You can also easily police a subnet.

On Sep 8, 2016 6:11 PM, "Pshem Kowalczyk" <[email protected]> wrote:
> With NAT I have a single entry/exit point to those infrastructure subnets
> which can be easily policed.
> If I give them public IPs then they're routable and potentially can reach
> the internet via devices that don't police the traffic.
>
> My real question is does anyone bother with the fc00::/7 addressing or do
> you use your public space (and police that)?
>
> kind regards
> Pshem
>
>
> On Fri, 9 Sep 2016 at 10:27 Mark Andrews <[email protected]> wrote:
>
> >
> > In message <CAEaZiRU+wgQ0GDzxcmtqKO=_
> > [email protected]>, Pshem Kowalczyk writes:
> > > Hi,
> > >
> > > We're looking at rolling out IPv6 to our internal DC infrastructure. Those
> > > systems support only our internal network and in the IPv4 world they all
> > > live in 'private' space of 10.0.0.0/8. I was wondering if anyone uses the
> > > fc00::/7 space for these sort of things or do ppl use a bit of their public
> > > IPv6 allocation and manage the security for those ranges?
> > > I realise I'd have to use a proxy or NAT66 for the regular outbound
> > > connectivity (but we do it already for IPv4 anyway). The truth is that even
> > > if we do use something out of our public allocation we're likely to do the
> > > same thing (just to be sure that nothing spills out accidentally).
> > >
> > > So what do you do in this space?
> > >
> > > kind regards
> > > Pshem
> >
> > If you have a NAT you can't prevent things spilling out. The ONLY
> > way to prevent things spilling out is to not connect the network
> > in any shape or form.
> >
> > All NAT does is make it harder to run your network and increases
> > the cost of software development.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: [email protected]

