On Sep 27, 2011 6:49 AM, "Christopher Morrow" <christopher.mor...@gmail.com>
wrote:
>
> On Tue, Sep 27, 2011 at 9:36 AM, Roland Bless <roland.bl...@kit.edu> wrote:
> > Hi,
> >
> > it seems that there is currently not much interest in ULA-Cs (centrally
> > assigned ULAs). I came across several use cases, where manufacturers
> > (e.g, those of cars, airplanes, or smart metering environments)
> > would need internal/closed IPv6-based networks (maybe only for internal
> > control and management), that have no connection to the Internet.
> > For several reasons (esp. security) those networks
> > should operate isolated and independent from the Internet. In some cases
> > these products or installations may get merged, so prefix uniqueness
> > would be beneficial. Using locally assigned ULAs still bears the risk of
> > getting conflicts between manufacturers, esp. when considering the
> > number of manufacturers and products.
>
> why can't these just use globally unique addresses?
> are we certain they will never be connected to the Internet? (no
> really, you are sure? really?)
>

To this, I ask the question: are you sure private gua will not get leaked
when the security policy is that they not be routed on the internet? Really
sure?

This is not my first rodeo, and I have had no luck keeping public ips from
leaking in ipv4... especially on large networks with new engineers coming on
the team every few weeks to few months.

I believe ula is a good part of layered security and there are statistical
mechanisms to ensure uniqueness.

The prevailing ipv6 religion says no ula ever, but it's not entirely logical
or consistent with the reality of how folks run networks and make policy.

If the security policy changes in a BIG way, you have to renumber or proxy from
ula to gua, but factor that into your planning for if ula is really the
right fit.

I use ula for anything that does not need to speak to the internet... and in
my network, that is a lot of stuff.

Cb

> -chris
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
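
The thread turns on how likely two locally assigned ULA prefixes are to collide when closed networks are later merged. The following is an added example, not part of the original messages: it derives a /48 the way RFC 4193 section 3.2.2 describes and evaluates the collision estimate from section 3.2.3. The function names are hypothetical, and a random 8-byte value stands in for the interface EUI-64 (an assumption).

```python
import hashlib
import ipaddress
import math
import os
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # fc00::/7 with the L bit set


def ula_prefix(unix_time=None, eui64=None):
    """Derive a locally assigned ULA /48 as in RFC 4193 section 3.2.2."""
    if unix_time is None:
        unix_time = time.time()
    if eui64 is None:
        eui64 = os.urandom(8)  # assumption: random stand-in for an EUI-64
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time % 1) * 2**32) & 0xFFFFFFFF
    digest = hashlib.sha1(struct.pack("!II", secs, frac) + eui64).digest()
    global_id = digest[-5:]  # least significant 40 bits of the SHA-1 output
    packed = b"\xfd" + global_id + bytes(10)  # 8 + 40 bits, rest zero
    return ipaddress.IPv6Network((int.from_bytes(packed, "big"), 48))


def collision_probability(n_sites, id_bits=40):
    """RFC 4193 section 3.2.3 estimate: P = 1 - exp(-N**2 / 2**(L+1))."""
    return -math.expm1(-(n_sites ** 2) / 2 ** (id_bits + 1))


def sites_for_risk(p, id_bits=40):
    """Number of merged sites at which the collision estimate reaches p."""
    return math.sqrt(-math.log1p(-p) * 2 ** (id_bits + 1))


if __name__ == "__main__":
    print("constructed sample prefix:", ula_prefix())
    for n in (10, 1000, 10000, 1000000):
        print(f"{n:>8} sites -> P(collision) ~ {collision_probability(n):.3g}")
    print("sites for 50% risk:", round(sites_for_risk(0.5)))
```

The estimate stays negligible for a handful of merged networks and grows roughly with the square of the number of independently numbered sites, which is the scale question both sides of the thread are arguing about.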