On Jan 25, 2012, at 10:03 AM, Justin M. Streiner wrote:
> On Wed, 25 Jan 2012, Dale W. Carder wrote:
>> We have one customer in particular with a substantial non-publicly reachable v6 deployment with globally assigned addresses. I believe there is no need to replicate the headaches of rfc1918 in the next address-family eternity.
> The one big issue I could see with doing that is that the vulnerability exposure, particularly from the outside world, is larger if devices that don't need public addresses have them. For example, if a network engineer or NOC person accidentally removes a "hide my public infrastructure from the outside world" from an interface on a border router...

Use different GUA ranges for internal and external. It's easy enough to get an additional prefix.

> As others have mentioned, things like management interfaces on access switches, printers, and IP phones would be good candidates to hide with ULA.

Or non-advertised, filtered GUA. Works just as well either way.

Owen
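The failure mode Justin describes (a border filter dropped from an interface, exposing internal GUA) is easy to catch with a config check. The following is an added example, not code from the thread or from any vendor: it parses a constructed IOS-style fragment (the ACL name, interface name and 2001:db8: prefixes are all made up) and reports which internal prefixes the border interface's inbound filter no longer denies.

```python
import ipaddress
import re

# Constructed IOS-style border-router fragment (sample input, not from the thread).
CONFIG_FILTERED = """\
ipv6 access-list EXT-IN
 deny ipv6 any 2001:db8:1000::/48
 permit ipv6 any any
interface GigabitEthernet0/0
 ipv6 traffic-filter EXT-IN in
"""
# The same router after someone removed the traffic-filter from the border interface.
CONFIG_UNFILTERED = CONFIG_FILTERED.replace(" ipv6 traffic-filter EXT-IN in\n", "")
INTERNAL_GUA = ["2001:db8:1000::/48", "2001:db8:1000:20::/64"]  # constructed internal-only GUA

def parse_config(text):
    """Return ({acl_name: [(action, dst_network), ...]}, {interface: inbound_acl_name})."""
    acls, inbound, current, kind = {}, {}, None, None
    for line in text.splitlines():
        if m := re.match(r"ipv6 access-list (\S+)", line):
            current, kind = m.group(1), "acl"
            acls.setdefault(current, [])
        elif m := re.match(r"interface (\S+)", line):
            current, kind = m.group(1), "iface"
        elif kind == "acl" and (m := re.match(r"\s+(permit|deny) ipv6 \S+ (\S+)", line)):
            dst = m.group(2)  # destination: a prefix or the keyword "any"
            acls[current].append((m.group(1), ipaddress.ip_network("::/0" if dst == "any" else dst)))
        elif kind == "iface" and (m := re.match(r"\s+ipv6 traffic-filter (\S+) in", line)):
            inbound[current] = m.group(1)
    return acls, inbound

def exposed_prefixes(text, internal, border_iface):
    """Internal prefixes that the border interface's inbound ACL does not deny."""
    # First matching entry wins (IOS semantics); no match falls through to the implicit deny.
    acls, inbound = parse_config(text)
    entries = acls.get(inbound.get(border_iface, ""))
    if entries is None:  # no inbound filter on the border interface: everything is reachable
        return list(internal)
    exposed = []
    for p in internal:
        net = ipaddress.ip_network(p)
        for action, dst in entries:
            if net.subnet_of(dst):
                if action == "permit":
                    exposed.append(p)
                break
    return exposed
```

Run it against each border router's saved config from a cron job and alert on a non-empty list; the same check works for ULA prefixes, which belong in the deny list as well.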