nanog mailing list archives

Re: Using IPv6 with prefixes shorter than a /64 on a LAN


From: Owen DeLong <owen () delong com>
Date: Mon, 31 Jan 2011 22:45:43 -0800


On Jan 31, 2011, at 10:26 PM, Michael Dillon wrote:

>> In my opinion, RFC 4193 is just a bad idea and there's no benefit to it vs.
>> GUA. Just put a good stateful firewall in front of your GUA.
>>
>> I mean, really, how many things do you have that don't need access
>> to/from the internet. Maybe your printers and a couple of appliances.
>>
>> The rest... All those TiVOs, Laptops, Desktops, iPads, etc. all need
>> public addresses anyway, so, why bother with the ULA?
>
> Because the ULA addressing is free, not that hard, and provides an
> extra layer of protection to prevent vandals from using up your printer
> ink or turning your fridge on defrost during the night.

Well, 2 out of 3 isn't bad, I suppose, but, do you really get even
that?

ULA addressing is free, except for the costs imposed by using it
instead of GUA in most circumstances. I'll give you 0.5 for this one.

ULA addressing is not that hard. Neither is GUA. In fact they both
pose exactly the same difficulty. So, though I have to grant that it
isn't that hard, you failed to show how this fact gives it any
advantage over GUA. Additionally, it does create additional
difficulties since you now need to maintain two address
spaces instead of just one. So, since it's harder than GUA,
but, still not that hard, I'll give you 0.5 for that one, too.

The last one is specious at best. The stateful firewall provides all the
protection there. The ULA doesn't really provide any because if the
FW is compromised, you just bounce the print requests off of one
of the hosts that has GUA+ULA. Sorry, 0 points here.

So, let's see... 0.5+0.5+0 = 1.0 -- Nope, not even 2 out of 3.

> And some networks will have a lot more stuff that could use an
> extra layer of protection like that, for instance SCADA networks.

If there were an extra layer of protection, sure, but, since there actually
isn't, no joy there. If you want to isolate your SCADA network so it
doesn't have anything on it that talks to the internet, then, ULA
could be just fine, but, in that case, GUA or Link Local may be
equally fine with all the same protections and less hassle if you
decide to change the policy later.

>> Supplying every end site with a /48 of global address space is neither
>> stupid nor wasteful. It's a good design with some nice future-proofing and
>> some very nice features available if people take better advantage of the
>> capabilities offered as we move forward.
>>
>> Just because it's more than you can imagine using today does not mean
>> that it is more than you will ever imagine using. I'm very happy that I have
>> a /48 at home and I look forward to making better use of it as the
>> Consumer Electronics vendors start to catch on that the internet is
>> being restored to full functionality for end users.
>
> Agreed. /48 is good for even the smallest home user living in a one bedroom
> apartment. They may not fully exploit it, but at the same time, they should not
> be treated as second class citizens when there is enough IPv6 address wealth
> to share around.

Well, I'd give /48s even to studios, small lofts, dorm rooms, and any internet-
connected janitorial closets in multi-tenant buildings. I see no reason to draw
the line at one-bedroom apartments.

Owen
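The message's core point is that ULA gives no isolation once any host on the segment carries both a ULA and a GUA address, since that host becomes the path to the "ULA-only" printers and appliances. The following is an added audit example, not part of the original thread: it takes a constructed address inventory and flags such dual-addressed hosts. The hostnames and addresses are made up for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed inventory: hostname -> configured IPv6 addresses (not real hosts).
INVENTORY: Dict[str, List[str]] = {
    "printer": ["fd12:3456:789a:1::10"],
    "fridge":  ["fd12:3456:789a:1::20"],
    "laptop":  ["fd12:3456:789a:1::30", "2001:db8:abcd:1::30"],
    "desktop": ["2001:db8:abcd:1::40"],
}

# Explicit prefixes rather than is_private/is_global, because Python treats
# the 2001:db8::/32 documentation range used here as non-global.
ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local addresses
GUA = ipaddress.ip_network("2000::/3")   # globally routable unicast


def classify(addr: str) -> str:
    """Return 'ula', 'gua' or 'other' (link-local, loopback, ...)."""
    a = ipaddress.IPv6Address(addr)
    if a in ULA:
        return "ula"
    if a in GUA:
        return "gua"
    return "other"


def bridging_hosts(inventory: Dict[str, List[str]]) -> List[str]:
    """Hosts holding both a ULA and a GUA address.

    Such a host sits on both 'sides' at once, so the ULA-only devices are
    reachable through it if it is ever compromised; the firewall in front
    of the GUA is what actually protects them.
    """
    found = []
    for host, addrs in inventory.items():
        kinds = {classify(a) for a in addrs}
        if {"ula", "gua"} <= kinds:
            found.append(host)
    return sorted(found)


if __name__ == "__main__":
    for host in bridging_hosts(INVENTORY):
        print(f"{host}: has both ULA and GUA, bridges the 'isolated' segment")
```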
