Re: simple security
Using a ULA *instead* of a GUA makes sense for all the systems that you only want to access or to have access within the domain. In my house, I think that is two of them, both printers, and one of those is USB-attached rather than being IP-attached. The Blu-ray player needs to be able to download from Netflix, the set-top box needs to talk with Cox for content and control, and then there are those pesky computer things.
On Mar 30, 2010, at 1:38 AM, Mohacsi Janos wrote:
>
>
>
> On Mon, 29 Mar 2010, Fred Baker wrote:
>
>> The default table, as you point out, doesn't specifically reference FC00::/7; it prefers localhost to any IPv6 address, any IPv6 address to a 6to4 address, and 6to4 to any IPv4/IPv6 translation mechanism using a well known prefix. As such, the next rule will apply. The next rule, as I understand it, will be to order the available addresses by the length of their matching prefixes from longest to shortest.
>>
>> I would expect, given that scenario, that if we are within the same edge network (the most common use of ULAs), we will have at least one and perhaps several prefixes that are longer than /48, and the exact choice will be specific to the address pair being compared but may choose the ULA. If we are not in the same network but share PA prefixes from an ISP, we are likely to use that ISP's prefix. If we do not share prefixes allocated by an ISP, your guess is as good as mine.
>>
>> I would actually not suggest adding FC00::/7 to the default table; if some system on the other side of the world is advertising a ULA in DNS and you have one, you'll try ULA-to-ULA in preference and you won't be happy with the result. However, you might add your own ULA within your domain in preference to ::/0.
>
> Agreed. I just wanted to mention, in one of my previous e-mails regarding CPE simple security - CPE without firewall: usage of ULA behind the CPE instead of GUA is not very trivial. It needs some tweaking to prefer one's own ULA, or RFC 3484 policy distribution.
>
> Best Regards,
> Janos Mohacsi
>
>
>>
>> On Mar 29, 2010, at 9:37 AM, Mohacsi Janos wrote:
>>
>>>
>>>
>>>
>>> On Mon, 29 Mar 2010, Hemant Singh (shemant) wrote:
>>>
>>>>
>>>> -----Original Message-----
>>>> From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On
>>>> Behalf Of Mohacsi Janos
>>>> Sent: Monday, March 29, 2010 12:19 AM
>>>> To: Konrad Rosenbaum
>>>> Cc: v6ops@ops.ietf.org
>>>> Subject: Re: simple security
>>>>
>>>>> The current RFC 3484 does not cope properly with ULA addresses,
>>>>
>>>> What do you mean by not cope? ULA and the GUA have global scope and the
>>>> longest prefix match works fine for packet forwarding if both a ULA and
>>>> a GUA are configured on a network interface. I don't see any gotcha
>>>> with RFC 3484 with use of ULA or with use of ULA and a GUA on a network
>>>> interface.
>>>
>>> Yes. You are right, but in the context that I wrote, I don't see that it is enough. If you have two nodes with both GUA and ULA, but in different subnets inside a site:
>>>
>>>
>>> [node1]----------[router]---------[node2]
>>>
>>>
>>> Both GUA and ULA addresses are configured in the DNS...
>>>
>>> What to configure on node1 and node2 to prefer ULA communication between node1 and node2?
>>>
>>> And conversely, if I want to prefer GUA usage between nodes?
>>>
>>> Can I do it with the current default RFC 3484?
>>>
>>> In the default policy table:
>>>   Prefix          Precedence  Label
>>>   ::1/128         50          0
>>>   ::/0            40          1
>>>   2002::/16       30          2
>>>   ::/96           20          3
>>>   ::ffff:0:0/96   10          4
>>>
>>> Best Regards,
>>> Janos Mohacsi
>>>
>>
>> http://www.ipinc.net/IPv4.GIF
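The node1/node2 question in the thread (both GUA and ULA in DNS, different subnets inside one site), worked as an added example that is not part of this message or of RFC 3484's text: a reduced RFC 3484 source and destination selection over the default policy table, showing that the default table ties the two paths, and that a site entry for its own ULA /48 (Fred's suggestion above) decides it either way. The addresses, the 2001:db8:1::/48 GUA prefix and the fd12:3456:789a::/48 ULA prefix are constructed placeholders.

```python
import ipaddress

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
                  ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4)]

def policy_lookup(table, addr):
    """(precedence, label) of the longest table prefix covering addr."""
    best = None
    for prefix, precedence, label in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    return best[1], best[2]

def common_prefix_len(a, b):
    """Leading bits shared by two addresses (source rule 8 / destination rule 9)."""
    return 128 - (int(a) ^ int(b)).bit_length()

def select_source(table, sources, dst):
    """Source selection reduced to rule 6 (matching label) and rule 8 (longest
    matching prefix); scope/deprecation rules are moot for these candidates."""
    dst_label = policy_lookup(table, dst)[1]
    return max(sources, key=lambda s: (policy_lookup(table, s)[1] == dst_label,
                                       common_prefix_len(s, dst)))

def order_destinations(table, sources, dests):
    """Destination ordering reduced to rules 5, 6 and 9; a full tie leaves
    the input (DNS answer) order unchanged, which is rule 10."""
    def key(d):
        src = select_source(table, sources, d)
        precedence, label = policy_lookup(table, d)
        return (policy_lookup(table, src)[1] == label, precedence,
                common_prefix_len(src, d))
    return sorted(dests, key=key, reverse=True)

# Constructed site: GUA 2001:db8:1::/48 (documentation prefix) and ULA
# fd12:3456:789a::/48 (placeholder); node1 is in subnet 1, node2 in subnet 2.
NODE1 = [ipaddress.IPv6Address("2001:db8:1:1::1"),
         ipaddress.IPv6Address("fd12:3456:789a:1::1")]
NODE2_GUA = ipaddress.IPv6Address("2001:db8:1:2::1")
NODE2_ULA = ipaddress.IPv6Address("fd12:3456:789a:2::1")

def site_policy(ula_precedence):
    """Default table plus the site's own ULA /48 under its own label, so a ULA
    source pairs with a ULA destination; precedence above 40 (the ::/0 entry)
    prefers the ULA path, below 40 prefers the GUA path."""
    return DEFAULT_POLICY + [("fd12:3456:789a::/48", ula_precedence, 5)]
```

With the default table both candidate pairs score (label match, 40, 62 matching bits), so whichever address DNS returned first is used; only the added entry makes the choice deterministic.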