[arin-ppml] GUA vs ULA vs ?
farmer at umn.edu
Tue Mar 30 20:36:06 EDT 2010
Thomas Narten wrote:
> I'd like to understand what has changed and whether that warrants
> reopening the discussion based on new or different thinking. What I
> fear, however, is a repeat of the same long, passionate and
> inconclusive discussion that has been had several times before.
What has changed? Well, people are starting to take seriously
implementing IPv6, including some end-users. See ARIN's own statistics.
Furthermore, we have a PI policy, such that ULA-C shouldn't end up being
an end around to get PI. At least, if the RIRs have control of the
policy for assignment of ULA-C, with an expectation that they would be
similar if not identical to the PI policies. Which I'm starting to hear
some consensus for, at least on PPML; we might not be there yet, but I
think we are getting close.
Are these enough to make the difference this time? I don't know.
There are a number of legitimate uses for ULA-C, for which providing
guaranteed uniqueness and reverse DNS provides an operational advantage
over ULA-R (A.K.A. ULA-L).
VPNs - whatever the technology: IPsec, MPLS, L2TP, etc...
Private Networks - things you don't ever want talking to the Internet
Compliance - pointy-haired boss repellent!
Right or wrong, a lot of enterprise architecture is based on the concept
of private addressing, security, load-balancing, etc... If we want
people to move to IPv6, taking away their security blankets (their warm
fuzzy blankies) is not a good way to get them to embrace the change.
This is not about technology; it is about human psychology. If, as a
network person, I want to implement IPv6, I need to get buy-in from a lot
of other people.
And yes, people want to do NAT66 too. So what? This is really
irrelevant. They can do NAT66 with ULA-L now. How is allowing them to do
NAT66 with guaranteed uniqueness and reverse DNS going to make it any
worse? In fact it might make it better: PI NAT66ed to ULA-C looks a lot
like an Identifier/Locator split, at least to me; not there yet, and
hopefully it would only be a step toward that evolution. :)
I'll provide some specific uses I have for ULA-C here at the University.
We have a number of MPLS VPNs on our campus network for things such as
security cameras, door access control and monitoring, building SCADA
systems, and point of sale systems (including vending machines) with PCI
requirements. Beyond these internal systems, we have a number of
special access IPsec VPNs with a number of business partners over the
Internet and some using dedicated access circuits. Our medical school
has dedicated GigE circuits to a number of hospitals; can you say HIPAA.
Also, we have a police department that integrates with 911 and all
sorts of city, county, state, and federal criminal and emergency
response systems, that have their own system designers with security
I'll tell you, when the Secret Service shows up and says they want this
done that way, what I have to say doesn't hold much weight.
So, technically we could use PI or even PA for these, but I would need
to argue with auditors, security consultants, compliance officers, and
not just our own internal ones but with the ones from our business
So, if I can tell them we have guaranteed unique private (not routed)
addressing, there are many political advantages to this. How many
meetings arguing over this issue does it take to make whatever an RIR
wants to charge for ULA-C start looking cheap? Not that I'm
suggesting that it should be expensive, but there is value, especially
to enterprise network operators, maybe not so much to ISPs, but enterprises
are your customers.
We could use regular ULA-L, but I would rather have the guaranteed
uniqueness and reverse DNS that ULA-C could give us. This gives us
something way better than RFC 1918 in IPv4, and I believe it will make
enterprise network operations easier and generally less expensive.
If you have arguments against ULA-C, please let them be known; I'm open
to being convinced that it is a bone-headed idea. I see some utility in
ULA-C, and I have no intention of implementing NAT66, or at least I
never WANT to; only time will tell. I said the same thing about IPv4 NAT
not that long ago, and we just started to do some IPv4 NAT last fall.
I'm capable of using GUA and making my own non-routed prefix, filtering
the prefix at my border and null routing it in my upstream ISP
infrastructure to ensure it doesn't leak, etc... (we run our own DFZ
ISP, of which our campus and a number of other entities are customers).
Any ISPs out there that are advocating enterprises use GUA for
non-routed private addressing: are you willing to do special filtering and
null routing on a customer-by-customer basis, or would filtering
FC00::/7 be easier?
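As an added example (not from the post or the list), here is the border decision behind that last question in Python: one rule covers all ULA space, while a non-routed GUA block needs a per-customer entry, and a ULA-L prefix derived the RFC 4193 way is only statistically unique, which is the gap ULA-C is meant to close. The sample prefixes, the customer list, and the MAC/timestamp are constructed for illustration.

```python
import hashlib
import ipaddress

# Address classes discussed in the post (constants from RFC 4193 / RFC 4291).
ULA = ipaddress.ip_network("fc00::/7")    # all Unique Local Addresses
ULA_L = ipaddress.ip_network("fd00::/8")  # L=1: locally assigned (ULA-L / ULA-R)
GUA = ipaddress.ip_network("2000::/3")    # Global Unicast


def classify(prefix):
    """Label a prefix as GUA, ULA-L, ULA (L=0, the half reserved for central
    assignment in RFC 4193, i.e. the proposed ULA-C space) or other."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.subnet_of(ULA_L):
        return "ULA-L"
    if net.subnet_of(ULA):
        return "ULA (L=0)"
    if net.subnet_of(GUA):
        return "GUA"
    return "other"


def border_allows(prefix, customer_private):
    """Export decision at a border router: a single rule holds back all ULA
    space, whereas non-routed GUA needs a per-customer list of prefixes."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.subnet_of(ULA):
        return False
    return not any(net.subnet_of(ipaddress.ip_network(p)) for p in customer_private)


def rfc4193_ula_prefix(mac, ntp_time):
    """Derive a ULA-L /48 as RFC 4193 section 3.2.2 describes: SHA-1 over a
    64-bit NTP timestamp and an EUI-64, keeping the low 40 bits as Global ID.
    EUI-64 is formed here by inserting FF:FE into the MAC (RFC 4291 App. A;
    the u/l bit is left untouched, an assumption of this example)."""
    octets = bytes.fromhex(mac.replace(":", ""))
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    global_id = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()[-5:]
    # fd00::/8 (L=1) || 40-bit Global ID || zero subnet and interface bits
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


# Constructed sample: four routes and one customer's declared non-routed GUA block.
SAMPLE_ROUTES = ["2001:db8:10::/48", "2001:db8:ffff::/48", "fd6e:1234:abcd::/48", "fc00:1::/48"]
SAMPLE_PRIVATE_GUA = ["2001:db8:ffff::/48"]   # constructed, not a real allocation

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(f"{r:22} {classify(r):10} export={border_allows(r, SAMPLE_PRIVATE_GUA)}")
    print(rfc4193_ula_prefix("00:11:22:33:44:55", 0xE3B13D8700000000))  # constructed inputs
```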
David Farmer                               Email: farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE                     Phone: 612-626-0815
Minneapolis, MN 55414-3029                 Cell: 612-812-9952