IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment
-
IPv6 can be NAT'ed.
-
@tinfoilmatt said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
IPv6 can be NAT'ed.
I'm aware. But NAT-ing (apart from NPt) defeats the purpose of Temporary Addresses.
-
I was replying to @JKnott.
-
@bfisher said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
And your LAN devices are generating both Stable and Temporary addresses for the GUA Prefix but only Stable addresses for the ULA Prefix?
The ULA behaves exactly like the GUA. That is one stable address and up to seven temporary addresses.
-
@tinfoilmatt said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
IPv6 can be NAT'ed.
Why???
NAT was developed as a means to stretch out the IPv4 addresses. There is no need for it in IPv6.
-
This thread identifies one possible legitimate use case: ULA-addressed LAN clients requiring Internet access.
-
While I view SLAAC as a potentially useful approach for a completely unmanaged network, such as a Starbucks, in a managed network it is a curse.
-
It's true. While temporary addresses resolve some privacy concerns about SLAAC that have been understood for a while now, the 'fingerprintable' subnet size that can be derived from them is definitely concerning.
The only way to actually manage SLAAC is to manually subnet a SLAAC prefix on the LAN side, which sort of defeats the purpose of SLAAC in the first place. (And even then, managing individual clients that employ temporary addresses is impossible.)
-
@tinfoilmatt said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
This thread identifies one possible legitimate use case: ULA-addressed LAN clients requiring Internet access.
Why not give them global addresses? It's not as though there was a shortage of addresses, as there was on IPv4.
-
@JKnott said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
Why not give them global addresses? It's not as though there was a shortage of addresses, as there was on IPv4.
When using SLAAC, it seems that you either need to accept that your machines will use Temporary (Private) addresses for all outbound connections (effectively making it impossible to target a specific device) or you need to disable Privacy Extensions on each device you want to target, enabling that device to be tracked across the internet. Neither option seems great to me.
I might be able to use Managed instead of SLAAC, but I think that this still enables tracking of a device across the internet (correct me if I'm wrong).
It seems to me that the best of both worlds would be to use SLAAC and Privacy Extensions (Temporary Addresses) for GUA (which will be prioritized for outbound connections destined for the internet) while using Managed for ULA (which will be prioritized for local traffic and enable targeting of specific devices).
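The address preference this last post relies on (GUA toward Internet destinations, ULA toward local ULA destinations) comes from RFC 6724 source address selection. The sketch below is an added example, not part of the thread: it models only rules 6 to 8 of that RFC with its default policy table, assumes /64 prefixes, and every address in it is constructed.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table, reduced to (prefix, label).
POLICY = [(ipaddress.ip_network(p), lbl) for p, lbl in [
    ("::1/128", 0), ("::/0", 1), ("::ffff:0:0/96", 4), ("2002::/16", 2),
    ("2001::/32", 5), ("fc00::/7", 13), ("::/96", 3), ("fec0::/10", 11),
    ("3ffe::/16", 12),
]]

def label(addr):
    """Label of the longest policy-table prefix that contains addr."""
    return max((net.prefixlen, lbl) for net, lbl in POLICY if addr in net)[1]

def common_prefix_len(a, b):
    """Leading bits shared by two addresses, capped at the assumed /64."""
    return min(64, 128 - (int(a) ^ int(b)).bit_length())

def pick_source(dest, candidates):
    """Choose a source address for dest.

    candidates is a list of (address, is_temporary) pairs. Ordering follows
    rule 6 (matching label), rule 7 (prefer temporary), rule 8 (longest
    matching prefix). Rules 1 to 5.5 are not modelled here.
    """
    d = ipaddress.ip_address(dest)

    def rank(candidate):
        a = ipaddress.ip_address(candidate[0])
        return (label(a) == label(d), candidate[1], common_prefix_len(a, d))

    return max(candidates, key=rank)[0]

# Constructed host matching the proposal: SLAAC with temporary addresses on
# the GUA prefix, a single managed (DHCPv6) address on the ULA prefix.
HOST = [
    ("2001:db8:1:10::a1", False),                  # GUA, stable
    ("2001:db8:1:10:5c3e:91ff:2b7a:44d0", True),   # GUA, temporary
    ("fd12:3456:789a:10::a1", False),              # ULA, managed, stable
]
INTERNET_DEST = "2001:db8:ffff::53"     # constructed stand-in for a remote host
LOCAL_DEST = "fd12:3456:789a:20::10"    # constructed host on another ULA subnet

if __name__ == "__main__":
    print("to internet:", pick_source(INTERNET_DEST, HOST))
    print("to local   :", pick_source(LOCAL_DEST, HOST))
```

If the ULA prefix were also handed out by SLAAC with privacy extensions, rule 7 would pick a temporary ULA address for local traffic, which is the behaviour reported earlier in the thread.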