Re: [v6ops] I-D Action: draft-ietf-v6ops-ula-usage-recommendations-02.txt

[Ray Hunter <v6ops@globis.net>]

Lorenzo Colitti wrote:
> On Thu, Feb 20, 2014 at 10:52 AM, Brian E Carpenter 
> <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>
>     > 2. A piece of remarkably bad luck, rather less likely than
>     >> winning any lottery I'm aware of.
>
>
> Can you elaborate on exactly how bad this luck is as a function of how 
> many ULA prefixes you use your organization?
>
> For example - if two large organizations that each use 200 ULA /48s 
> (one per site) merge, what is the chance that one of them will collide?
>
> I don't feel it's satisfactory to say "the probability of a collision 
> is low" without saying how low it actually is. In fact, I think the 
> draft should not be published without giving a few examples of these 
> numbers. If *nobody* among the authors or on this list knows what the 
> numbers actually are, then we should not advocate using ULAs. It is 
> not good engineering practice to recommend something that you do not 
> understand.
>
>     > You assume that people will actually follow the rules instead of
>     saying
>     > "let's just do this like IPv4, and use NAT at the border".
>
>     If CERs do the right thing the ULA prefix will be generated
>     correctly. But you're right, there will be a generation of
>     old-time IPv4 operators who will do exactly that whatever we
>     put in RFCs.
>
>
> I'm not talking about home networks here, I'm talking about corporate 
> IT environments.
Having being involved in a number of mergers, de-mergers, and 
acquisitions, I suspect that a ULA clash will be the least of your worries.
[Although I have to admit I've never actually merged or de-merged 
multiple IPv6 ULA's]

IMHO I think the real worry would be any remaining hard coded addresses 
and ranges [in firewalls, load balancers, name servers, hot standby 
systems, WAN optimizers, Active Directory servers (which LANs does each 
DC serve), licence servers .... ]

Is there any serious effort underway to solve how exactly you specify 
network security zones and firewall rules for ULA based systems, and for 
systems running multiple IPv6 prefixes?

Does a ULA prefix need to map 1:1 to a network security zone?
Do you also have to map the ULA space onto your GUA space(s) to ensure 
the classification and filtering rules for different prefixes remain in 
synch?
When de-merging a single ULA into 2 enterprises, how do you draw a line 
in the sand to separate A from B?

Does the "corporate firewall" function have to become distributed so 
that the filtering really does sit at the network security zone borders 
(rather than relying on anti-spoof filters, and a single centralised 
pair of firewalls)

At this point, I'd much rather merge or de-merge two sets of GUA space, 
and have predictable behaviour during any transition.

-- 
Regards,
RayH