On 03/24/2014 06:05 PM, Owen DeLong wrote:
> So ULA the printers (if you must).
> That doesn’t create a need for ULA on anything that talks to the internet, nor
> does it create a requirement to do NPT or NAT66.

From a security perspective, I wouldn't trust my printer to not number itself with a GUA. Unlike v4 with DHCP, any kind of glitch causing leakage of RAs bearing global prefixes (I'm sure there is a Greek Tragedy written about this) will cause it to number the interface with that prefix. You can argue that's misconfiguration and I wouldn't disagree, but it's just way too easy for the (printer) host to do, and it wouldn't be very apparent to anything but the host (printer).

I'm not entirely sure what the whole answer is to this. We're still talking about raw IP addresses here, so somebody would have to know the GUA the printer numbered itself to. Naming autodiscovery doesn't currently traverse subnets, though homenet and others are trying to relax that. Some sort of logic like "if I can't add my address to DNS then don't listen to incoming requests on my GUA" might be helpful, but as I said... people interested in this really should pay attention to the homenet working group which is charged, for better or worse, to sort a lot of this out.
Mike
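The failure mode Mike describes (a leaked RA whose Prefix Information Option carries a global prefix with the A flag set, which a SLAAC host will use to number itself) can be checked for on the wire. The following is an added example, not code from the thread or from any of its participants: it parses an ICMPv6 Router Advertisement body per RFC 4861, classifies each advertised prefix as ULA, link-local or GUA, and reports the prefixes that would make a host configure a global address. The RA bytes are constructed inline for the example, and the `expected` allow-list parameter and all function names are this example's own.

```python
"""Flag Router Advertisements that would make a SLAAC host number itself
with a global (GUA) address.  All RA bytes here are constructed for the
example; nothing is captured from a real network."""

import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # NDP option: Prefix Information
ULA = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GUA = ipaddress.IPv6Network("2000::/3")


def build_ra(prefixes, router_lifetime=1800):
    """Build an ICMPv6 RA body (RFC 4861 s4.2) carrying one Prefix Information
    Option (s4.6.2) per (prefix, on_link, autonomous) tuple.  The checksum is
    left as zero; a real stack fills it in over the IPv6 pseudo-header."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    opts = b""
    for net, on_link, autonomous in prefixes:
        net = ipaddress.IPv6Network(net)
        flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
        # type, len (8-byte units), prefix length, L/A flags, valid lifetime,
        # preferred lifetime, reserved, then the 16-byte prefix itself
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                            2592000, 604800, 0) + net.network_address.packed
    return hdr + opts


def parse_ra(payload):
    """Parse an RA body; return (router_lifetime, list of PIO dicts).
    Malformed options (zero length, truncated) raise, since a receiver must
    discard such a packet rather than guess at it."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not an ICMPv6 Router Advertisement")
    router_lifetime = struct.unpack_from("!H", payload, 6)[0]
    pios = []
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length NDP option")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated NDP option")
        opt = payload[off:end]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            prefix_len, flags = opt[2], opt[3]
            valid, preferred = struct.unpack_from("!II", opt, 4)
            pios.append({
                "prefix": ipaddress.IPv6Network((opt[16:32], prefix_len), strict=False),
                "on_link": bool(flags & 0x80),
                "autonomous": bool(flags & 0x40),
                "valid": valid,
                "preferred": preferred,
            })
        off = end   # unknown option types are skipped, as RFC 4861 requires
    return router_lifetime, pios


def classify(prefix):
    """Scope of a prefix (str or IPv6Network): 'ULA', 'link-local', 'GUA' or 'other'."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.subnet_of(ULA):
        return "ULA"
    if net.subnet_of(LINK_LOCAL):
        return "link-local"
    if net.subnet_of(GUA):
        return "GUA"
    return "other"


def slaac_global_prefixes(payload, expected=()):
    """Prefixes in this RA that a SLAAC host would use to configure a global
    address: scope GUA, A flag set, nonzero preferred lifetime, and not inside
    any prefix the operator expects on this segment ('expected' is this
    example's own allow-list).  A PIO with A=0 only installs an on-link route
    and never creates an address."""
    allowed = [ipaddress.IPv6Network(e) for e in expected]
    _, pios = parse_ra(payload)
    return [str(p["prefix"]) for p in pios
            if p["autonomous"] and p["preferred"] > 0
            and classify(p["prefix"]) == "GUA"
            and not any(p["prefix"].subnet_of(a) for a in allowed)]


# Constructed samples for a segment that is meant to carry only a ULA prefix.
RA_ULA_ONLY = build_ra([("fd12:3456:789a:1::/64", True, True)])
# The "leak": the same segment now also sees a global prefix with A=1.
RA_LEAKED_GUA = build_ra([("fd12:3456:789a:1::/64", True, True),
                          ("2001:db8:1:1::/64", True, True)])
# Global prefix advertised on-link only (A=0): no address gets configured.
RA_GUA_ONLINK_ONLY = build_ra([("2001:db8:1:1::/64", True, False)])

if __name__ == "__main__":
    for name, ra in [("ula-only", RA_ULA_ONLY), ("leaked-gua", RA_LEAKED_GUA),
                     ("gua-onlink-only", RA_GUA_ONLINK_ONLY)]:
        hits = slaac_global_prefixes(ra)
        print(name, "would self-number with " + ", ".join(hits) if hits else "no unexpected GUA")
```

Feeding this the RA bodies seen on a ULA-only printer segment (for instance from a packet capture of ICMPv6 type 134) gives the early warning Mike says the host itself will not: the A-flagged 2001:db8:1:1::/64 in the "leaked" sample is reported, while the same prefix with A=0 is not, because that only adds an on-link route.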