There are several issues in this section, not just the NAT:

> 2.1.2. Use of ULAs
>
> ULAs are intended for scenarios where IP addresses will not have
> global scope so they should not appear in the global BGP routing
> table.

We need to align that with the clarification in draft-bchv-rfc6890bis:

ULAs are intended for scenarios where IP addresses are not globally
reachable, despite formally having global scope. They must not appear
in the routing system outside the administrative domain where they
are considered valid. Therefore, packets with ULA source and/or
destination addresses MUST be filtered at the domain boundary.

> ULAs could be useful for infrastructure hiding as described in
> RFC4864 [RFC4864]. Alternatively Link-Local addresses RFC7404
> [RFC7404] could also be used.

LL addresses don't help if you have multiple LANs. I suggest simply
deleting the second sentence; it will confuse people.

> Although ULAs are supposed to be used
> in conjunction with global addresses for hosts that desire external
> connectivity

Change that to:

ULAs may be used for internal communication, in conjunction with
globally reachable unicast addresses (GUAs) for hosts that also
require external connectivity through a firewall. For this reason,
no form of address translation is required in conjunction with ULAs.

Then I suggest deleting *all* the rest of the section, but add this
at the end:

Using ULAs as described here might simplify the filtering rules
needed at the domain boundary, by allowing a regime in which
only hosts that require external connectivity possess a globally
reachable address. However, this does not remove the need for
careful design of the filtering rules.

Thus the whole section would read (with a little more editing):

2.1.2. Use of Unique Local Addresses

Unique Local Addresses (ULAs) [RFC4193] are intended for scenarios
where IP addresses are not globally reachable, despite formally
having global scope. They must not appear in the routing system
outside the administrative domain where they are considered valid.
Therefore, packets with ULA source and/or destination addresses
MUST be filtered at the domain boundary.

ULAs are assigned within pseudo-random /48 prefixes created as
specified in [RFC4193]. They could be useful for infrastructure
hiding as described in [RFC4864].

ULAs may be used for internal communication, in conjunction with
globally reachable unicast addresses (GUAs) for hosts that also
require external connectivity through a firewall. For this reason,
no form of address translation is required in conjunction with ULAs.

Using ULAs as described here might simplify the filtering rules
needed at the domain boundary, by allowing a regime in which
only hosts that require external connectivity possess a globally
reachable address. However, this does not remove the need for
careful design of the filtering rules.

Brian

_______________________________________________
OPSEC mailing list
https://www.ietf.org/mailman/listinfo/opsec
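An added illustration, not part of Brian's mail or of the draft it reviews: the boundary behaviour the proposed text mandates, modelled with Python's standard ipaddress module. The domain prefixes (fd12:3456:789a::/48 as the ULA, 2001:db8:1::/48 as the GUA), the sample packets and the sample received routes are constructed values.

```python
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional

ULA_BLOCK = IPv6Network("fc00::/7")  # RFC 4193 Unique Local Address block
GUA_BLOCK = IPv6Network("2000::/3")  # global unicast allocation block


def is_ula(addr: str) -> bool:
    """True if the address is a ULA (RFC 4193, fc00::/7)."""
    return IPv6Address(addr) in ULA_BLOCK


def boundary_filter(src: str, dst: str) -> str:
    """Domain-boundary decision for one packet, in either direction.

    Rule from the proposed text: packets with a ULA source and/or
    destination MUST be filtered at the domain boundary.
    """
    return "drop" if is_ula(src) or is_ula(dst) else "forward"


def external_address(host_addrs: List[str]) -> Optional[str]:
    """Address a host can use to cross the boundary, or None.

    Models the regime in the mail: a host reaches outside only via a
    GUA it holds itself; a ULA-only host stays internal, untranslated.
    """
    for a in host_addrs:
        if IPv6Address(a) in GUA_BLOCK:
            return a
    return None


def ula_route_leaks(received_prefixes: List[str]) -> List[str]:
    """Prefixes learned from outside the domain that lie in fc00::/7.

    subnet_of (not overlaps) so a default route ::/0 is not flagged.
    Any hit is a ULA that leaked into the outside routing system.
    """
    return [p for p in received_prefixes
            if IPv6Network(p).subnet_of(ULA_BLOCK)]


if __name__ == "__main__":
    # Constructed sample traffic seen at the boundary router.
    packets = [
        ("fd12:3456:789a:1::10", "2001:db8:ffff::1"),  # ULA-only host out
        ("2001:db8:1:1::10", "2001:db8:ffff::1"),      # GUA host out
        ("2001:db8:ffff::1", "fd12:3456:789a:1::10"),  # inbound to a ULA
        ("fd00::1", "2001:db8:1:1::10"),               # foreign ULA source
    ]
    for src, dst in packets:
        print(f"{src} -> {dst}: {boundary_filter(src, dst)}")
    print(external_address(["fd12:3456:789a:1::10", "2001:db8:1:1::10"]))
    print(ula_route_leaks(["::/0", "2001:db8::/32", "fd12:3456:789a::/48"]))
```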