You can also easily police a subnet. On Sep 8, 2016 6:11 PM, "Pshem Kowalczyk" <pshem.k@gmail.com> wrote:
With NAT I have a single entry/exit point to those infrastructure subnets which can be easily policed. If I give them public IPs then they're routable and potentially can reach the internet via devices that don't police the traffic.
My real question is does anyone bother with the fc00::/7 addressing or do you use your public space (and police that)?
kind regards Pshem
On Fri, 9 Sep 2016 at 10:27 Mark Andrews <marka@isc.org> wrote:
In message <CAEaZiRU+wgQ0GDzxcmtqKO=_ SASAVsNX31Q_70Q+uDM1oeoHrQ@mail.gmail.com>, Pshem Kowalczyk writes:
Hi,
We're looking at rolling out IPv6 to our internal DC infrastructure. Those systems support only our internal network and in the IPv4 world they
all
live in 'private' space of 10.0.0.0/8. I was wondering if anyone uses the fc00::/7 space for these sort of things or do ppl use a bit of their public IPv6 allocation and manage the security for those ranges? I realise I'd have to use a proxy or NAT66 for the regular outbound connectivity (but we do it already for IPv4 anyway). The truth is that even if we do use something out of our public allocation we're likely to do the same thing (just to be sure that nothing spills out accidentally).
So what do you do in this space?
kind regards Pshem
If you have a NAT you can't prevent things spilling out. The ONLY way to prevent things spilling out is to not connect the network in any shape or form.
All NAT does is make it harder to run your network and increases the cost of software development.
Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org