nanog mailing list archives
Re: best practices for management nets in IPv6
From: Jared Mauch <jared () puck nether net>
Date: Wed, 13 Jul 2011 13:18:04 -0400
On Jul 12, 2011, at 5:31 PM, Tom Ammon wrote:
> On your management nets (network device management nets), what's the best approach for addressing them? Do you use ULA? Or do you use global addresses and just depend on router ACLs to protect things? How close are we to having a central registry for unique local addresses, and will that really happen?
We allocate a /64 per subnet as that's what most of the management hosts expect. We also build the CoPP/ACLs in a comparable way for the IPv6 AFI as one does for the IPv4 AFI to protect the device from unauthorized access.

Having access to a trusted net will get you a response to your SYN; you still need the ability to auth past that point to various devices/systems. Getting on that trusted net and protecting it is clearly something important.

Certainly one can go crazy with trying to secure one's networks by wrapping it in 802.1x with various backing systems.

I do recommend making sure your security practices are sensible and not forgotten. Nothing like having a machine on the 'trusted' LAN becoming compromised. Never know what's going to happen :)

- Jared
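An added example, not part of the original post: one way to audit that a management-plane filter protects the same services on both address families, as the reply describes. The prefixes are documentation ranges, and the policy entries and function names are constructed for illustration.

```python
import ipaddress
from itertools import islice

# Constructed policy: (trusted source prefix, protocol, destination port).
# Anything not matched is dropped, i.e. the filter ends in an implicit deny.
POLICY = {
    4: [("192.0.2.0/24", "tcp", 22), ("192.0.2.0/24", "udp", 161)],
    # The SNMP rule is deliberately missing here to show a parity gap.
    6: [("2001:db8:0:100::/64", "tcp", 22)],
}

def mgmt_subnets(parent, count):
    """Carve the first `count` /64 management subnets out of a parent prefix."""
    net = ipaddress.ip_network(parent)
    return list(islice(net.subnets(new_prefix=64), count))

def parity_gaps(policy):
    """Report services filtered for one address family but not the other."""
    v4 = {(proto, port) for _, proto, port in policy[4]}
    v6 = {(proto, port) for _, proto, port in policy[6]}
    return {"missing_in_v6": sorted(v4 - v6), "missing_in_v4": sorted(v6 - v4)}

def permitted(policy, src, proto, port):
    """Default-deny check: True only if src is in a trusted prefix for this service.

    A permit only means the device will answer the SYN; authentication to the
    device is still required after that.
    """
    addr = ipaddress.ip_address(src)
    for prefix, rule_proto, rule_port in policy[addr.version]:
        if (rule_proto, rule_port) == (proto, port) and addr in ipaddress.ip_network(prefix):
            return True
    return False

if __name__ == "__main__":
    print(mgmt_subnets("2001:db8::/48", 2))
    print(parity_gaps(POLICY))
    print(permitted(POLICY, "2001:db8:0:100::10", "tcp", 22))
    print(permitted(POLICY, "2001:db8:0:200::10", "tcp", 22))
```
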