[191332] in North American Network Operators' Group


Re: Use of unique local IPv6 addressing rfc4193

daemon@ATHENA.MIT.EDU (Pshem Kowalczyk)
Thu Sep 8 19:09:42 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <20160908222656.62E5E53946A8@rock.dv.isc.org>
From: Pshem Kowalczyk <pshem.k@gmail.com>
Date: Thu, 08 Sep 2016 23:09:28 +0000
To: Mark Andrews <marka@isc.org>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

With NAT I have a single entry/exit point to those infrastructure subnets
which can be easily policed.
If I give them public IPs then they're routable and potentially can reach
the internet via devices that don't police the traffic.

My real question is does anyone bother with the fc00::/7 addressing or do
you use your public space (and police that)?

kind regards
Pshem


On Fri, 9 Sep 2016 at 10:27 Mark Andrews <marka@isc.org> wrote:

>
> In message <CAEaZiRU+wgQ0GDzxcmtqKO=_SASAVsNX31Q_70Q+uDM1oeoHrQ@mail.gmail.com>, Pshem Kowalczyk writes:
> > Hi,
> >
> > We're looking at rolling out IPv6 to our internal DC infrastructure. Those
> > systems support only our internal network and in the IPv4 world they all
> > live in 'private' space of 10.0.0.0/8. I was wondering if anyone uses the
> > fc00::/7 space for these sort of things or do ppl use a bit of their public
> > IPv6 allocation and manage the security for those ranges?
> > I realise I'd have to use a proxy or NAT66 for the regular outbound
> > connectivity (but we do it already for IPv4 anyway). The truth is that even
> > if we do use something out of our public allocation we're likely to do the
> > same thing (just to be sure that nothing spills out accidentally).
> >
> > So what do you do in this space?
> >
> > kind regards
> > Pshem
>
> If you have a NAT you can't prevent things spilling out.  The ONLY
> way to prevent things spilling out is to not connect the network
> in any shape or form.
>
> All NAT does is make it harder to run your network and increases
> the cost of software development.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>
