With NAT I have a single entry/exit point to those infrastructure subnets which can be easily policed. If I give them public IPs then they're routable and potentially can reach the internet via devices that don't police the traffic.
My real question is does anyone bother with the fc00::/7 addressing or do you use your public space (and police that)? kind regards Pshem On Fri, 9 Sep 2016 at 10:27 Mark Andrews <[email protected]> wrote: > > In message <CAEaZiRU+wgQ0GDzxcmtqKO=_ > [email protected]>, Pshem Kowalczyk writes: > > Hi, > > > > We're looking at rolling out IPv6 to our internal DC infrastructure. > Those > > systems support only our internal network and in the IPv4 world they all > > live in 'private' space of 10.0.0.0/8. I was wondering if anyone uses > the > > fc00::/7 space for these sort of things or do ppl use a bit of their > public > > IPv6 allocation and manage the security for those ranges? > > I realise I'd have to use a proxy or NAT66 for the regular outbound > > connectivity (but we do it already for IPv4 anyway). The truth is that > even > > if we do use something out of our public allocation we're likely to do > the > > same thing (just to be sure that nothing spills out accidentally). > > > > So what do you do in this space? > > > > kind regards > > Pshem > > If you have a NAT you can't prevent things spilling out. The ONLY > way to prevent things spilling out is to not connect the network > in any shape or form. > > All NAT does is make it harder to run your network and increases > the cost of software development. > > Mark > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: [email protected] >
