nanog mailing list archives
Re: IPv6 allocation plan, security, and 6-to-4 conversion
From: Owen DeLong <owen () delong com>
Date: Fri, 30 Jan 2015 17:32:27 -0800
On Jan 30, 2015, at 07:12 , Karsten Elfenbein <karsten.elfenbein () gmail com> wrote:

> Hi,
>
> 2015-01-30 0:28 GMT+01:00 Eric Louie <elouie () techintegrity com>:
>> I'm putting together my first IPv6 allocation plan. The general layout:
>> /48 for customers universally and uniformly
>> /38 for larger regions on an even (/37) boundary
>> /39 for smaller regions on an even (/38) boundary
>> A few /48's for "internal use" to allow us to monitor and maintain systems.
>
> Depending on how many regions you have, I would just go for /40 as it is the byte boundary, or request a bigger block and use the /32.
Given that ARIN policy allows you two levels of nibble-round-up, I’d suggest putting your regions all at /36, actually, assuming you have enough customers in your largest region to justify more than 75% of a /40 (which I assume to be the case given the limited information provided). Don’t make your network fit inside a /32 if it doesn’t fit conveniently. Get a /28 instead.
>> For security's sake, do I need (am I better off) to "reserve" a "management block" (/39, /40, /41 or something of that nature) that does NOT get advertised into BGP to my upstreams, and use that for my device management and monitoring address space? In other words, make a small "private" address space for management? What are folks doing around that?
>
> Do not spam the BGP table for that. Use firewalls or ACLs to prevent unwanted access.
Exactly!
> You could use Unique Local addresses (ULA) for this if you have some VPN infrastructure in your network.
But only if you are truly a masochist. It’s so much easier to do this with GUA and filters.
> Not announcing these blocks does not prevent people on your network from accessing these areas.
Among other various issues with using announcement control in lieu of actual security policy.
>> If I have to do 6-to-4 conversion, is there any way to do that with multiple diverse ISP connections, or am I "restricted" to using one entry/exit point? (If that's true, do I need to allocate a separate block of addresses that would be designated "6 to 4" so they'd always be routed out that one entry/exit point?)
>
> I would not use 6to4 as it tunnels the IPv6 traffic over IPv4, which is a pain to control.
6to4 is in the process of being moved to historic status in the IETF for good reason. If you’re deploying real IPv6, there’s no need to add any 6to4 headaches into your environment. At its best, 6to4 was for people who couldn’t get real IPv6 transport. Today, it’s mostly an anachronism.

Owen
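An added worked example of the allocation arithmetic discussed in this thread (not code from any of the posters): one /48 per customer, regions rounded to nibble boundaries, all regions at /36, and a parent block sized so the regions fit without squeezing. It assumes the documentation prefix 2001:db8::/32 as a sample parent; region names and customer counts are constructed.

```python
# Added example, not from the thread: the allocation arithmetic discussed above
# (one /48 per customer, regions on nibble boundaries, a parent block that holds
# them comfortably). 2001:db8::/32 is the documentation prefix, used here as a
# constructed sample parent; region names and customer counts are made up.
import ipaddress

CUSTOMER_PREFIX = 48          # every customer gets a /48, as in the original plan
REGION_PREFIX = 36            # Owen's suggestion: all regions at /36
UTILISATION_THRESHOLD = 0.75  # "more than 75% of a /40" justifies the next nibble up

def nibble_round_up(prefixlen: int) -> int:
    """Round a prefix length to the next nibble boundary toward a bigger block: /38 -> /36, /39 -> /36, /40 stays /40."""
    return prefixlen - (prefixlen % 4)

def region_prefix_for(customers: int) -> int:
    """Shortest nibble-aligned region block holding `customers` /48s at no more than the threshold."""
    plen = CUSTOMER_PREFIX
    while plen > 0:
        capacity = 2 ** (CUSTOMER_PREFIX - plen)           # number of /48s in a /plen
        if customers <= capacity * UTILISATION_THRESHOLD:
            return plen
        plen -= 4                                           # /48 -> /44 -> /40 -> /36 ...
    raise ValueError("no nibble-aligned block is large enough")

def parent_prefix_for(region_count: int, region_prefix: int = REGION_PREFIX) -> int:
    """Shortest nibble-aligned parent for `region_count` regions: 16 x /36 fit a /32, 17 need a /28."""
    plen = region_prefix
    while 2 ** (region_prefix - plen) < region_count:
        plen -= 4
    return plen

def carve(parent: str, regions: dict[str, int]) -> dict[str, ipaddress.IPv6Network]:
    """Hand each region the next /36 out of `parent`; fail loudly rather than squeeze the plan into a too-small block."""
    net = ipaddress.ip_network(parent)
    available = net.subnets(new_prefix=REGION_PREFIX)
    plan = {}
    for name in regions:
        block = next(available, None)
        if block is None:
            raise ValueError(f"{parent} holds only {2 ** (REGION_PREFIX - net.prefixlen)} /{REGION_PREFIX}s; get a bigger block")
        plan[name] = block
    return plan

def customer_block(region: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """The index-th customer /48 inside a region block, computed without enumerating all of them."""
    if index >= 2 ** (CUSTOMER_PREFIX - region.prefixlen):
        raise IndexError("region is full")
    base = int(region.network_address) + (index << (128 - CUSTOMER_PREFIX))
    return ipaddress.IPv6Network((base, CUSTOMER_PREFIX))
```

A management block for "internal use" is carved the same way as any other region here; per the thread, it stays globally unique address space and is protected by ACLs and firewalls, not by withholding its route from BGP.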