This would be a huge improvement on the existing text—thanks for writing it!
> On Apr 19, 2017, at 12:02 AM, Brian E Carpenter <[email protected]> wrote:
>
> There are several issues in this section, not just the NAT:
>
>> 2.1.2. Use of ULAs
>>
>> ULAs are intended for scenarios where IP addresses will not have
>> global scope so they should not appear in the global BGP routing
>> table.
>
> We need to align that with the clarification in draft-bchv-rfc6890bis:
>
> ULAs are intended for scenarios where IP addresses are not globally
> reachable, despite formally having global scope. They must not appear
> in the routing system outside the administrative domain where they
> are considered valid. Therefore, packets with ULA source and/or
> destination addresses MUST be filtered at the domain boundary.
>
>> ULAs could be useful for infrastructure hiding as described in
>> RFC4864 [RFC4864]. Alternatively Link-Local addresses RFC7404
>> [RFC7404] could also be used.
>
> LL addresses don't help if you have multiple LANs. I suggest simply
> deleting the second sentence; it will confuse people.
>
>> Although ULAs are supposed to be used
>> in conjunction with global addresses for hosts that desire external
>> connectivity
>
> Change that to
>
> ULAs may be used for internal communication, in conjunction with
> globally reachable unicast addresses (GUAs) for hosts that also
> require external connectivity through a firewall. For this reason,
> no form of address translation is required in conjunction with ULAs.
>
> Then I suggest deleting *all* the rest of the section, but add this
> at the end:
>
> Using ULAs as described here might simplify the filtering rules
> needed at the domain boundary, by allowing a regime in which
> only hosts that require external connectivity possess a globally
> reachable address. However, this does not remove the need for
> careful design of the filtering rules.
>
> Thus the whole section would read (with a little more editing):
>
> 2.1.2. Use of Unique Local Addresses
>
> Unique Local Addresses (ULAs) [RFC4193] are intended for scenarios
> where IP addresses are not globally reachable, despite formally
> having global scope. They must not appear in the routing system
> outside the administrative domain where they are considered valid.
> Therefore, packets with ULA source and/or destination addresses
> MUST be filtered at the domain boundary.
>
> ULAs are assigned within pseudo-random /48 prefixes created as
> specified in [RFC4193]. They could be useful for infrastructure
> hiding as described in [RFC4864].
>
> ULAs may be used for internal communication, in conjunction with
> globally reachable unicast addresses (GUAs) for hosts that also
> require external connectivity through a firewall. For this reason,
> no form of address translation is required in conjunction with ULAs.
>
> Using ULAs as described here might simplify the filtering rules
> needed at the domain boundary, by allowing a regime in which
> only hosts that require external connectivity possess a globally
> reachable address. However, this does not remove the need for
> careful design of the filtering rules.
>
> Brian
>
> _______________________________________________
> v6ops mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/v6ops

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
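The proposed section text makes three operational points: ULA /48 prefixes are generated pseudo-randomly as RFC 4193 specifies, packets with a ULA source or destination MUST be dropped at the administrative-domain boundary, and only hosts that need external connectivity hold a GUA next to their ULA. The script below is an added illustration of those three points, not text or code from the thread, from the draft being discussed, or from RFC 4193 itself. It implements the RFC 4193 section 3.2.2 derivation (SHA-1 over a 64-bit NTP timestamp concatenated with an EUI-64, low 40 bits as the Global ID), a boundary filter verdict, and a check of an addressing plan against the "ULA for everyone, GUA only where needed" regime. The host names, EUI-64 value, fixed timestamp and addresses (in the 2001:db8::/32 documentation range and a made-up fd12:... ULA) are constructed sample data; the function names are the author's own choices.

```python
"""Added example (not from the v6ops/opsec thread): RFC 4193 ULA prefix
derivation, a domain-boundary ULA filter, and an addressing-plan check.
All host names, EUI-64 values, timestamps and addresses below are constructed."""
import hashlib
import ipaddress
import struct
import time
from typing import Dict, List, Optional

# fc00::/7 is the whole ULA block; RFC 4193 only defines the L=1 half (fd00::/8).
ULA_RANGE = ipaddress.IPv6Network("fc00::/7")
GUA_RANGE = ipaddress.IPv6Network("2000::/3")
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and the Unix epoch


def rfc4193_prefix(eui64: bytes, ntp_time: Optional[int] = None) -> ipaddress.IPv6Network:
    """Derive a pseudo-random ULA /48 following RFC 4193 section 3.2.2.

    key       = 64-bit NTP timestamp || EUI-64
    Global ID = least significant 40 bits of SHA-1(key)
    prefix    = 0xfd (fc00::/7 with L=1) || Global ID, i.e. a /48
    """
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    if ntp_time is None:
        # 64-bit NTP format: 32-bit seconds since 1900 || 32-bit fraction
        ntp_time = int((time.time() + NTP_EPOCH_OFFSET) * 2**32) & 0xFFFFFFFFFFFFFFFF
    key = struct.pack(">Q", ntp_time) + eui64
    global_id = hashlib.sha1(key).digest()[-5:]            # low 40 bits of the digest
    prefix_bytes = bytes([0xFD]) + global_id + bytes(10)   # fd || Global ID || zeros
    return ipaddress.IPv6Network((int.from_bytes(prefix_bytes, "big"), 48))


def is_ula(addr: str) -> bool:
    """True for any address inside fc00::/7."""
    return ipaddress.IPv6Address(addr) in ULA_RANGE


def boundary_verdict(src: str, dst: str) -> str:
    """Domain-boundary rule from the proposed text: a ULA as source *or*
    destination must not cross the boundary, so the packet is dropped."""
    return "drop" if is_ula(src) or is_ula(dst) else "forward"


def check_addressing_plan(hosts: Dict[str, dict]) -> List[str]:
    """Report hosts that violate the regime in the proposed text: every host
    has a ULA for internal traffic, and only hosts flagged as needing
    external connectivity also hold a GUA."""
    problems = []
    for name, info in hosts.items():
        addrs = [ipaddress.IPv6Address(a) for a in info["addresses"]]
        has_ula = any(a in ULA_RANGE for a in addrs)
        has_gua = any(a in GUA_RANGE for a in addrs)
        if not has_ula:
            problems.append(f"{name}: no ULA for internal communication")
        if info["external"] and not has_gua:
            problems.append(f"{name}: needs external connectivity but has no GUA")
        if not info["external"] and has_gua:
            problems.append(f"{name}: internal-only host holds a GUA")
    return problems


# --- constructed sample data -------------------------------------------------
SAMPLE_EUI64 = bytes.fromhex("0211223344556677")          # made-up EUI-64
FIXED_NTP_TIME = 0xDF3B8F2A00000000                        # fixed for reproducibility
SITE_PREFIX = rfc4193_prefix(SAMPLE_EUI64, ntp_time=FIXED_NTP_TIME)

SAMPLE_HOSTS = {
    "db-internal":  {"addresses": ["fd12:3456:789a:1::10"], "external": False},
    "web-frontend": {"addresses": ["fd12:3456:789a:1::20", "2001:db8:1::20"], "external": True},
    "print-server": {"addresses": ["2001:db8:1::30"], "external": False},
}

SAMPLE_PACKETS = [
    ("fd12:3456:789a:1::20", "2001:db8:2::1"),   # ULA source about to leak out
    ("2001:db8:1::20", "2001:db8:2::1"),         # GUA to GUA, allowed
    ("2001:db8:2::1", "fd12:3456:789a:1::10"),   # outside traffic aimed at a ULA
]


def main() -> None:
    print("site ULA prefix:", SITE_PREFIX)
    for src, dst in SAMPLE_PACKETS:
        print(f"{src} -> {dst}: {boundary_verdict(src, dst)}")
    for problem in check_addressing_plan(SAMPLE_HOSTS):
        print("plan violation:", problem)


if __name__ == "__main__":
    main()
```

In real deployments the time and EUI-64 inputs come from the generating system, so two sites almost never derive the same /48; the fixed timestamp here only keeps the example reproducible. The boundary filter is deliberately symmetric: the proposed text requires dropping ULA sources leaving the domain and ULA destinations arriving from outside, and the plan check flags the third sample host on both counts (it has no ULA and, as an internal-only host, holds a GUA it does not need).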
