On 2012-07-13 18:11, Tom Cooper wrote: [..]
> As an IPv6 newbie myself
Play with it and get your ears wet, it is still not entirely too late to start to learn to swim ;)
> , I wonder how hosts handle link local, ULA and global addresses. For example, if you have some internal web traffic used for intranet use only, do you bind those servers to use only ULA addresses? This way your internal users with ULA addressing only have access to those servers? No need to give intranet-only servers a global address if they're not needed to be accessed globally.
You could do that indeed, thus have clients only have a global (and link-local) address and only make a certain prefix, be that ULA or a specific chunk of your global prefix, available to your internal network, for the hosts that are used for your internal services. As long as the prefix is stable you likely do not care if it is global or ULA, as when a misconfiguration happens in such a way that that prefix is not properly firewalled away or gets routed, it has happened. As can be clearly seen in various routing tables, filtering is not happening everywhere, thus it won't buy you that much; proper policy, automation and verification will avoid fat fingers much better though. Also, note that a firewalled prefix only brings one that much security; the higher chance is that the client host gets infected or compromised.
> Is there a way for hosts to "prefer" or "attempt" to connect to a service by first trying a link-local scope, then a ULA and finally a global address if its off the AS?
RFC3484, aka /etc/gai.conf and friends on other OSs. It is not easy to distribute this though.
> I really like the idea of ULA and think it makes much more sense than RFC1918 + NAT. I just don't have any deployment experience with it yet so I'm curious how the host would handle it.
ULA is meant for non-internet connected devices. As such NAT does not come into play, as one will have a unique ULA prefix that will not clash when you interconnect them privately with other networks. RFC1918 + NAT primarily makes sense as it allows one to hook up devices to the Internet without 'wasting' more public addresses; that problem does not exist with IPv6 though.

Greets,
 Jeroen
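As an added illustration of the RFC 3484 / gai.conf answer above (this is editor-supplied example code, not part of the thread or anything Jeroen or Tom posted), the script below models the destination-address ordering of RFC 6724, the successor to RFC 3484, with the precedence/label policy table that glibc lets you override in /etc/gai.conf. A constructed host holding a link-local, a ULA and a global source address sorts the three addresses of a constructed intranet service, first with the default table and then with the kind of `precedence` tweaks needed to get the "link-local, then ULA, then global" order asked about. The addresses, the `with_precedence` helper and the simplification to rules 2, 5, 6, 8 and 9 (destination) and 2, 6, 8 (source) are assumptions of this example; real resolvers also consult routing and reachability state.

```python
# Added example, not from the original mailing-list post: a compact model of the
# RFC 6724 destination-address ordering (successor to RFC 3484) that
# getaddrinfo() applies, driven by a precedence/label policy table of the kind
# /etc/gai.conf can override on glibc. Addresses are constructed sample data.
from ipaddress import IPv6Address, IPv6Network

# Default policy table, RFC 6724 section 2.1: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),    # ULA: low precedence, so a global destination wins by default
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]


def lookup(policy, addr):
    """Longest-prefix match in the policy table; returns (precedence, label)."""
    best = None
    for prefix, precedence, label in policy:
        net = IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    if best is None:
        raise ValueError("policy table must contain a ::/0 entry")
    return best[1], best[2]


def scope(addr):
    """Address scope per RFC 6724 section 3.1: link-local 0x2, site-local 0x5, global 0xe."""
    if addr.is_loopback or addr.is_link_local:
        return 0x2
    if addr.is_site_local:          # deprecated fec0::/10
        return 0x5
    if addr.is_multicast:
        return addr.packed[1] & 0x0f
    return 0xe                      # ULA (fc00::/7) and global unicast both have global scope


def common_prefix_len(a, b):
    """Number of leading bits two addresses share (RFC 6724 CommonPrefixLen)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(policy, dst, sources):
    """Simplified RFC 6724 section 5 source selection: rules 2 (scope), 6 (label), 8 (prefix)."""
    dst_scope = scope(dst)
    dst_label = lookup(policy, dst)[1]

    def key(src):
        src_scope = scope(src)
        # Rule 2: a source whose scope covers the destination beats one that does not;
        # among adequate sources the smaller scope wins, among inadequate ones the larger.
        scope_rank = (0, src_scope) if src_scope >= dst_scope else (1, -src_scope)
        label_rank = 0 if lookup(policy, src)[1] == dst_label else 1   # Rule 6
        return (scope_rank, label_rank, -common_prefix_len(src, dst))  # Rule 8

    return min(sources, key=key)


def order_destinations(policy, dests, sources):
    """Simplified RFC 6724 section 6 destination ordering (rules 2, 5, 6, 8, 9).
    Returns the destinations as strings, most preferred first."""

    def key(dst):
        src = select_source(policy, dst, sources)
        dst_prec, dst_label = lookup(policy, dst)
        return (
            0 if scope(src) == scope(dst) else 1,             # Rule 2: matching scope
            0 if lookup(policy, src)[1] == dst_label else 1,  # Rule 5: matching label
            -dst_prec,                                        # Rule 6: higher precedence
            scope(dst),                                       # Rule 8: smaller scope
            -common_prefix_len(src, dst),                     # Rule 9: longest matching prefix
        )

    return [str(d) for d in sorted(dests, key=key)]


def with_precedence(policy, prefix, precedence, label):
    """Copy of the policy with one entry replaced or added; this is what a
    'precedence'/'label' pair of lines for that prefix in gai.conf expresses."""
    return [row for row in policy if row[0] != prefix] + [(prefix, precedence, label)]


# Constructed sample host with one address of each kind, all on the same link/site.
SOURCES = [IPv6Address(a) for a in ("fe80::1", "fd12:3456:789a:1::10", "2001:db8:1::10")]
# Constructed intranet service that answers on all three of its addresses.
SERVICE = [IPv6Address(a) for a in ("2001:db8:1::80", "fd12:3456:789a:1::80", "fe80::2")]

# Tweak 1: raise ULA above the ::/0 default of 40.
ULA_FIRST = with_precedence(DEFAULT_POLICY, "fc00::/7", 45, 13)
# Tweak 2: rule 6 (precedence) runs before rule 8 (smaller scope), so link-local
# must also be raised, above ULA, to end up first.
LL_THEN_ULA = with_precedence(ULA_FIRST, "fe80::/10", 47, 1)


def order_with(policy):
    return order_destinations(policy, SERVICE, SOURCES)


if __name__ == "__main__":
    print("default table      :", order_with(DEFAULT_POLICY))
    print("fc00::/7 raised    :", order_with(ULA_FIRST))
    print("fe80::/10 too      :", order_with(LL_THEN_ULA))
```

Two things worth noticing when running it: with the default table the global address of the service sorts ahead of its ULA address, which is exactly why an intranet service that also has a global address gets reached globally unless policy says otherwise; and raising only fc00::/7 puts ULA ahead of link-local, because precedence (rule 6) is compared before scope size (rule 8). On glibc the practical caveat is that the first `precedence` line in /etc/gai.conf discards the whole built-in precedence table, so the complete table has to be restated with the changed entries, which is part of why this is hard to roll out across a fleet.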