Re: [v6ops] ULA draft revision #2 Regarding isolated networks

Sander Steffann <sander@steffann.nl> Tue, 27 May 2014 14:26 UTC

From: Sander Steffann <sander@steffann.nl>
In-Reply-To: <9DB71B37-999E-4F7F-A7DA-6B243574E818@nominum.com>
Date: Tue, 27 May 2014 16:26:17 +0200
Message-Id: <9255C827-9F28-4E4E-9A2E-A678ADFACDAF@steffann.nl>
References: <8AE0F17B87264D4CAC7DE0AA6C406F453D8B6B9A@nkgeml506-mbx.china.huawei.com> <m261ks7xww.wl%randy@psg.com> <53840070.90801@gmail.com> <m2y4xn7wep.wl%randy@psg.com> <53840723.8010606@gmail.com> <CAKD1Yr1O_poMR200sjU=ttRvGaeQRkC1ZfXC0Ok4uQxdq3K=NQ@mail.gmail.com> <m2mwe37tbn.wl%randy@psg.com> <CAKD1Yr2t3-vxuG=iDi4biBNFpJwuzuHgfpB74i_uydWWRV7qZg@mail.gmail.com> <8AE0F17B87264D4CAC7DE0AA6C406F453D8B6E02@nkgeml506-mbx.china.huawei.com> <m2fvjv7q4h.wl%randy@psg.com> <m1WpDcc-0000BMC@stereo.hq.phicoh.net> <43BB867C-7BCA-45F6-8ADC-A49B34D6C0DC@nominum.com> <m1WpHrp-0000BQC@stereo.hq.phicoh.net> <9DB71B37-999E-4F7F-A7DA-6B243574E818@nominum.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/bl-O0UBN27KS4fqFSpp6UwOMCMo
Cc: Philip Homburg <pch-v6ops-3a@u-1.phicoh.com>, v6ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] ULA draft revision #2 Regarding isolated networks

Hi Ted,

On 27 May 2014, at 16:08, Ted Lemon <Ted.Lemon@nominum.com> wrote:

> On May 27, 2014, at 9:56 AM, Philip Homburg <pch-v6ops-3a@u-1.phicoh.com> wrote:
>> If you are a large enterprise, just spend the 50 euro or so (RIPE service region) it
>> costs to get your own prefix.
> 
> Yes, but do we tell them to do that? Do we tell them how to make it work? Do we tell them how to make source address selection do the right thing? ULAs have a nice feature that GUAs don't: your stack won't choose a ULA as a source when the destination is a GUA. If they get a GUA from RIPE, they lose that feature.

I know one big enterprise that uses ULA for certain networks for exactly that reason. They have networks that are by security policy not allowed to have any direct layer-3 connection to the outside world. All such communication must go through layer-7 gateways/proxies. Using ULA for such high-security zones makes source address selection simpler for the devices on their border, like the proxy servers. All other networks use the RIPE-assigned /48.

Cheers,
Sander
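The behaviour Ted and Sander are relying on comes from the RFC 6724 default policy table, where fc00::/7 carries label 13 while everything under ::/0 carries label 1, and from Rule 6 of the source selection algorithm (prefer matching label): a host with both a ULA and a GUA will not pick the ULA as source for a GUA destination. The script below is an added example, not code from this thread or from the enterprise Sander describes. It implements Rules 1, 2, 6 and 8 of RFC 6724 Section 5 over the default table (Rules 3, 4, 5, 5.5 and 7 need per-interface state and are left out) and runs them against a constructed dual-homed proxy: a link-local address, a ULA on the isolated zone, and a GUA standing in for the RIPE /48. All addresses are made up; 2001:db8::/32 is the documentation prefix, and fd12:3456:789a::/48 is a made-up ULA.

```python
"""Simplified RFC 6724 source address selection (added example, not from the thread)."""
from ipaddress import IPv6Address, IPv6Network

# RFC 6724 Section 2.1 default policy table: (prefix, precedence, label).
# Anything not matched more specifically falls under ::/0 with label 1;
# ULA space (fc00::/7) carries label 13, which is what Rule 6 keys on.
DEFAULT_POLICY_TABLE = [
    (IPv6Network("::1/128"), 50, 0),
    (IPv6Network("::/0"), 40, 1),
    (IPv6Network("::ffff:0:0/96"), 35, 4),
    (IPv6Network("2002::/16"), 30, 2),
    (IPv6Network("2001::/32"), 5, 5),
    (IPv6Network("fc00::/7"), 3, 13),
    (IPv6Network("::/96"), 1, 3),
    (IPv6Network("fec0::/10"), 1, 11),
    (IPv6Network("3ffe::/16"), 1, 12),
]


def _a(addr) -> IPv6Address:
    """Accept either a string or an IPv6Address."""
    return addr if isinstance(addr, IPv6Address) else IPv6Address(addr)


def policy(addr) -> tuple:
    """Longest-match lookup in the policy table; returns (precedence, label)."""
    addr = _a(addr)
    matches = [(n.prefixlen, p, l) for n, p, l in DEFAULT_POLICY_TABLE if addr in n]
    _, prec, lab = max(matches)  # ::/0 always matches, so this is never empty
    return prec, lab


def label(addr) -> int:
    return policy(addr)[1]


def scope(addr) -> int:
    """Address scope as RFC 6724 Section 3.1 uses it (larger value = wider scope)."""
    addr = _a(addr)
    if addr.is_multicast:
        return addr.packed[1] & 0x0F   # scop field of ff0X::
    if addr.is_loopback or addr.is_link_local:
        return 0x2                     # ::1 is treated as link-local scope
    if addr.is_site_local:
        return 0x5                     # deprecated fec0::/10
    return 0xE                         # global; ULA is global scope per RFC 4193


def common_prefix_len(a, b) -> int:
    """Number of leading bits the two addresses share."""
    return 128 - (int(_a(a)) ^ int(_a(b))).bit_length()


def compare(sa, sb, dst) -> int:
    """Return -1 if sa is the better source for dst, 1 if sb is, 0 on a tie."""
    sa, sb, dst = _a(sa), _a(sb), _a(dst)
    # Rule 1: prefer same address.
    if sa == dst:
        return -1
    if sb == dst:
        return 1
    # Rule 2: prefer appropriate scope (a source narrower than the destination loses).
    ssa, ssb, sd = scope(sa), scope(sb), scope(dst)
    if ssa < ssb:
        return 1 if ssa < sd else -1
    if ssb < ssa:
        return -1 if ssb < sd else 1
    # Rule 6: prefer matching label (ULA label 13 vs. GUA label 1).
    la, lb, ld = label(sa), label(sb), label(dst)
    if la == ld and lb != ld:
        return -1
    if lb == ld and la != ld:
        return 1
    # Rule 8: use longest matching prefix.
    ca, cb = common_prefix_len(sa, dst), common_prefix_len(sb, dst)
    if ca != cb:
        return -1 if ca > cb else 1
    return 0


def select_source(candidates, dst) -> IPv6Address:
    """Pick the best source for dst from the host's candidate addresses."""
    best = _a(candidates[0])
    for cand in candidates[1:]:
        if compare(cand, best, dst) < 0:
            best = _a(cand)
    return best


# Constructed border proxy: link-local, a ULA on the isolated zone, and a GUA
# from the (hypothetical) RIPE /48 represented by the documentation prefix.
PROXY_ADDRS = ["fe80::1", "fd12:3456:789a:1::10", "2001:db8:1::10"]


def demo() -> dict:
    """Selection for a GUA destination, a ULA destination, and the all-GUA case."""
    gua_only = ["2001:db8:1::10", "2001:db8:ffff::10"]
    return {
        "to_gua": select_source(PROXY_ADDRS, "2001:db8:ffff::1"),
        "to_isolated_zone": select_source(PROXY_ADDRS, "fd12:3456:789a:2::1"),
        # Isolated zone numbered from a second GUA instead: both labels are 1,
        # so Rule 6 no longer separates the sides and Rule 8 decides.
        "two_guas": select_source(gua_only, "2001:db8:ffff::1"),
    }


if __name__ == "__main__":
    for case, src in demo().items():
        print(f"{case}: {src}")
```

The `two_guas` case is Ted's objection in code: number the isolated zone from a second GUA and both candidates carry label 1, so the stack falls through to longest-prefix match and the operator has to steer selection by hand (policy-table edits, per-host routing, or applications binding explicitly). Real stacks also apply the rules omitted here and may ship a modified policy table, so confirm the result on the host rather than trusting the default table; on Linux, `ip -6 route get <dst>` shows the source address the kernel would choose.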