On Mon, 9 Jul 2007, [EMAIL PROTECTED] wrote:
<snip>
- we don't need the full internet connectivity or reachability, we simply
don't care what's on the internet from our point of view. We have an RIR
assigned IP block for _all_ our global needs and let our chosen ISP provide
us global internet when they announce _our_ RIR assigned netblock
- unique addresses so when we interconnect to other organizations we don't
get a collision ever, neither now nor in 10 years' time. ULA-L simply isn't
enough, 2^40 is not good enough. No point in arguing over that.
- we don't want NAT anywhere in our network, that breaks the end to end
connectivity we need for lots of things. Our internal video or phone
system or whatever other application we have/will get.
- we need full reverse DNS control over the ULA-C/G blocks we have (we
will get several thousands of them) since that way the other organization
just has to go to the internet root DNS to look up our IPs, they don't need
to tune their DNS for reaching things in OUR network.

You are referring to "other organization(s)". Will these be entities to whom
you directly connect, or have VPN connections to? Or do you mean,
generally, the Internet at large?

yes they have their own internet connection, and they are closed networks much like ours; some have internet but have closed zones (DMZ) we communicate with. In neither case does the internet matter since it is two networks that interconnect through a direct connection totally outside the internet.


Without NAT, ULA is *not* allowed into the DFZ. Period.
You don't want NAT.
You *must* then choose to use PA blocks assigned by ISPs, or your own PI
block(s).

no, for _all_ our internal communication we are considering using ULA addresses, maybe using some addresses from our PA block or a PI block for some special services, depending. No one is allowed to communicate directly out of our network, so they will anyway have to go through some sort of "relay", mail servers, web proxies etc., and those again will communicate with the internet through DMZ setups with our PA addresses. (And yeah, we know there are services that can't be sent through relays, but that's okay, we have other solutions for them.)


You may not care about the global DFZ, but if you plan on connecting to
it, it certainly cares about you, and everyone else. Specifically, that
certain rules be observed, ruthlessly. Everything else goes, however. Once
you have your address space, it is yours to do with as you wish. There is
no limit to the way you carve it up - google "VLSM" (variable-length
subnet mask) to get some good ideas. But what goes into the DFZ is
something all members of the DFZ care very greatly about.

you didn't read the entire mail either... we have a PA block we use for our external needs. ULA-C/G are for _internal_ usage, nothing else.


sure we could just get a bigger PA block from our RIR but they don't buy
_OUR_ arguments for why we need more IP, which is okay since it is our
INTERNAL network that requires the amount of IP we need. We don't have any
issues to justify that we need a /32 after the current policies, or any of
the others I've seen suggested.

You should not be dealing with PA blocks if you have the need for global
reverse DNS that you control, and for the size and complexity of your
network(s). PI is where you should be looking, and nowhere else.

And, since we're discussing ULA, your needs suddenly become irrelevant.

Sorry. Thanks for providing your input.

eh we have PA for _our_ external needs, that one is okay.
We have PI for some special usage (there will quite certainly be some needs for it someday). And for the big internal usage we are considering using ULA-C/G if it will provide us with global reverse control... that is, any of our ULA-C/G addresses can be looked up through the global DNS.

what part is irrelevant?


<snip>
I guess other enterprises see this the same way. They simply want INTERNAL
unique IP addresses with global reverse DNS options, nothing less, nothing
more.
They probably won't bother to become an LIR just for internal IP, their ISP(s)
provide them with their internet connectivity, and they can probably
easily justify getting PI if they want that.

The general argument on ULA-C/ULA-G vs PI is this - PI is what should be
used if you want globally unique address space, and will want this to be
known (without NAT) on reverse query lookups, to anyone else who is
connected indirectly (via the DFZ).

The model for ULA-C/ULA-G is one of non-Internet connected networks, or
networks who may use Internet-based transparent transport services, such
as VPN or MPLS-VPN or whatever else. VPN-VPN connections, which have in
the past been referred to as "extra-nets", are what are envisioned.
Globally unique addresses used by all such VPNs mean that interconnecting
them, deliberately or accidentally, permanently or temporarily, just works.

Exactly, that is why we need GLOBALLY unique ULA blocks for our usage. We don't know who we will privately/directly interconnect with in the future, but it will not be over the internet.


And, just because you plan on running an internal network, does not mean
that none of that network will want to reach the outside world. If it does,
certainly plan on using firewalls, but don't plan on using NAT just because
you used NAT in IPv4. There's nothing wrong with mixing ULA address space
and PI or PA address space on your internal infrastructure - that too is
meant to just work, and might well suit your needs. But if you plan on
having everything on your internal network reach out to the internet, my
advice is to get a single PI block and use that from the very beginning.

Exactly *how* you use that is your business and yours alone.

forget our external needs, they are taken care of by our PA block, or PI block if we want that for some special usage. It is the internal networking that is the issue now. ULA-C/G looks like the best candidate if it goes through.


But, the community at large *will* tell you - we do not intend on allowing
anyone to get, use, and announce, large quantities of PI *blocks*.
The scalability of the DFZ requires very conservative growth and use of
numbers of prefixes, regardless of their size. It is router slots, aka
prefixes, aka netblocks in the DFZ, that we care about. Nothing in that is
impacted by the size of the blocks in question.

If you need to have 1000000 blocks internally, that's fine - but those
will need to be aggregated by you into one single PI block when you talk
to the world, or however many blocks your minimal topological needs can
justify.
(Or aggregated by one or more ISPs in PA blocks, that's fine too.)

externally we have PA, so forget that. Internally we have three options with lots of variation on how to implement them:
- use our PA block one way or another
- use PI blocks (several different ones)
- use ULA-C/G



--

------------------------------
Roger Jorgensen              | - ROJO9-RIPE  - RJ85P-NORID
[EMAIL PROTECTED]           | - IPv6 is The Key!
-------------------------------------------------------
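The "2^40 is not good enough" point about locally assigned ULA-L in the thread above can be worked through numerically. The following is an added example in Python, not code from the thread or from any of its participants: it implements the RFC 4193 section 3.2.2 Global ID derivation, builds the resulting fd00::/8 site prefix and its ip6.arpa reverse zone, and computes the birthday-bound probability that independently generated Global IDs collide once many networks interconnect. The NTP timestamp and EUI-64 values are constructed sample inputs.

```python
import hashlib
import ipaddress
import math
import struct


def rfc4193_global_id(ntp_timestamp: int, eui64: bytes) -> int:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP timestamp || EUI-64);
    the least significant 40 bits of the digest become the Global ID."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    key = struct.pack(">Q", ntp_timestamp) + eui64
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_l_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fc00::/7 with the L bit set (locally assigned) is fd00::/8; the 40-bit
    Global ID occupies bits 8..47, which yields the site's /48."""
    if not 0 <= global_id < 2 ** 40:
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def reverse_zone(prefix: ipaddress.IPv6Network) -> str:
    """ip6.arpa zone name that would have to be delegated to the site for a
    nibble-aligned prefix such as a /48 (the reverse-DNS control discussed)."""
    if prefix.prefixlen % 4:
        raise ValueError("reverse zones need nibble-aligned prefixes")
    hex_digits = prefix.network_address.exploded.replace(":", "")
    nibbles = hex_digits[: prefix.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def collision_probability(n_prefixes: int, bits: int = 40) -> float:
    """Birthday bound: probability that at least two of n independently chosen
    bits-bit Global IDs coincide, P ~= 1 - exp(-n(n-1) / 2^(bits+1))."""
    exponent = -n_prefixes * (n_prefixes - 1) / 2 ** (bits + 1)
    return -math.expm1(exponent)  # 1 - exp(exponent) without cancellation


if __name__ == "__main__":
    # Constructed sample inputs: an arbitrary NTP timestamp and EUI-64.
    gid = rfc4193_global_id(0xD9A6E00000000000, bytes.fromhex("0218acfffe120034"))
    site = ula_l_prefix(gid)
    print(site, reverse_zone(site))
    for n in (2, 10_000, 1_000_000):
        print(f"{n} interconnected ULA-L sites: P(collision) = {collision_probability(n):.3g}")
```

With a few thousand sites the collision risk is still small, but it passes one in three at around a million independently generated /48s, which is the scale the thread's "1000000 blocks" remark contemplates.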

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
