Hi,

2015-01-30 0:28 GMT+01:00 Eric Louie <elouie@techintegrity.com>:
> I'm putting together my first IPv6 allocation plan. The general layout:
>
> /48 for customers universally and uniformly
> /38 for larger regions on an even (/37) boundary
> /39 for smaller regions on an even (/38) boundary
> A few /48's for "internal use" to allow us to monitor and maintain systems.
Depending on how many regions you have, I would just go for /40, as it is the byte boundary, or request a bigger block and use the /32.
> For security's sake, do I need (am I better off) to "reserve" a "management block" (/39, /40, /41 or something of that nature) that does NOT get advertised into BGP to my upstreams, and use that for my device management and monitoring address space? In other words, make a small "private" address space for management? What are folks doing around that?
Do not spam the BGP table for that. Use firewalls or ACLs to prevent unwanted access. You could use Unique Local Addresses (ULA) for this if you have some VPN infrastructure in your network. Not announcing these blocks does not prevent people on your network from accessing these areas.
> If I have to do 6-to-4 conversion, is there any way to do that with multiple diverse ISP connections, or am I "restricted" to using one entry/exit point? (If that's true, do I need to allocate a separate block of addresses that would be designated "6 to 4" so they'd always be routed out that one entry/exit point?)
I would not use 6to4, as it tunnels the IPv6 traffic over IPv4, which is a pain to control.

Best regards
Karsten
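
Added example, not part of the original message: a sketch of the plan discussed above, carving an allocation into /40 regions and /48 customers, building a ULA /48, and checking a management ACL. The prefixes (the 2001:db8::/32 documentation range, the management block and its permitted source) and all function names are assumptions made for illustration; the ULA Global ID is drawn from Python's `secrets` module rather than from the hash-based procedure RFC 4193 suggests.

```python
import ipaddress
import secrets

# Constructed values: 2001:db8::/32 is the documentation prefix, standing in
# for a provider allocation; the management prefixes below are made up.
ALLOCATION = ipaddress.ip_network("2001:db8::/32")
MGMT_BLOCK = ipaddress.ip_network("2001:db8:ff00::/48")
MGMT_SOURCES = [ipaddress.ip_network("2001:db8:ff00:10::/64")]  # NOC hosts

def regions(allocation=ALLOCATION, region_len=40):
    """Split the allocation into region blocks (/40 = byte boundary)."""
    return list(allocation.subnets(new_prefix=region_len))

def customers_per_region(region_len=40, customer_len=48):
    """How many customer /48s fit into one region block."""
    return 2 ** (customer_len - region_len)

def new_ula_prefix():
    """ULA /48: fd00::/8 followed by a 40-bit random Global ID."""
    value = (0xFD << 120) | (secrets.randbits(40) << 80)
    return ipaddress.IPv6Network((value, 48))

def mgmt_acl_permits(src, dst, block=MGMT_BLOCK, sources=MGMT_SOURCES):
    """Filter for the management block: only listed sources may reach it.
    Traffic to other destinations is not this filter's concern."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in block:
        return True
    return any(src in net for net in sources)

if __name__ == "__main__":
    print(regions()[:3], customers_per_region())
    print(new_ula_prefix())
    # A customer inside the same allocation has a route to the management
    # block whether or not it is announced upstream; only the ACL stops it.
    print(mgmt_acl_permits("2001:db8:100:1::9", "2001:db8:ff00:1::1"))
    print(mgmt_acl_permits("2001:db8:ff00:10::5", "2001:db8:ff00:1::1"))
```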