[177699] in North American Network Operators' Group


Re: IPv6 allocation plan, security, and 6-to-4 conversion

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jan 30 20:34:53 2015

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CADzy1LaF89Oh9=wJ64dThGcAQBGcdg+nwNjuvxiuaLwakfscoA@mail.gmail.com>
Date: Fri, 30 Jan 2015 17:32:27 -0800
To: Karsten Elfenbein <karsten.elfenbein@gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On Jan 30, 2015, at 07:12 , Karsten Elfenbein <karsten.elfenbein@gmail.com> wrote:
>
> Hi,
>
> 2015-01-30 0:28 GMT+01:00 Eric Louie <elouie@techintegrity.com>:
>> I'm putting together my first IPv6 allocation plan.  The general layout:
>> /48 for customers universally and uniformly
>> /38 for larger regions on an even (/37) boundary
>> /39 for smaller regions on an even (/38) boundary
>> A few /48's for "internal use" to allow us to monitor and maintain systems.
>
> Depending on how many regions you have I would just go for /40 as it
> is the byte boundary or request a bigger block and use the /32.

Given that ARIN policy allows you two levels of nibble-round-up, I'd suggest
putting your regions all at /36, actually, assuming you have enough customers
in your largest region to justify more than 75% of a /40 (which I assume to be the
case given the limited information provided).

Don't make your network fit inside a /32 if it doesn't fit conveniently. Get a /28 instead.

>
>> For security sake, do I need (am I better off) to "reserve" a "management
>> block" (/39, /40, /41 or something of that nature) that does NOT get
>> advertised into BGP to my upstreams, and use that for my device management
>> and monitoring address space?  In other words, make a small "private"
>> address space for management?  What are folks doing around that?
>
> Do not spam the BGP table for that. Use firewalls or ACLs to prevent
> unwanted access.

Exactly!

> You could use Unique Local addresses (ULA) for this if you have some
> VPN infrastructure in your network.

But only if you are truly a masochist. It's so much easier to do this with GUA and
filters.

> Not announcing these blocks does not prevent people on your network to
> access these areas.

Among other various issues with using announcement control in lieu of actual
security policy.

>> If I have to do 6-to-4 conversion, is there any way to do that with
>> multiple diverse ISP connections, or am I "restricted" to using one
>> entry/exit point?  (If that's true, do I need to allocate a separate block
>> of addresses that would be designated "6 to 4" so they'd always be routed
>> out that one entry/exit point?)
>
> I would not use 6to4 as it tunnels the IPv6 traffic over IPv4 which is
> a pain to control.

6to4 is in the process of being moved to historic status in the IETF for good reason.
If you're deploying real IPv6, there's no need to add any 6to4 headaches into your environment.
At its best, 6to4 was for people who couldn't get real IPv6 transport. Today, it's mostly an anachronism.

Owen

