Re: [GLOBAL-V6] IPV4 to IPv6 migration

  • To: sapumal jayatissa <sjayatissa at hotmail dot com>
  • Subject: Re: [GLOBAL-V6] IPV4 to IPv6 migration
  • From: Brian E Carpenter <brian.e.carpenter at gmail dot com>
  • Date: Mon, 02 Jun 2008 16:36:30 +1200
  • Cc: global-v6 at lists dot apnic dot net
  • Delivered-to: global-v6 at mailman dot apnic dot net
  • In-reply-to: <48425F9B.3070109 at spaghetti.zurich dot ibm dot com>
  • List-archive: <http://mailman.apnic.net/mailing-lists/global-v6>
  • List-id: Discussion of new global IPv6 policy development <global-v6.lists.apnic.net>
  • Organization: University of Auckland
  • References: <BLU108-W601D416B01C71DC5B6A67ED3B80@phx.gbl> <48425F9B.3070109@spaghetti.zurich.ibm.com>
  • User-agent: Thunderbird 2.0.0.6 (Windows/20070728)
    • > sapumal jayatissa wrote:
      >> Hi,
      >> In migration to IPv6 in large scale organization, can we use private
      >> IPv6 addresses ?
      > 
      > You could, but it is most likely much better to avoid any use of
      > 'private' (I do hope you mean ULA here) addresses.
      
      I respectfully disagree. I think it's entirely reasonable to use
      a ULA prefix for devices such as printers that have no legitimate
      reason to contact the outside world. (This may even have the
      side benefit of preventing such devices being able to 'call home'
      to their manufacturer without their owner's knowledge.) And since it's
      a normal state for hosts to have more than one IPv6 address, there's
      actually no technical reason why every device shouldn't have a fixed
      address under the ULA prefix, e.g. for network management purposes,
      as well as a dynamically assigned address under an ISP prefix if it
      needs external access.
      
      > 
      >> Or do we need to use Global addresses for all the nodes which may
      >> never access Internet ?
      > 
      > Using Global Addresses is generally the smarter thing to do:
      > 
      >  a) one will have plenty of addresses anyway
      >  b) one day, a device will have to talk to the public Internet
      > 
      > Especially because of b) and because of things like Path MTU, you will
      > require a public address in most places.
      
      But many corporate networks prefer to control external access; choosing
      to do this by *not* assigning an external address as the default seems
      like a perfectly reasonable practice to me.
      > 
      >> Can we use proxy servers with IPv6 ?
      > 
      > If you want, of course. But, it does break the end-end idea and when you
      > are proxying you can also stick to IPv4 and just upgrade the proxy to do
      > IPv6.
      
      If your urgent goal is to offer IPv6 service to external customers,
      a proxy may be the quick fix - however, it's obvious that the goal
      should be full deployment of v6.
      > 
      >> If we NAT, then we have to NAT in between global routable to global
      >> routable,
      >> only to hide the real IP address, Is this o.k ?
      > 
      > You *NEVER EVER EVER EVER* NAT in IPv6.
      
      to say it quietly, there's never any reason to use nat in v6.
      the only valid reason in v4 is shortage of addresses, and that
      doesn't apply. for the invalid reasons people use nat, see the
      rfc that jeroen mentions.
      
         Brian
      
      > 
      > Please read RFC4864 ("Local Network Protection for IPv6") for a lot more
      > information about this and how to solve the problems you might have.
      > 
      > If you even are going to remotely think of using NAT, just stick with
      > IPv4 as that works fine for you and you don't have to upgrade anything.
      > 
      > If you really want to 'hide' real IP addresses there is one solution
      > that you should be using: don't connect to the Internet, but allow
      > people only to use a proxy to use services on the Internet. You are
      > then of course not talking about Internet connectivity anymore.
      > 
      > Do note that due to the use of RFC3041 ("Privacy Extensions for Stateless
      > Address Autoconfiguration in IPv6") addresses will change rapidly
      > anyway, thus it will be quite difficult for hosts outside to determine
      > how many people/addresses/hosts are inside. Unfortunately for you though
      > the concept of 'cookies' will break this where webservers will have a
      > lot of other means of tracking people & hosts.
      > 
      > Greets,
      >  Jeroen
      > 
      > 
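Added example, not part of the original message or of anyone's code on the list: a sketch of the addressing plan discussed above, deriving a site ULA /48 with the RFC 4193 pseudo-random Global ID method and auditing a host inventory against it. The timestamp, EUI-64, host names, roles and the two audit rules are assumptions made for illustration; 2001:db8::/32 (the documentation prefix) stands in for an ISP prefix.

```python
import hashlib
import ipaddress

ULA_BLOCK = ipaddress.ip_network("fc00::/7")  # all unique local addresses

def ula_prefix(ntp_time64: int, eui64: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 sec. 3.2.2: SHA-1 over time || EUI-64, low 40 bits = Global ID."""
    digest = hashlib.sha1(ntp_time64.to_bytes(8, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")
    # fd00::/8 is fc00::/7 with the L bit set (prefix assigned locally).
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))

def audit(inventory, site, internal_only_roles):
    """Return (host, finding) pairs for hosts that break the addressing plan."""
    findings = []
    for host, role, addrs in inventory:
        parsed = [ipaddress.ip_address(a) for a in addrs]
        # Anything outside the ULA block and not link-local is externally routable.
        external = [a for a in parsed
                    if a not in ULA_BLOCK and not a.is_link_local]
        if role in internal_only_roles and external:
            findings.append((host, f"internal-only device holds {external[0]}"))
        if not any(a in site for a in parsed):
            findings.append((host, "no fixed ULA management address"))
    return findings

# Constructed inputs: an arbitrary 64-bit timestamp and a made-up EUI-64.
SITE = ula_prefix(0xCB1D5B9E80000000, bytes.fromhex("021122fffe334455"))
MGMT = next(SITE.subnets(new_prefix=64))  # first /64 of the site's /48

# Constructed inventory (hypothetical hosts and roles).
INVENTORY = [
    ("printer-1", "printer", [str(MGMT[0x10])]),
    ("printer-2", "printer", [str(MGMT[0x11]), "2001:db8:a:1::11"]),
    ("laptop-7", "workstation", ["2001:db8:a:2::77"]),
    ("laptop-8", "workstation", [str(MGMT[0x20]), "2001:db8:a:2::78"]),
]
ROLES = {"printer"}  # roles assumed to need no external access

if __name__ == "__main__":
    print("site ULA prefix:", SITE)
    for host, finding in audit(INVENTORY, SITE, ROLES):
        print(f"{host}: {finding}")
```

A printer that holds only a ULA address passes; one that has also picked up an address under the ISP prefix is flagged, as is a workstation with no fixed ULA address for management.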