top | item 44771795

mshroyer | 7 months ago

You can additionally set up ULA: https://en.wikipedia.org/wiki/Unique_local_address

The way I do this, my internal DNS resolves hosts to their fixed ULA addresses. For the handful that are accessible externally, public DNS resolves to their address on the current public prefix.

throw0101d|7 months ago

Note that currently, with ULA, if you have dual-stack, IPv4 will be given priority over ULA. There is a late-stage—Submitted to IESG for Publication—draft that will change this:

* https://datatracker.ietf.org/doc/html/draft-ietf-6man-rfc672...

clysm|7 months ago

More than just IPv4 priorities, almost all other IPv6 addresses are given higher priority which makes routing between ULAs on an internal network problematic.

That draft doc seems to fix multiple problems at once.
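Added illustration (my own code, not from any commenter or from the draft): the RFC 6724 section 2.1 default policy table with the longest-matching-prefix lookup it prescribes, and rule 6 of destination address selection ("prefer higher precedence") applied to a mixed list of candidate destinations. It shows concretely why a ULA destination sorts below both a GUA and an IPv4 destination today. The full algorithm has further rules (reachability, scope, label match against the chosen source, and so on) that are omitted here, and `RAISED_ULA_TABLE` is an illustrative variant that only shows the effect of lifting ULA precedence above IPv4-mapped addresses; the numbers it uses are not the values the draft assigns.

```python
from ipaddress import ip_address, ip_network, IPv4Address, IPv6Address

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [
    (ip_network("::1/128"), 50, 0),          # loopback
    (ip_network("::/0"), 40, 1),             # everything else (GUA)
    (ip_network("::ffff:0:0/96"), 35, 4),    # IPv4-mapped (i.e. IPv4)
    (ip_network("2002::/16"), 30, 2),        # 6to4
    (ip_network("2001::/32"), 5, 5),         # Teredo
    (ip_network("fc00::/7"), 3, 13),         # ULA
    (ip_network("::/96"), 1, 3),             # IPv4-compatible (deprecated)
    (ip_network("fec0::/10"), 1, 11),        # site-local (deprecated)
    (ip_network("3ffe::/16"), 1, 12),        # 6bone (returned)
]

# Illustrative variant (constructed, NOT the draft's numbers): ULA above IPv4-mapped.
RAISED_ULA_TABLE = [
    (net, 45 if net == ip_network("fc00::/7") else prec, label)
    for net, prec, label in POLICY_TABLE
]


def to_v6(addr):
    """RFC 6724 treats IPv4 addresses as IPv4-mapped IPv6 for table lookups."""
    a = ip_address(addr)
    if isinstance(a, IPv4Address):
        return IPv6Address("::ffff:" + str(a))
    return a


def lookup_policy(addr, table=POLICY_TABLE):
    """Return (precedence, label) for the longest matching prefix in the table."""
    a = to_v6(addr)
    best = None
    for net, prec, label in table:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    return best[1], best[2]


def order_destinations(dests, table=POLICY_TABLE):
    """Rule 6 only: sort candidate destinations by precedence, highest first.

    Python's sort is stable, so candidates with equal precedence keep the order
    the resolver returned them in.
    """
    return sorted(dests, key=lambda d: -lookup_policy(d, table)[0])


if __name__ == "__main__":
    # Constructed candidate set: a GUA, a ULA and an IPv4 address for one hostname.
    candidates = ["fd12:3456::10", "2001:db8::10", "192.0.2.10"]
    for d in candidates:
        print(d, "precedence/label =", lookup_policy(d))
    print("default table order:   ", order_destinations(candidates))
    print("raised-ULA table order:", order_destinations(candidates, RAISED_ULA_TABLE))
```

With the default table the ULA lands last, behind IPv4, which is exactly the dual-stack behaviour described above; with ULA precedence raised above the IPv4-mapped entry it moves ahead of IPv4 while the GUA still wins, so hosts with only ULA plus IPv4 would prefer the internal IPv6 path.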

CaliforniaKarl|7 months ago

Ah, thanks for posting that, I was wondering how things were going there.

herczegzsolt|7 months ago

I did try that, but it ended in an infinite fight with the source address selection algorithm and DNS caches. Also, unique-local addresses are deprecated as far as I know.

simoncion|7 months ago

> ...it ended in an infinite fight with the source address selection algorithm and DNS caches...

What did this fight look like? For the past fifteen, twenty years, I have NATted IPv4, globally-routable IPv6, and ULA IPv6 addresses on all of my machines attached to the internet-accessible VLANs on my LAN. The only trouble I've noticed was when ISP maintenance caused me to lose the globally-routable prefix for a little while and my franken-router started passing ULA traffic out the WAN interface. [0]

I'd love to hear what you've been seeing, so I can see if there's trouble that I've been overlooking.

> ...unique-local addresses are deprecated as far as I know.

ULAs are not deprecated. You may be thinking of site-local addresses. See the first paragraph of section 1 here: [1]

[0] The obvious firewall rule fixed that.

[1] <https://www.ietf.org/archive/id/draft-ietf-v6ops-ula-usage-c...>

dogcow|7 months ago

Doesn't using ULAs kind of defeat the purpose (or one of the main intents) of IPv6, which is every device having a globally routable IP address? It kind of puts us right back in the IPv4 with NAT situation, only with longer, uglier addresses.

I personally think it is absurd that the ISPs that do actually support IPv6 are being so difficult and stingy about assigning static v6 prefixes.

RiverCrochet|7 months ago

IPv4/NAT is not the only "to get to system X you must pass through system Y" scenario.

Example: You have a bastion host that is Internet-accessible, and it has one or more servers behind it you only want accessible "through" the bastion host. The bastion host might be running nginx and reverse proxying multiple servers behind it, and this host is doing caching in addition to WAF and some other stuff.

So this bastion host would have at least 2 NICs, one for the Internet-facing connection and one or more where servers exist on a non-public LAN. The small network(s) connecting these servers to the bastion host can use a ULA and thus be guaranteed to not be globally routable.

Link-locals are suboptimal because, being link-local, they only have to be unique per link. This means some commands insist you specify the interface name with the LLA, e.g. fe80::aaaa%eth1.