On Jan 25, 2012, at 10:03 AM, Justin M. Streiner wrote:

> On Wed, 25 Jan 2012, Dale W. Carder wrote:
>
>> We have one customer in particular with a substantial non-publicly
>> reachable v6 deployment with globally assigned addresses. I believe
>> there is no need to replicate the headaches of rfc1918 in the next
>> address-family eternity.
>
> The one big issue I could see with doing that is that the vulnerability
> exposure, particularly from the outside world, is larger if devices that
> don't need public addresses have them. For example, if a network engineer or
> NOC person accidentally removes a "hide my public infrastructure from the
> outside world" from an interface on a border router...
>

Use different GUA ranges for internal and external. It's easy enough to get an additional prefix.

> As others have mentioned, things like management interfaces on access
> switches, printers, and IP phones would be good candidates to hide with ULA.

Or non-advertised, filtered GUA. Works just as well either way.

Owen
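
Added example, not part of the original message: a small Python audit of the internal/external GUA split suggested in the reply above. It flags an internal prefix that overlaps an announced prefix or has no covering inbound deny entry at the border; the function name, the finding labels and the 2001:db8::/32 documentation prefixes are constructed for illustration.

```python
import ipaddress


def audit_prefix_plan(internal, advertised, border_deny):
    """Check an internal/external GUA split (hypothetical helper).

    internal:    prefixes that must stay unreachable from outside
    advertised:  prefixes announced to upstreams and peers
    border_deny: prefixes dropped inbound at the border
    Returns a list of (internal_prefix, problem, detail) tuples.
    """
    internal = [ipaddress.IPv6Network(p) for p in internal]
    advertised = [ipaddress.IPv6Network(p) for p in advertised]
    border_deny = [ipaddress.IPv6Network(p) for p in border_deny]

    findings = []
    for net in internal:
        # A covering aggregate or a more-specific announcement both make
        # some of the internal space routable from outside.
        for route in advertised:
            if route.overlaps(net):
                findings.append((str(net), "advertised", str(route)))
        # The filter is the second, independent control: the whole internal
        # prefix must sit inside at least one deny entry.
        if not any(net.subnet_of(deny) for deny in border_deny):
            findings.append((str(net), "unfiltered", None))
    return findings


# Constructed sample plan using documentation address space.
INTERNAL = ["2001:db8:b000::/36"]    # management, printers, phones
EXTERNAL = ["2001:db8:a000::/36"]    # the only prefix announced
DENY_IN = ["2001:db8:b000::/36"]     # inbound deny at the border

if __name__ == "__main__":
    print("clean plan:      ", audit_prefix_plan(INTERNAL, EXTERNAL, DENY_IN))
    # The filter is removed by accident: the prefix is still not announced.
    print("filter removed:  ", audit_prefix_plan(INTERNAL, EXTERNAL, []))
    # Someone announces the covering /32: the filter is the only control left.
    print("aggregate leaked:", audit_prefix_plan(INTERNAL, ["2001:db8::/32"], DENY_IN))
```

Run against the real announcement list and border filter after each change, an empty result means both controls are still in place.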