[arin-ppml] GUA vs ULA vs ?

David Farmer farmer at umn.edu
Tue Mar 30 20:36:06 EDT 2010


Thomas Narten wrote:

> I'd like to understand what has changed and whether that warrants
> reopening the discussion based on new or different thinking. What I
> fear, however, is a repeat of the same long, passionate and
> inconclusive discussion that has been had several times before.
> 
> Thomas

What has changed? Well, people are starting to take seriously 
implementing IPv6, including some end-users.  See ARIN's own statistics:

https://www.arin.net/knowledge/statistics/historical.html
https://www.arin.net/knowledge/statistics/index.html

Furthermore, we have a PI policy such that ULA-C shouldn't end up being 
an end around to get PI.  At least, if the RIRs have control of the 
policy for assignment of ULA-C, with an expectation that they would be 
similar if not identical to the PI policies.  Which I'm starting to hear 
some consensus for, at least on PPML; we might not be there yet, but I 
think we are getting close.

Are these enough to make the difference this time? I don't know.

There are a number of legitimate uses for ULA-C, for which providing 
guaranteed uniqueness and reverse DNS provides an operational advantage 
over ULA-R (A.K.A. ULA-L).

VPNs - whatever the technology, IPSec, MPLS, L2TP, ETC...

Private Networks - things you don't ever want talking to the Internet

Compliance - pointy-haired boss repellent!

Right or wrong, a lot of enterprise architecture is based on the concept 
of private addressing, security, load-balancing, etc...  If we want 
people to move to IPv6, taking away their security blankets (their warm 
fuzzy blankies) is not a good way to get them to embrace the change. 
This is not about technology; it is about human psychology.  If, as a 
network person, I want to implement IPv6, I need to get buy-in from a lot 
of other people.

And yes, people want to do NAT66 too; so what, this is really 
irrelevant. They can do NAT66 with ULA-L now. How is allowing them to do 
NAT66 with guaranteed uniqueness and reverse DNS going to make it any 
worse?  In fact it might make it better: PI NAT66ed to ULA-C looks a lot 
like Identifier/Locator split, at least to me; not there yet, and 
hopefully it would only be a step toward that evolution. :)

I'll provide some specific uses I have for ULA-C here at the University 
of Minnesota:

We have a number of MPLS VPNs on our campus network for things such as 
security cameras, door access control and monitoring, building SCADA 
systems, point of sale systems (including vending machines) with PCI 
requirements.  Beyond these internal systems, we have a number of 
special access IPSEC VPNs with a number of business partners over the 
Internet and some using dedicated access circuits.  Our medical school 
has dedicated GigE circuits to a number of hospitals; can you say HIPAA. 
Also, we have a police department that integrates with 911 and all 
sorts of city, county, state, and federal criminal and emergency 
response systems, which have their own system designers with security 
dictates.

I'll tell you, when the Secret Service shows up and says they want this 
done that way, what I have to say doesn't hold much weight.

So, technically we could use PI or even PA for these, but I would need 
to argue with auditors, security consultants, compliance officers, and 
not just our own internal ones but the ones from our business 
partners too.

So, if I can tell them we have guaranteed unique private (not routed) 
addressing, there are many political advantages to this.  How many 
meetings arguing over this issue does it take to make whatever an RIR 
wants to charge for ULA-C start looking cheap?  Not that I'm 
suggesting that it should be expensive, but there is value, especially 
to enterprise network operators; maybe not so much to ISPs, but enterprises 
are your customers.

We could use regular ULA-L, but I would rather have the guaranteed 
uniqueness and reverse DNS that ULA-C could give us.  This gives us 
something way better than RFC 1918 in IPv4, and I believe it will make 
enterprise network operations easier and generally less expensive.

> Cheers,
>
> Steve

If you have arguments against ULA-C, please let them be known; I'm open 
to being convinced that it is a bone-headed idea.  I see some utility in 
ULA-C, and I have no intention of implementing NAT66, or at least I 
never WANT to; only time will tell. I said the same thing about IPv4 NAT 
not that long ago; we just started to do some IPv4 NAT last fall.

I'm capable of using GUA and making my own non-routed prefix, filtering 
the prefix at my border and null routing it in my upstream ISP 
infrastructure to ensure it doesn't leak, etc...  (we run our own DFZ 
ISP, of which our campus and a number of other entities are customers). 
Any ISPs out there that are advocating enterprises use GUA for 
non-routed private addressing: are you willing to do special filtering and 
null routing on a customer-by-customer basis, or would filtering 
FC00::/7 be easier?

-- 
===============================================
David Farmer               Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota	
2218 University Ave SE	    Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
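Added example, not part of David's message or of any ARIN or IETF code: a Python sketch of the RFC 4193 ULA-L prefix generation whose randomness the post contrasts with ULA-C's guaranteed uniqueness, together with the single fc00::/7 border check the message ends on. The MAC address and the flow list are constructed sample values.

```python
import hashlib
import ipaddress
import struct
import time

# RFC 4193 ULA block; the L=1 half (fd00::/8) is the locally generated ULA-L space.
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")

def ntp_timestamp(now):
    """64-bit NTP timestamp: seconds since 1900 (32 bits) + fraction (32 bits)."""
    secs = (int(now) + 2208988800) & 0xFFFFFFFF
    frac = int((now - int(now)) * 2**32) & 0xFFFFFFFF
    return struct.pack(">II", secs, frac)

def eui64_from_mac(mac):
    """48-bit MAC -> modified EUI-64 (RFC 4291): flip the U/L bit, insert ff:fe."""
    b = bytearray(mac)
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])

def generate_ula_prefix(mac, now=None):
    """RFC 4193 section 3.2.2: SHA-1(NTP time || EUI-64), low 40 bits = Global ID."""
    now = time.time() if now is None else now
    digest = hashlib.sha1(ntp_timestamp(now) + eui64_from_mac(mac)).digest()
    global_id = digest[-5:]                       # least significant 40 bits
    prefix = b"\xfd" + global_id + b"\x00" * 10   # fc00::/7 with L=1, then Global ID
    return ipaddress.IPv6Network((prefix, 48))

def is_ula(addr):
    """True when addr falls inside fc00::/7 (ULA-L today, ULA-C if it is ever assigned)."""
    return ipaddress.IPv6Address(addr) in ULA_BLOCK

def border_filter_hits(flows):
    """Flows a single fc00::/7 border ACL would drop: any ULA source or destination."""
    return [f for f in flows if is_ula(f[0]) or is_ula(f[1])]

# Constructed sample: (src, dst) pairs as they might be observed at a border router.
SAMPLE_FLOWS = [
    ("2001:db8:1::10", "2001:db8:2::20"),       # GUA to GUA: should be forwarded
    ("fd3e:1234:5678::1", "2001:db8:2::20"),    # ULA source leaking out: drop
    ("2001:db8:1::10", "fc00:abcd::1"),         # ULA destination: drop
    ("fe80::1", "ff02::1"),                     # link-local multicast: not ULA
]

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")         # constructed MAC, not a real device
    print(generate_ula_prefix(mac), border_filter_hits(SAMPLE_FLOWS))
```

The generated /48 is unique only probabilistically (40 random bits), which is exactly the gap between ULA-L and the registered ULA-C the message argues for; the border check is the same regardless of which one is in use.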
