Thanks for the reply,

but Im still wondering..... why would I want internal devices that are NOT on a DMZ to be internet addressable, by design they will not talk directly to the internet?  I would`nt have to nat anyway as my DMZ devices, such as proxy servers, mail servers etc will have Global IP`s.

With IPv4 RFC1918, some silly person adds a firewall rule by mistake, and allows partial or all traffic on the firewalls(seen this done), my internal network is still safe as no one can route, but if that was IPv6 the world is a hackers oyster.

 Lee.

By "Not talk directly to the internet" ? You mean no outgoing connections to the internet either ? Because yeah sure, if they don't need to access the internet at all, it doesn't matter much.

But if they have outgoing connections, you'll need one of the two solutions above.

 - NAT-PT being stateless, if you screw up your firewall, you'll have the same issue as with global IPs.
 - IPv6 NAT overloading : Does that even exist at all ? I've never looked ...

But as a side note, you shouldn't let silly person manage your firewall :p  Because without a good rule, if your ISP is nasty (or compromised), it could very well send you packet with a RFC1918 destination IP and the stateful firewall is the only thing protecting you there.

Thanks all,

Some food for thought there.  It seems we maybe have to think differently with how we deploy IPv6 forgetting quite of bit of what we have learned over the years with IPv4.  It also stikes me IPv6 is still maturing with a long journey in front of it, and as you mentioned it still seems procol stacks may also need time to develope in the handling of all these different address types.

Still quite a lot to think about. But I guess Sylvain is correct.  We should embrace Global IPs with the different way of thinking, however still think there are alot of people out there still unsure which way to go.

Lee.

On the WAN side, both IPv4 and IPv6 are packet-switched, next-hop routed, best effort delivery designs, so the main differences are fairly small ones: that v6 uses bigger addresses, doesn't fragment at intermediate routers, and uses extension headers instead of options.  On the LAN side, the replacement of ARP by ND and new DHCPv6/RA entwining makes things noticeably different.  But threat models, countermeasures, and operations aren't changed all that much, except for firewall and network monitoring tweaks to cope with all those transition technologies which want to tunnel stuff.

In terms of network design, the hardest thing for me was getting out of the scarcity mindset, and designing my v6 subnets and routing from scratch, without regard to existing v4 subnets, vlan tags, and other such ephemera. In the 1980's class A v4 terms, having the usual v6 /48 (or larger) is like being MIT.  The key takeaways were to design for resilience against expected changes like new sites or increased segmentation, and align on 4 bit nibbles for easy documentation and reverse DNS.  The standard advice to start numbering subnets in the middle and work outwards in both directions is also good.  It turned out that after 3 iterations of v6 design got me to something I actually liked - routing /52's, firewall boundaries on /60's, everything /64 at the vlans - that it fed back into my v4 design, where I was able to make some corresponding improvements which significantly simplified my v4 NAT and IPsec issues.

I'm with Sylvain - get on natively routed, globally scoped v6 addresses as soon as possible, and don't look back.  Facebook is going to be nearly 100% v6 internally by the end of the year, because it's so much easier for them to manage it in large scale deployments than legacy v4.  The rest of us should take note!

-- Jim Leinweber, WI State Lab of Hygiene

Hi jeleinweber, 

Everywhere I read that using ULA in enterprise along with NAT66 is not recommended. I accept that. But what is the solution for multihoming without ULA or Provide Independent address ? 

Unfortunately v6 has no magic bullet to solve the multihoming challenge, and with the desire to avoid NAT66 it may be even worse than in v4.  You have 4 or 5 main options, all with different disadvantages.

* find an ISP that offers you redundant paths for its PA prefixes.   This may not offer the level of uplink redundancy and traffic engineering you desire, but it is simple.

* Be big enough and complicated enough to get and run PI prefixes.  This isn't much help to small organizations that need high availability and don't have BGP expertise.

* Let clients have two global addresses per interface, one from each ISP.  This makes the traffic engineering way more challenging, since it distributes it to all of the clients.  Plus it may require tuning the prefix policy tables on those clients to stabilize your internal communication on a single preferred prefix.  But it uses only standard technologies and only global addresses.

* Grit your teeth and use a native global prefix with ISP A, but use Cisco experimental prefix subtitution to rewrite to global prefix B with ISP B.  This limits the traffic engineering issue to your border, but brings back all the protocol breakage and asymmetric path hassles you'd find with any NAT66-style solution, plus it mortgages your future to a technology which isn't standardized.

* Use a single global prefix with ISP A, and use an overlay routing protocol such as the experimental LISP to have ISP B provide a backup route.  In effect, you are converting PA space into PI space.  This could be pretty good solution, but only if your gear and ISP B both support it and you are willing live with nonstandardized stuff in your critical paths.

Two of the biggest IPv6 challenges are the lack of interoperability with the legacy v4 internet in a era of v4 address exhaustion, and multihoming.  These are not perfectly solved.

-- Jim Leinweber, WI State Lab of Hygiene