[148864] in North American Network Operators' Group
Re: using ULA for 'hidden' v6 devices?
daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Wed Jan 25 13:04:38 2012
Date: Wed, 25 Jan 2012 13:03:52 -0500 (EST)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: nanog@nanog.org
In-Reply-To: <3B3D95F0-7E5E-417B-889B-3E5ABC660AD3@wisc.edu>
On Wed, 25 Jan 2012, Dale W. Carder wrote:

> We have one customer in particular with a substantial non-publicly
> reachable v6 deployment with globally assigned addresses. I believe
> there is no need to replicate the headaches of rfc1918 in the next
> address-family eternity.

The one big issue I could see with doing that is that the vulnerability
exposure, particularly from the outside world, is larger if devices that
don't need public addresses have them. For example, if a network engineer
or NOC person accidentally removes a "hide my public infrastructure from
the outside world" from an interface on a border router...

As others have mentioned, things like management interfaces on access
switches, printers, and IP phones would be good candidates to hide with
ULA.

jms