RE: ULA scope [draft-ietf-6man-rfc3484-revise-05.txt]

["Marc Lampo" <marc.lampo@eurid.eu>]

Allow me to clarify with an example.

In my IP(v4) experience, I have a customer with offices over multiple
Continents - private address space in use everywhere -
site-to-site VPN's (== connecting networks) connect the offices.

If I map to IPv6 this might be one /48 ULA range;
Some networks in central HQ, others remotely, behind site-to-site VPN.

--> if one end-node in one network wants to reach another,
     in another network, its traffic must travel through the VPN.


Please observe that using public addresses (not using ULA)
might do away with address selection "challenges"
but would imply that networks on all continents will have to be
renumbered if the central HQ changes ISP (and hence : public IPv6
addresses).
Something I'd like to avoid ...


Kind regards,

Marc Lampo


-----Original Message-----
From: Mark Andrews [mailto:marka@isc.org] 
Sent: 19 March 2012 03:14 PM
To: Marc Lampo
Cc: 'Dave Thaler'; 'Brian E Carpenter'; 'Hemant Singh (shemant)'; 'Arifumi
Matsumoto'; 'Brian Haberman'; ipv6@ietf.org; 'Bob Hinden'
Subject: Re: ULA scope [draft-ietf-6man-rfc3484-revise-05.txt]


In message <00f801cd05a2$abfce190$03f6a4b0$@lampo@eurid.eu>, "Marc Lampo"
write
s:
> Hello,
> 
> +1 for Brian's statement : ULA within same /48, prefer ULA.
> 
> For ULA not within same /48 :
> Please do not forget VPN !
> In the IPv4 world, numerous devices, with private address space, 
> Communicate through site-to-site VPN's.
> I'd assume this is equivalent to "ULA not in same /48".
> How could an end-device decide whether or not VPN is in place ?
> 
> Wouldn't it be preferable to let "name resolving" decide which address 
> to return to a client ?
> And if name resolving returns ULA, let end-device use ULA as well.
> (If there is no VPN in place, it would be a configuration error  in 
> the name resolving infrastructure) That way, network admins decide 
> centrally, trough name resolving, how some party is can be reached.
> 
> Any errors there would be name resolving which can, through DNS,  be 
> centrally solved.
> As opposed to some "smart" algorithm on end nodes that mistakingly  
> choses the wrong address (and requiring some update on all of them 
> ...)
> 
> Kind regards,
> 
> Marc Lampo

Are connecting a node or a net over the VPN?

For a node this is a non-issue as the VPN's interface will be in one ULA
and home net in the other ULA.  The node is a site boundary.

If you are connecting a net then you can do PD request(s) and advertise
the returned prefixes.  If the upstream starts to run out of prefixes they
just generate a additional ULA prefix and number all the servers from it.
Different VPN use different ULA but all can reach the central servers.  By
the time a organisation reaches this level of complexity they are a small
ISP in their own right and should be able to get /32.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org