nanog mailing list archives

Re: using ULA for 'hidden' v6 devices?


From: Ray Soucy <rps () maine edu>
Date: Thu, 26 Jan 2012 11:14:39 -0500

Inline

On Thu, Jan 26, 2012 at 9:05 AM, Tim Chown <tjc () ecs soton ac uk> wrote:
Thanks for the comments Ray, a couple of comments in-line.

On 26 Jan 2012, at 12:43, Ray Soucy wrote:

Local traffic shouldn't need to touch the CPE regardless of ULA or
GUA.  Also note that we already have the link local scope for traffic
between hosts on the same link (which is all hosts in a typical home
network); ULA only becomes useful if routing is involved which is not
the typical deployment for the home.

The assumption in homenet is that it will become so.

Does this mean we're also looking at residential allocations larger
than a /64 as the norm?

ULA is useful, on the other hand, if NPT is used.  NPT is not NAT, and
doesn't have any of the nastiness of NAT.

Well, you still have address rewriting, but prefix-based.

I think that the port rewriting, and as a consequence not being able
to map to specific hosts easily, was the bigger problem with NAT.

As for the comments made by others regarding "helpers" for NAT, there
really aren't many that are needed aside from older pre-NAT protocols
like H.323 which decided it would be a good idea to use the IP in the
packet payload for authentication.  Thankfully, over a decade of NAT
has helped end this practice.

I think a lot of the question has to do with what the role of CPE will
be going forward.  As long as we're talking dual-stack, having
operational consistency between IPv4 and IPv6 makes sense.  If it's an
IPv6-only environment, then things become a lot more flexible (do we
even need CPE to include a firewall, or do we say host-based firewalls
are sufficient, for example).

The initial assumption in homenet is a stateful firewall with hosts inside the homenet using PCP or something similar.

Tim

So a CPE device with a stateful firewall that accepts a prefix via
DHCPv6-PD and makes use of SLAAC for internal network(s) is the
foundation, correct?

Then use a random ULA allocation that exists to route internally
(sounds a lot like a site-local scope, which I never understood the
reason we abandoned).

I'm just not seeing the value in adding ULA as a requirement unless
bundled with NPT for a multi-homed environment, especially if a
stateful firewall is already included.  If anything, it might slow
down adoption due to increased complexity.

-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
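The prefix-based rewriting contrasted with NAT in the exchange above, as an added example that is not from the thread or from either author: a toy NPTv6 (RFC 6296) translator for the equal-length /48 case, mapping a ULA to a GUA. The ULA, the 2001:db8 documentation prefix and the host address are constructed samples; the point to observe is that only the /48 and one 16-bit word change, so the interface ID and transport ports survive and each inside host is still identifiable outside, and the transport checksum is left neutral.

```python
# Added example, not from the thread: NPTv6-style (RFC 6296) /48 <-> /48
# prefix translation between a ULA and a GUA. Only the prefix and one 16-bit
# word change; the interface ID and transport ports are untouched.
import ipaddress
from functools import reduce

def oc_add(a, b):
    """16-bit one's complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def oc_sum(words):
    return reduce(oc_add, words, 0)

def to_words(addr):
    b = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, 16, 2)]

def from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))

class Nptv6:
    def __init__(self, internal, external):
        self.inside = ipaddress.IPv6Network(internal)
        self.outside = ipaddress.IPv6Network(external)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this example handles the /48 case only")
        self.in_words = to_words(self.inside.network_address)[:3]
        self.out_words = to_words(self.outside.network_address)[:3]
        # adjustment = sum(inside prefix words) - sum(outside prefix words)
        # in one's complement; subtracting is adding the complement
        self.adjust = oc_add(oc_sum(self.in_words), ~oc_sum(self.out_words) & 0xFFFF)

    def _map(self, addr, prefix, delta):
        w = to_words(addr)
        w[:3] = prefix                     # swap the /48
        w[3] = oc_add(w[3], delta)         # fix up the subnet word
        if w[3] == 0xFFFF:                 # one's complement -0 is written as +0
            w[3] = 0
        return from_words(w)

    def outbound(self, addr):              # ULA inside -> GUA outside
        return self._map(addr, self.out_words, self.adjust)

    def inbound(self, addr):               # GUA outside -> ULA inside
        return self._map(addr, self.in_words, ~self.adjust & 0xFFFF)

def checksum_part(addr):  # address' share of a transport pseudo-header checksum
    s = oc_sum(to_words(addr))
    return 0 if s == 0xFFFF else s
```

Running `Nptv6("fd12:3456:789a::/48", "2001:db8:1::/48").outbound("fd12:3456:789a:1:a00:27ff:fe12:3456")` yields `2001:db8:1:7c4a:a00:27ff:fe12:3456`; `inbound` maps it straight back, and `checksum_part` is identical for both addresses.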

