[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)
> On Mar 1, 2018, at 5:30 PM, Mark Andrews <marka at isc.org> wrote:
>> On 2 Mar 2018, at 11:48 am, Matt Erculiani <merculiani at gmail.com> wrote:
>> Not sure if this is the common thought, but if anyone has a network
>> which requires static IP assignments, they can probably justify a
>> request for a /48 from an RIR. After all, ARIN's requirement for an
>> end-user IPv6 block is, at minimum: "Justify why IPv6 addresses from
>> an ISP or other LIR are unsuitable". I would think that ISP
>> portability would satisfy this requirement, but If I'm wrong, I'm
>> absolutely open to being corrected on this. But most home users have
>> no need for static IPs, so the dynamic ISP assignment is perfectly
> ISP assigned addresses are perfectly fine for TALKING TO THE REST OF THE WORLD.
> ISP assigned addresses are not perfectly fine for internal communication.
ISP assigned addresses _CAN_ be used to talk to the rest of the world. PI addresses are also
perfectly fine for this where supported.
> With IPv6 you use ULA along side ISP assigned addresses.
With IPv6 you _CAN_ use ULA along PA.
or you can use PI.
or you can use PI along side PA.
IMHO, either of the latter two are better than the former.
> With IPv4 RFC 1918 address + NAT the home user has STATIC local addresses
> for devices that need them. Go look at your home routerâ??s web pages. You
> will be able to assign static addresses to your internal machines via DHCP.
My home router doesnâ??t have web pages since I turned off J-web.
It also doesnâ??t run DHCP as a server. (It does run a DHCP client to talk to Comcast).
I do, however, have some static DHCP entries in my dhcpd.conf file on my dhcp server.
> Are YOU going to tell everyone that sets values there that they no longer
> can do the same thing for IPv6. That they need to fully renumber all their
> devices just because the ISP gave them a different prefix this morning?
Nopeâ?¦ But thereâ??s _NO_ reason that canâ??t do that equally well with a PI block
(or a free /48 from HE that they just donâ??t bother to really connect to a tunnel)
instead of ULA.
Soâ?¦ I stand by my pointâ?¦ ULA offers noâ?¦ ZERO advantages over GUA.
All the defense of ULA makes strange assumptions about the nature of GUA.
I did not. Any form of GUA that suits the purpose is fine with me. If youâ??re
comfortable with PA, great. If you prefer PI, great. If you need something
free, get a /48 from HE, they hand them out on a simple web form. If youâ??re
using it locally, nothing says you _HAVE_ to actually turn on the tunnel.
OTOH, if you want, youâ??re certainly free to do so and it will solve certain address
selection oddities that happen with some systems when ULA is used and
greatly simplify your DNS life.
>> I think the tech will advance fast enough that keeping up with an IPv6
>> route table will be a non-issue. IPv6 adoption is, unfortunately, slow
>> enough that there will be no issues keeping up, even assuming a "slow"
>> hardware refresh cycle.
>> On Thu, Mar 1, 2018 at 5:48 PM, Mark Andrews <marka at isc.org> wrote:
>>>> On 2 Mar 2018, at 9:28 am, Owen DeLong <owen at delong.com> wrote:
>>>>> On Mar 1, 2018, at 1:20 PM, Harald Koch <chk at pobox.com> wrote:
>>>>> On 1 March 2018 at 15:18, Owen DeLong <owen at delong.com <mailto:owen at delong.com>> wrote:
>>>>> Second, RFC-1918 doesnâ??t apply to IPv6 at all, and (fortunately) hardly anyone
>>>>> uses ULA (the IPv6 analogue to RFC-1918).
>>>>> Wait. What's the objection to ULA? Is it just that NAT is bad, or is there something new?
>>>> No particular objection, but I donâ??t see the point.
>>>> What can you do with ULA that GUA isnâ??t suitable for?
>>> ULA provide stable internal addresses which survive changing ISP
>>> for the average home user. Now, I know you can do the same thing
>>> by going to a RIR and getting a prefix but the RIRâ??s arenâ??t setup
>>> to supply prefixes like that to 10 billion of us.
>>> They are also in a specific range which makes setting filtering
>>> rules easier for everyone else.
>>> Now I would love it if we could support 100 billion routes in the
>>> DFZ but we arenâ??t anywhere near being able to do that which would
>>> be a requirement for abandoning ULA. Until them they have there
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org