On Jan 31, 2011, at 10:26 PM, Michael Dillon wrote:

>> In my opinion, RFC 4193 is just a bad idea and there's no benefit to it vs. GUA. Just put a good stateful firewall in front of your GUA.
>> I mean, really, how many things do you have that don't need access to/from the internet? Maybe your printers and a couple of appliances.
>> The rest... All those TiVOs, Laptops, Desktops, iPads, etc. all need public addresses anyway, so, why bother with the ULA?

> Because the ULA addressing is free, not that hard, and provides an extra layer of protection to prevent vandals from using up your printer ink or turning your fridge on defrost during the night.

Well, 2 out of 3 isn't bad, I suppose, but, do you really get even that? ULA addressing is free, except for the costs imposed by using it instead of GUA in most circumstances. I'll give you 0.5 for this one. ULA addressing is not that hard. Neither is GUA. In fact they both pose exactly the same difficulty. So, though I have to grant that it isn't that hard, you failed to show how this fact gives it any advantage over GUA. Additionally, it does create additional difficulties since you now need to maintain two address spaces instead of just one. So, since it's harder than GUA, but, still not that hard, I'll give you 0.5 for that one, too. The last one is specious at best. The stateful firewall provides all the protection there. The ULA doesn't really provide any because if the FW is compromised, you just bounce the print requests off of one of the hosts that has GUA+ULA. Sorry, 0 points here. So, let's see... 0.5+0.5+0 = 1.0 -- Nope, not even 2 out of 3.

> And some networks will have a lot more stuff that could use an extra layer of protection like that, for instance SCADA networks.

If there were an extra layer of protection, sure, but, since there actually isn't, no joy there. If you want to isolate your SCADA network so it doesn't have anything on it that talks to the internet, then, ULA could be just fine, but, in that case, GUA or Link Local may be equally fine with all the same protections and less hassle if you decide to change the policy later.

>> Supplying every end site with a /48 of global address space is neither stupid nor wasteful. It's a good design with some nice future-proofing and some very nice features available if people take better advantage of the capabilities offered as we move forward.
>> Just because it's more than you can imagine using today does not mean that it is more than you will ever imagine using. I'm very happy that I have a /48 at home and I look forward to making better use of it as the Consumer Electronics vendors start to catch on that the internet is being restored to full functionality for end users.

> Agreed. /48 is good for even the smallest home user living in a one bedroom apartment. They may not fully exploit it, but at the same time, they should not be treated as second class citizens when there is enough IPv6 address wealth to share around.

Well, I'd give /48s even to studios, small lofts, dorm rooms, and any internet-connected janitorial closets in multi-tenant buildings. I see no reason to draw the line at one-bedroom apartments.

Owen
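As an added illustration of the "good stateful firewall in front of your GUA" position argued in this thread (not code from either poster; the 2001:db8:1234::/48 prefix, the lan0/wan0 interface names and the single SSH host are assumed placeholders), an nftables ruleset with that shape: default deny inbound, stateful acceptance of return traffic, and the ICMPv6 types IPv6 cannot function without:

```nft
# Site firewall for a /48 of GUA. Prefix and interface names are
# placeholders, not values from the thread.
table inet site_fw {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbor discovery and router advertisements must reach the
        # firewall itself or IPv6 on the link stops working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert, echo-request } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Any host inside the site's GUA prefix may initiate outbound.
        iifname "lan0" ip6 saddr 2001:db8:1234::/48 accept
        # ICMPv6 error messages (Packet Too Big above all) are needed
        # for path MTU discovery; dropping them breaks connections.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # Explicit inbound exceptions: one host, one service. The
        # printer and the fridge have no entry here, so nothing outside
        # can open a connection to them even though they hold GUA.
        iifname "wan0" ip6 daddr 2001:db8:1234:10::22 tcp dport 22 ct state new accept
    }
}
```

Load it with `nft -f` and check the counters with `nft list ruleset`; the point of the thread is that the protection for the printer comes from the drop policy in the forward chain, not from which prefix the printer was numbered out of.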