Re: best practices for management nets in IPv6

[James Harr <james.harr () gmail com>]

I couldn't agree more. If you set up private address space, it's going
to come back and make more work for you later. Set up public IPv6
addresses. If you need stateful connection filtering, put in a
stateful firewall.

If you really really need address obfuscation, you can still do NAT,
but NAT from public addresses to public a public address or pool of
public addresses. If you ever need to turn off NAT, it's a lot easier
than renumbering hundreds of machines and you always have the option
of disabling it per-host instead of doing an all-or-nothing
transition.

On Tue, Jul 12, 2011 at 7:32 PM, Joel Maslak <jmaslak () antelope net> wrote:
> Public IPs.
>
> At some point you will have to manage something outside your current world or your organization will need to 
> merge/partner/outsource/contract/etc with someone else's network and they might not be keen to route to your ULA 
> space (and might not be more trustworthy than the internet at large anyhow).  Think about things like VPN endpoints, 
> video devices, telephones, etc, that may end up on a public network, maybe behind a device you manage.  You may just 
> manage routers today, but who knows about tomorrow.  Put behind a firewall and use good ingress filtering throughout 
> your network, separating trust zones with distinct subnets.
>
> If you are worried about forgetting to enable a firewall, put in a network management system to verify connectivity 
> stays blocked combined with a monitored IDS.



-- 
^[:wq^M