On 2011-Jun-06 16:18, Guillaume Leclanche wrote:
> 2011/6/6 Jeroen Massar <[email protected]>:
>> ULA would still require NAT66 if you want those hosts to be able to
>> communicate to the outside, unless of course you want to firewall your
>> internal machines based on the global prefix and update those firewall
>> rules and all other dependencies all the time when your prefix
>> changes... (the prefix change is why I mention NAT66 as renumbering is
>> not funny, anywhere).
> 
> So, first of all we talk about sites that would have today a dynamic
> IPv4 address. That would be residential, mobile, and SOHO.
> 
> In the worst case, these sites can deal with LAN communication using
> ULA addresses, and then any public communication should be handled via
> public IPv6, which are at the moment all in 2000::/3, so clearly easy
> to identify and to put in a firewall. Readdressing the public
> addresses in the LAN is done easily with RAs, or DHCPv6-PD if the LAN
> is subdivided (and still in that case we've most likely left the normal
> SOHO, and we're in a bigger company that will have static v4 and most
> likely IPv6oE or in the home of a geek).

So did you try the above out? Because if you did you would find the
following minor problems:

- what updates the firewall rules that the internal host has its
  changed global IPv6 address? Swapping out the first 64 bits could
  work in theory, but might just break existing connections.

- how do you 'address' the internal services, everything goes by
  address or do you allow people to use hostnames? Who updates
  those hostnames, and does that hostname mean the internal one
  or the external address or both?

- when you have a printer configured, and you take your laptop to
  the lake, and you want to print, does it use the internal address
  or the external one?

And then the other bunch of issues which effectively come down to a
split-horizon view of a network. Folks are worried about IPv4+IPv6
fallback-connect issues as their browsers try both IPv6 and IPv4; be
very worried when a host is both ULA and global though, which one to
pick and when...

One of the biggest things with IPv6 which IPv4 does not allow for
everyone in the world (as it works too with IPv4 if you got a large
enough chunk of addresses) is that your address is globally unique, and
thus you can keep on sending packets to that single address without
issues. That concept breaks with ULA.

ULA is nice, it solves some problems, but it does not solve the problem
when a host is also connected to a public network and does get a
globally unique address through there. ULA does solve the problem when
the network is not connected to anything else and you don't want to
bother with getting a prefix for a private network.

> And finally, 6rd is a transition technology, and will be certainly
> removed in a few years to go to IPv6oE, once incompatible hardware
> will be phased out. Well, that's a wish, don't take it for granted :)

Right, because like we have not been doing IPv6 tunneling for about 18
years already... and so much went native.

Greets,
 Jeroen


_______________________________________________
swinog mailing list
[email protected]
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
