[148889] in North American Network Operators' Group
Re: using ULA for 'hidden' v6 devices?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jan 25 18:50:13 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <Pine.LNX.4.64.1201251255390.16219@whammy.cluebyfour.org>
Date: Wed, 25 Jan 2012 15:46:54 -0800
To: "Justin M. Streiner" <streiner@cluebyfour.org>
Cc: nanog@nanog.org
On Jan 25, 2012, at 10:03 AM, Justin M. Streiner wrote:
> On Wed, 25 Jan 2012, Dale W. Carder wrote:
>
>> We have one customer in particular with a substantial non-publicly
>> reachable v6 deployment with globally assigned addresses. I believe
>> there is no need to replicate the headaches of rfc1918 in the next
>> address-family eternity.
>
> The one big issue I could see with doing that is that the
> vulnerability exposure, particularly from the outside world, is larger
> if devices that don't need public addresses have them. For example, if
> a network engineer or NOC person accidentally removes a "hide my public
> infrastructure from the outside world" from an interface on a border
> router...
>
Use different GUA ranges for internal and external. It's easy enough to
get an additional prefix.
> As others have mentioned, things like management interfaces on access
> switches, printers, and IP phones would be good candidates to hide with
> ULA.
Or non-advertised, filtered GUA. Works just as well either way.
Owen
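An added example, not from the thread or from any of the posters, of the audit a network team could run against the two designs discussed above (ULA for hidden devices versus a separate, non-advertised GUA prefix). Given an inventory of internal devices, it reports which ones would be globally routable if the border filter on the advertised prefix were removed, and which ones sit in space that is never announced or is ULA and so do not depend on that filter. All prefixes and device names are constructed placeholders (2001:db8::/32 is documentation space); substitute the prefixes you actually hold and announce.

```python
"""Audit IPv6 device addresses against advertised, internal and ULA space.

Added example for the NANOG thread on ULA vs. non-advertised GUA; the
prefixes and inventory below are constructed, not a real deployment.
"""
import ipaddress

# Constructed prefixes standing in for a site's real allocations.
ADVERTISED_GUA = [ipaddress.ip_network("2001:db8:1::/48")]  # announced upstream
INTERNAL_GUA = [ipaddress.ip_network("2001:db8:2::/48")]    # held, never announced
ULA_SPACE = ipaddress.ip_network("fc00::/7")                # RFC 4193 unique local


def classify(addr_str):
    """Return which class of space an IPv6 address falls in.

    'ula'            - RFC 4193 space, never routed on the Internet
    'internal-gua'   - global addresses from a prefix we hold but do not announce
    'advertised-gua' - global addresses inside a prefix we announce; only the
                       border filter keeps these unreachable from outside
    'other'          - anything else (typo in inventory, foreign prefix, ...)
    """
    addr = ipaddress.ip_address(addr_str)
    if addr.version != 6:
        raise ValueError("IPv6 addresses only: %s" % addr_str)
    if addr in ULA_SPACE:
        return "ula"
    if any(addr in net for net in INTERNAL_GUA):
        return "internal-gua"
    if any(addr in net for net in ADVERTISED_GUA):
        return "advertised-gua"
    return "other"


def exposure_if_filter_removed(devices):
    """Names of devices whose reachability from the Internet rests solely on
    the border filter, i.e. whose address lies in an announced prefix.

    devices: mapping of device name -> IPv6 address string.
    """
    return sorted(name for name, addr in devices.items()
                  if classify(addr) == "advertised-gua")


# Constructed inventory mixing the three kinds of addresses from the thread.
SAMPLE_DEVICES = {
    "printer-3f": "fd12:3456:789a::10",        # ULA
    "sw-access-01 mgmt": "2001:db8:2:10::1",   # non-advertised GUA
    "ip-phone-204": "2001:db8:2:20::204",      # non-advertised GUA
    "core-rtr-01 lo0": "2001:db8:1:ffff::1",   # advertised GUA, filter-dependent
    "www": "2001:db8:1:80::80",                # advertised GUA, meant to be public
}

if __name__ == "__main__":
    for name, addr in SAMPLE_DEVICES.items():
        print("%-20s %-24s %s" % (name, addr, classify(addr)))
    print("filter-dependent:", exposure_if_filter_removed(SAMPLE_DEVICES))
```

Run periodically against the real inventory, anything listed as filter-dependent that is not meant to be public is a candidate for renumbering into the non-advertised prefix (or ULA), which is the point both posters are making from different directions.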