who knows about tomorrow. Put it behind a firewall and use good ingress filtering throughout your network, separating trust zones with distinct subnets.
>
> If you are worried about forgetting to enable a firewall, put in a network management system to verify connectivity stays blocked, combined with a monitored IDS.
>
--
^[:wq^M
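The "verify connectivity stays blocked" check Joel suggests above, written out as an added example (this is editor-supplied code, not something posted in the thread). The idea is a negative reachability test: run it from a host in a less-trusted zone and probe the management-net addresses that the firewall should be dropping; anything that completes a handshake, or even answers with a RST, means packets crossed the trust boundary. The addresses and ports below are constructed (2001:db8::/32 documentation prefix, hypothetical router SSH, OOB web UI and NETCONF), and the `probe` parameter exists so the classification logic can be exercised without a live network.

```python
"""Negative reachability check for an IPv6 management network.

Added example, not from the NANOG thread. Run from a host in a
less-trusted zone: every (address, port) in MGMT_TARGETS is expected to
be unreachable from here. Anything that answers is a filtering gap that
a monitoring system should alert on.
"""
import socket
from dataclasses import dataclass

# Constructed sample targets (documentation prefix, hypothetical hosts).
# These must NOT be reachable from the zone this script runs in.
MGMT_TARGETS = [
    ("2001:db8:0:feed::10", 22),   # hypothetical router management SSH
    ("2001:db8:0:feed::11", 443),  # hypothetical out-of-band web UI
    ("2001:db8:0:feed::12", 830),  # hypothetical NETCONF over SSH
]


@dataclass(frozen=True)
class ProbeResult:
    address: str
    port: int
    outcome: str  # "open", "refused", "filtered" or "unreachable"


def tcp_probe(address: str, port: int, timeout: float = 2.0) -> str:
    """Classify a single IPv6 TCP connect attempt to [address]:port.

    "open"        -> handshake completed: the path is not blocked at all.
    "refused"     -> RST came back: the host is reachable, only the port
                     is closed. The filter still let the SYN through, so
                     this is treated as a violation too.
    "filtered"    -> timed out, which is what a drop rule looks like.
    "unreachable" -> ICMPv6 unreachable or no route (reject rule, or no
                     route to the management prefix from this zone).
    """
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((address, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def check_blocked(targets, probe=tcp_probe):
    """Return the ProbeResults that violate the 'stays blocked' expectation.

    "filtered" (drop) and "unreachable" (reject) are both acceptable
    outcomes. "open" and "refused" both mean the boundary was crossed and
    are reported. `probe` is injectable so the logic can be tested
    offline with a fake.
    """
    violations = []
    for address, port in targets:
        outcome = probe(address, port)
        if outcome in ("open", "refused"):
            violations.append(ProbeResult(address, port, outcome))
    return violations


if __name__ == "__main__":
    bad = check_blocked(MGMT_TARGETS)
    for v in bad:
        print(f"ALERT: {v.address} port {v.port} is {v.outcome} from this zone")
    # Non-zero exit so a cron job or NMS check turns this into an alarm.
    raise SystemExit(1 if bad else 0)
```

Schedule it from each untrusted zone rather than from the management net itself; a probe that originates inside the trusted zone proves nothing about the filter. Treating "refused" as a failure is deliberate: a RST shows the SYN reached the host, so the ingress filter, not the host's listener list, is what is being tested.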
_____
NANOG mailing list
NANOG@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog