On 09/08/2016 04:09 PM, Pshem Kowalczyk wrote:
> With NAT I have a single entry/exit point to those infrastructure subnets which can be easily policed.
I have used NAT in IPv4 scenarios as an alternative for lack of routing control in the return direction. However, this does not mean that this is the correct, best or orthodox way, even for IPv4, much less in IPv6. So, even though you can hack your way using NAT, this is really a routing problem, not an addressing problem. And you will just create problems for your users, your developers, yourself and third parties.
> If I give them public IPs then they're routable and potentially can reach the internet via devices that don't police the traffic.
First: this can happen with NAT too. If other devices have access to the Internet, they can just NAT themselves even if the third-party exit has a private address. Second: private addresses can reach the Internet too. Many devices and ISPs don't block RFC5375-sourced packets from the Internet. So they can go out, although they can't come back. This is enough to create unsourceable attacks. In both cases NAT isn't really solving any of your problems fully. It's just a misconception.
> My real question is does anyone bother with the fc00::/7 addressing or do you use your public space (and police that)?
I use public address space and I have made sure I have a single point of exit and return for my traffic. If I understood your concerns correctly, then I'd add that if the user forces traffic through third-party exit points, service is not guaranteed, as the third party may BCP38-filter it. If you want to absolutely prevent that, NAT will not help. You'll need other techniques. Best regards and good luck!
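Added example (not part of the original thread, and not code from either poster): a model of the source-address check that the single exit point described above would apply, which is the same BCP38 check a third-party transit provider applies at its ingress. A packet is forwarded only if its source lies in a prefix the site (or, at the transit, the customer) actually holds; ULA (fc00::/7), RFC 1918, link-local and any foreign address are dropped, so private-sourced packets cannot "go out but not come back", and traffic pushed through a third-party exit with someone else's source prefix is dropped there. The prefixes and the sample packets are constructed for illustration and are not from the original messages.

```python
import ipaddress

# Hypothetical site prefixes (constructed; not from the original thread).
SITE_PREFIXES = [
    ipaddress.ip_network("2001:db8:1000::/48"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Source address space that must never be forwarded to the Internet.
NON_ROUTABLE = [
    ipaddress.ip_network("fc00::/7"),        # IPv6 ULA
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local
]


def source_verdict(src, allowed_prefixes=SITE_PREFIXES):
    """BCP38-style source check.

    Returns ("forward"|"drop", reason). With the site's own prefixes this is
    the egress filter at the single exit point; with a customer's prefixes it
    is the ingress filter a transit provider applies to that customer.
    """
    addr = ipaddress.ip_address(src)
    for net in NON_ROUTABLE:
        if addr in net:
            return "drop", f"non-routable source {addr} in {net}"
    for net in allowed_prefixes:
        if addr in net:
            return "forward", f"source {addr} in permitted prefix {net}"
    return "drop", f"source {addr} not in any permitted prefix (spoofed or leaked)"


def filter_packets(packets, allowed_prefixes=SITE_PREFIXES):
    """Apply source_verdict to (src, dst) pairs.

    Returns (forwarded, dropped); each entry is (src, dst, reason).
    """
    forwarded, dropped = [], []
    for src, dst in packets:
        verdict, reason = source_verdict(src, allowed_prefixes)
        (forwarded if verdict == "forward" else dropped).append((src, dst, reason))
    return forwarded, dropped


# Constructed sample traffic seen at the exit point.
SAMPLE_PACKETS = [
    ("2001:db8:1000:5::10", "2001:db8:ffff::1"),  # legitimate site v6 source
    ("fd12:3456:789a::1", "2001:db8:ffff::1"),    # ULA leaking out
    ("10.20.30.40", "198.51.100.7"),              # RFC 1918 leaking out
    ("203.0.113.9", "198.51.100.7"),              # legitimate site v4 source
    ("2001:db8:dead::1", "2001:db8:ffff::1"),     # not a site prefix: spoofed
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    for src, dst, reason in fwd:
        print(f"FORWARD {src} -> {dst}: {reason}")
    for src, dst, reason in drp:
        print(f"DROP    {src} -> {dst}: {reason}")
```

Run against the constructed sample, the two site-sourced packets are forwarded and the ULA, RFC 1918 and foreign-prefix packets are dropped. Calling `filter_packets` with a different `allowed_prefixes` list models the third-party transit's view: a packet carrying the site's source address that arrives via an exit the site does not own fails the check there, which is the "service is not guaranteed" case in the reply.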