There are several issues in this section, not just the NAT:

> 2.1.2. Use of ULAs
>
> ULAs are intended for scenarios where IP addresses will not have
> global scope so they should not appear in the global BGP routing
> table.

We need to align that with the clarification in draft-bchv-rfc6890bis:

  ULAs are intended for scenarios where IP addresses are not globally
  reachable, despite formally having global scope. They must not appear
  in the routing system outside the administrative domain where they
  are considered valid. Therefore, packets with ULA source and/or
  destination addresses MUST be filtered at the domain boundary.

> ULAs could be useful for infrastructure hiding as described in
> RFC4864 [RFC4864]. Alternatively Link-Local addresses RFC7404
> [RFC7404] could also be used.

LL addresses don't help if you have multiple LANs. I suggest simply
deleting the second sentence; it will confuse people.

> Although ULAs are supposed to be used
> in conjunction with global addresses for hosts that desire external
> connectivity

Change that to

  ULAs may be used for internal communication, in conjunction with
  globally reachable unicast addresses (GUAs) for hosts that also
  require external connectivity through a firewall. For this reason,
  no form of address translation is required in conjunction with ULAs.

Then I suggest deleting *all* the rest of the section, but add this at
the end:

  Using ULAs as described here might simplify the filtering rules
  needed at the domain boundary, by allowing a regime in which only
  hosts that require external connectivity possess a globally
  reachable address. However, this does not remove the need for
  careful design of the filtering rules.

Thus the whole section would read (with a little more editing):

  2.1.2. Use of Unique Local Addresses

  Unique Local Addresses (ULAs) [RFC4193] are intended for scenarios
  where IP addresses are not globally reachable, despite formally
  having global scope. They must not appear in the routing system
  outside the administrative domain where they are considered valid.
  Therefore, packets with ULA source and/or destination addresses MUST
  be filtered at the domain boundary.

  ULAs are assigned within pseudo-random /48 prefixes created as
  specified in [RFC4193]. They could be useful for infrastructure
  hiding as described in [RFC4864].

  ULAs may be used for internal communication, in conjunction with
  globally reachable unicast addresses (GUAs) for hosts that also
  require external connectivity through a firewall. For this reason,
  no form of address translation is required in conjunction with ULAs.

  Using ULAs as described here might simplify the filtering rules
  needed at the domain boundary, by allowing a regime in which only
  hosts that require external connectivity possess a globally
  reachable address. However, this does not remove the need for
  careful design of the filtering rules.

Brian

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
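The boundary rule proposed in the message above (drop any packet whose source or destination is a ULA, in either direction) and the pseudo-random /48 assignment it refers to, shown as an added example in Python. This is not code from the draft, from RFC 4193, or from the message's author. The site prefix fd12:3456:789a::/48, the 2001:db8::/32 documentation addresses, the sample flows, and the fixed NTP timestamp and EUI-64 fed to the generator are all constructed for illustration; the generator follows the SHA-1 derivation described in RFC 4193 section 3.2.2 but takes its inputs as integers so that the result is reproducible.

```python
"""Boundary filtering of ULA traffic, plus an RFC 4193-style /48 generator.

Added example, not taken from the draft or the mailing-list message.
All addresses and packets below are constructed for illustration.
"""
import hashlib
import ipaddress
import struct

# fc00::/7 is the whole ULA block (RFC 4193). Only fd00::/8 (L bit = 1) is
# currently defined for locally assigned prefixes, but a boundary filter
# should cover the full /7 so the reserved fc00::/8 half is dropped as well.
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")


def is_ula(addr: str) -> bool:
    """True if the address lies inside fc00::/7."""
    return ipaddress.IPv6Address(addr) in ULA_BLOCK


def generate_ula_prefix(ntp_time64: int, eui64: int) -> ipaddress.IPv6Network:
    """Derive a pseudo-random /48 the way RFC 4193 section 3.2.2 describes:
    SHA-1 over (64-bit NTP timestamp || EUI-64), keep the low 40 bits as the
    Global ID, and place it behind the fd00::/8 prefix (L bit = 1).
    Inputs are integers here (constructed in the caller) so the result is
    reproducible; a real implementation reads the clock and an interface ID."""
    key = struct.pack(">QQ", ntp_time64, eui64)
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)    # fd + 40-bit ID, rest zero
    return ipaddress.IPv6Network((prefix_int, 48))


def boundary_verdict(src: str, dst: str) -> str:
    """Filter rule for the administrative domain boundary, both directions:
    any packet whose source OR destination is a ULA is dropped, so ULA
    traffic never leaks out and ULA-addressed traffic never gets in.
    GUA-to-GUA traffic is accepted here; what happens to it next is up to
    the rest of the firewall policy, which this rule does not replace."""
    if is_ula(src) or is_ula(dst):
        return "drop"
    return "accept"


# Constructed sample flows crossing the boundary. fd12:3456:789a::/48 stands
# in for the site's ULA prefix; 2001:db8::/32 is the documentation GUA range.
SAMPLE_FLOWS = [
    ("fd12:3456:789a::10", "2001:db8::1"),      # internal-only host going out: drop
    ("2001:db8:1::5", "fd12:3456:789a::10"),    # outside host aimed at a ULA: drop
    ("2001:db8:1::5", "2001:db8:2::7"),         # GUA to GUA: accept (subject to policy)
    ("fc00::1", "2001:db8::1"),                 # reserved fc00::/8 half: still drop
]


def filter_flows(flows=SAMPLE_FLOWS) -> list:
    """Apply boundary_verdict to each (src, dst) pair and return the verdicts."""
    return [boundary_verdict(src, dst) for src, dst in flows]


if __name__ == "__main__":
    # Constructed inputs: an arbitrary 64-bit NTP timestamp and an EUI-64.
    prefix = generate_ula_prefix(ntp_time64=0xD5E5C3A400000000,
                                 eui64=0x0211_22FF_FE33_4455)
    print("generated ULA /48:", prefix)
    for (src, dst), verdict in zip(SAMPLE_FLOWS, filter_flows()):
        print(f"{src:>22} -> {dst:<22} {verdict}")
```

The point the sample flows make is the one the message makes in prose: with the boundary rule in place, a host that holds only a ULA cannot reach outside and cannot be reached from outside, without any address translation, while a host that also holds a GUA is handled by the ordinary firewall rules for GUA traffic. The rule matches on the whole fc00::/7 rather than only fd00::/8 so that the not-yet-defined half of the block is treated the same way.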