Re: [v6ops] ULA draft revision #2 Regarding isolated networks

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 28 May 2014 02:48 UTC

Message-ID: <53854E87.9020500@gmail.com>
Date: Wed, 28 May 2014 14:48:39 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: Sander Steffann <sander@steffann.nl>
References: <8AE0F17B87264D4CAC7DE0AA6C406F453D8B6B9A@nkgeml506-mbx.china.huawei.com> <m261ks7xww.wl%randy@psg.com> <53840070.90801@gmail.com> <m2y4xn7wep.wl%randy@psg.com> <53840723.8010606@gmail.com> <CAKD1Yr1O_poMR200sjU=ttRvGaeQRkC1ZfXC0Ok4uQxdq3K=NQ@mail.gmail.com> <m2mwe37tbn.wl%randy@psg.com> <CAKD1Yr2t3-vxuG=iDi4biBNFpJwuzuHgfpB74i_uydWWRV7qZg@mail.gmail.com> <8AE0F17B87264D4CAC7DE0AA6C406F453D8B6E02@nkgeml506-mbx.china.huawei.com> <m2fvjv7q4h.wl%randy@psg.com> <m1WpDcc-0000BMC@stereo.hq.phicoh.net> <43BB867C-7BCA-45F6-8ADC-A49B34D6C0DC@nominum.com> <m1WpHrp-0000BQC@stereo.hq.phicoh.net> <9DB71B37-999E-4F7F-A7DA-6B243574E818@nominum.com> <9255C827-9F28-4E4E-9A2E-A678ADFACDAF@steffann.nl>
In-Reply-To: <9255C827-9F28-4E4E-9A2E-A678ADFACDAF@steffann.nl>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/Fuf0nMm0tPcnZj6ZCAUb4TMN0nw
Cc: Philip Homburg <pch-v6ops-3a@u-1.phicoh.com>, v6ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] ULA draft revision #2 Regarding isolated networks

On 28/05/2014 02:26, Sander Steffann wrote:
> Hi Ted,
> 
> On 27 May 2014, at 16:08, Ted Lemon <Ted.Lemon@nominum.com> wrote:
> 
>> On May 27, 2014, at 9:56 AM, Philip Homburg <pch-v6ops-3a@u-1.phicoh.com> wrote:
>>> If you are a large enterprise, just spend the 50 euro or so (RIPE service region) it
>>> costs to get your own prefix.
>> Yes, but do we tell them to do that? Do we tell them how to make it work? Do we tell them how to make source address selection do the right thing? ULAs have a nice feature that GUAs don't: your stack won't choose a ULA as a source when the destination is a GUA. If they get a GUA from RIPE, they lose that feature.
> 
> I know one big enterprise that uses ULA for certain networks for exactly that reason. They have networks that are by security policy not allowed to have any direct layer-3 connection to the outside world. All such communication must go through layer-7 gateways/proxies. Using ULA for such high-security zones makes the source address selection simpler for the devices on its border, like the proxy servers. All other networks use the RIPE-assigned /48.

Exactly. This was always one of the expected use cases for ULAs. Some
people think it's a bad idea, but some corporate security policies will
prefer this, and it isn't for the IETF ivory tower to tell them not to.

The nature of ULAs makes it easier to talk them out of NAT, though,
which is absolutely not the case for RFC 1918 addresses. (If we say
anything about NATs in this draft, it should be to say that since
ULAs are guaranteed* not to clash, and can co-exist with routeable
GUAs, NAT is always unnecessary.)

*i.e., guaranteed to very high probability if correctly generated.

    Brian
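The two ULA properties this message rests on, modelled in Python as an added example (not code from the v6ops list, the ULA draft or any RFC): the RFC 6724 default policy table and a subset of its source address selection rules, showing why a host with both a GUA and a ULA will not pick the ULA as source for a GUA destination (rule 6, "prefer matching label"), and the RFC 4193 section 3.2.2 Global ID generation behind "guaranteed* not to clash", with the RFC's birthday estimate for collisions. The host addresses, EUI-64 and timestamp are constructed sample values; rules that need host state (deprecated/temporary flags, outgoing interface, next hop) are deliberately omitted.

```python
"""RFC 6724 source selection (rules 1, 2, 6, 8) and RFC 4193 ULA generation.

Added illustration; not the ULA draft's or any IETF document's code.
"""
import hashlib
import ipaddress
import math
import time

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [(ipaddress.ip_network(p), prec, label) for p, prec, label in (
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),   # ULA: global scope, but its own label
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
)]

# Constructed sample: a host holding a GUA, a ULA and a link-local address.
HOST_ADDRESSES = ["2001:db8:1::10", "fd12:3456:789a::10", "fe80::1"]


def _addr(x):
    return x if isinstance(x, ipaddress.IPv6Address) else ipaddress.IPv6Address(x)


def policy(addr):
    """Longest-prefix match into the policy table; returns (precedence, label)."""
    best = max((e for e in POLICY_TABLE if addr in e[0]), key=lambda e: e[0].prefixlen)
    return best[1], best[2]


def scope(addr):
    """Address scope per RFC 6724 section 3.1 (loopback treated as link-local)."""
    if addr.is_multicast:
        return int(addr.exploded[3], 16)
    if addr.is_loopback or addr.is_link_local:
        return 0x2
    if addr in ipaddress.ip_network("fec0::/10"):
        return 0x5
    return 0xE  # global scope; RFC 4193 section 3 gives ULAs global scope


def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(destination, candidates):
    """Return the candidate (as a string) RFC 6724 rules 1, 2, 6 and 8 prefer."""
    dst = _addr(destination)
    dst_scope, dst_label = scope(dst), policy(dst)[1]

    def rank(src):
        s = scope(src)
        # Rule 2: prefer a source whose scope is at least the destination's;
        # among those prefer the smallest scope, otherwise prefer the largest.
        rule2 = (1, -s) if s >= dst_scope else (0, s)
        return (
            src == dst,                      # rule 1: prefer same address
            rule2,                           # rule 2: prefer appropriate scope
            policy(src)[1] == dst_label,     # rule 6: prefer matching label
            common_prefix_len(src, dst),     # rule 8: longest matching prefix
        )

    return str(max((_addr(c) for c in candidates), key=rank))


NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def generate_ula_prefix(eui64, ntp_time=None):
    """RFC 4193 section 3.2.2: fd00::/8 plus a 40-bit Global ID gives a /48."""
    if ntp_time is None:
        ntp_time = int((time.time() + NTP_EPOCH_OFFSET) * 2**32)  # 64-bit NTP format
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    global_id = digest[-5:]  # least significant 40 bits of the hash
    prefix = int.from_bytes(b"\xfd" + global_id + bytes(10), "big")
    return ipaddress.IPv6Network((prefix, 48))


def collision_probability(n_prefixes):
    """RFC 4193 section 3.2.3 estimate: P = 1 - exp(-N^2 / 2^41) for N Global IDs."""
    return -math.expm1(-(n_prefixes ** 2) / 2**41)


if __name__ == "__main__":
    for dst in ("2001:db8:2::1", "fd12:3456:789a:1::1", "fe80::abcd"):
        print(f"{dst:22} -> source {select_source(dst, HOST_ADDRESSES)}")
    eui64 = bytes.fromhex("021122fffe334455")  # constructed interface identifier
    print("ULA /48:", generate_ula_prefix(eui64))
    print(f"collision odds for 10,000 sites: {collision_probability(10_000):.2e}")
```

Run as a script it prints the chosen source for a GUA, a ULA and a link-local destination, a freshly generated ULA /48, and the collision estimate. The GUA destination gets the GUA source and the ULA destination the ULA source purely through rule 6, since both candidates have global scope and tie on rule 2; that label split is exactly the behaviour Ted and Sander rely on, and it is lost if the isolated network is numbered from a second GUA /48 instead.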