Use of unique local IPv6 addressing rfc4193

Hi,

We're looking at rolling out IPv6 to our internal DC infrastructure. Those
systems support only our internal network and in the IPv4 world they all
live in 'private' space of 10.0.0.0/8. I was wondering if anyone uses the
fc00::/7 space for these sort of things or do ppl use a bit of their public
IPv6 allocation and manage the security for those ranges?
I realise I'd have to use a proxy or NAT66 for the regular outbound
connectivity (but we do it already for IPv4 anyway). The truth is that even
if we do use something out of our public allocation we're likely to do the
same thing (just to be sure that nothing spills out accidentally).

So what do you do in this space?

kind regards
Pshem

If you have a NAT you can't prevent things spilling out. The ONLY
way to prevent things spilling out is to not connect the network
in any shape or form.

All NAT does is make it harder to run your network and increases
the cost of software development.

Mark

With NAT I have a single entry/exit point to those infrastructure subnets
which can be easily policed.
If I give them public IPs then they're routable and potentially can reach
the internet via devices that don't police the traffic.

My real question is does anyone bother with the fc00::/7 addressing or do
you use your public space (and police that)?

kind regards
Pshem

You can also easily police a subnet.

They can potentially reach the Internet even without public IPs.

All it takes is one idiot with a laptop with a Wifi and Internet
Connection Sharing.

Or one miscreant.

With NAT I have a single entry/exit point to those infrastructure subnets
which can be easily policed.
If I give them public IPs then they're routable and potentially can reach
the internet via devices that don't police the traffic.

If you wish to believe that, believe that, but it is only wishful
thinking.

My real question is does anyone bother with the fc00::/7 addressing

or do > you use your public space (and police that)?

ULA is normally used in parallel with public addressing if it is
used. IPv6 was designed to be deployed with multiple address and
prefixes per interface. When ULA is deployed you have ULA <-> ULA,
non-ULA <-> non-ULA. Non-privacy addresses for server functionality,
privacy addresses for client functionality.

Mark

Hi,

That's why I asked the question - if anyone actually puts its as an
additional IP on their interfaces to keep it simple (and in-line with IPv4
policies, address allocation schemes, etc) or not. I can see the argument
both ways - if we decide to use it we'll have to either overlay it with
public IPv6 space (and provide the NAT/proxy for where we don't have any
public IPv6 assigned) or simply not use the fc00::/7 and skip the
NAT/proxy aspects of it.
So one way it's aligned with what we do already (at the cost of the
overhead) the other it's not aligned (but with potentially less overhead).

kind regards
Pshem

With NAT I have a single entry/exit point to those infrastructure subnets
which can be easily policed.
If I give them public IPs then they're routable and potentially can reach
the internet via devices that don't police the traffic.

My real question is does anyone bother with the fc00::/7 addressing or do

Yes.

That space is used for non-internet scenarios.

NAT is bad

CB

There is no necessary link between ULA addresses and NAT. You don't
have to NAT ULA, *ever*. If you need public addresses, go get them.
There are enough.

IMHO one should use ULA in only three situations:

- a completely isolated network
- for internal communications e.g. fabric management)
- for testing

Regards, K.

I agree with Karl.

We use the ULA space for our internal test labs. The /48's we have in use get routed around internally but have no chance of leaking to the internet.

Spencer Ryan | Senior Systems Administrator | sryan@arbor.net<mailto:sryan@arbor.net>
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com<http://www.arbornetworks.com/>

https://www.youtube.com/watch?v=v26BAlfWBm8

With NAT I have a single entry/exit point to those infrastructure subnets
which can be easily policed.

I have used NAT in IPv4 scenarios as an alternative for lack of routing
control in the return direction.

However, this does not mean that this is the correct, best or orthodox
way, even for IPv4, much less in IPv6.

So, even though you can hack your way using NAT, this is really a
routing problem, not an addressing problem. And you will just create
problems for your users, your developers, yourself and third parties.

If I give them public IPs then they're routable and potentially can reach
the internet via devices that don't police the traffic.

First: this can happen with NAT too. If other devices have access to the
Internet, they can just NAT themselves even if the third-party exit has
a private address.

Second: private addresses can reach the Internet too. Many devices and
ISPs don't block RFC5375-sourced packets from the Internet. So they can
go out, although they can't come back. This is enough to create
unsourceable attacks.

In both cases NAT isn't really solving any of your problems fully. It's
just a misconception.

My real question is does anyone bother with the fc00::/7 addressing or do
you use your public space (and police that)?

I use public address space and I have made sure I have a single point of
exit and return for my traffic.

If I understood your concerns correctly, then I'd add that if the user
forces traffic through third-party exit points, service is not
guaranteed, as the third party may BCP38-filter it. If you want to
absolutely prevent that, NAT will not help. You'll need other techniques.

Best regards and good luck!