Im interested in thoughts for a scenario where you want to do small-scale multi-site activities, with site-to-site connectivity.

Here’s a couple of constraints:

  • you’re not going to pay the money to get an assignment, you’ll just have ISP global.

  • your two or more sites will have different ISPs.

  • You’re doing VPN between sites instead of provider managed. The sites might be running some normal enterprise services like active directory, or other internal corporate norms.

  • you might have the need for a backup Internet connection. Load balancing would not be required.

With the fact that the globals could change at a site, would you consider using ULA? Or just stick with global and update DNS in the event of change. I know there’s a preference problem with ipv4 being chosen over ULA, so the ULA thing wouldn’t be very easy unless you went straight v6.

If ULA, would you pattern/convention match the global in each site or create one organization wide ULA and assign it something like /48 per site?

What precautions do you take on gateways to ensure globals aren’t used outside of the tunnel? ULA prevents this, but so does proper configuration I assume.

How would you do this?

I keep asking about ULA because I heard/read enough articles where the author says don’t do it, but they seem to be geared at large enterprise or hosting where they would definitely get dedicated blocks, peering, etc. I’m interested in the little guy.

  • orangeboats@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    11 months ago

    This reminds me of this article about ULA. The TL;DR I got from it was: yeah, use ULA if you are a multi-sited organization, but you can’t afford PI space.

    Quote:

    In the meantime, we’ll have to use kludges like NAT66 and ULAs in mid-market IPv6 implementations, not because we love them, but because they’re the best tools we have at our disposal.

    ULA is problematic with dual-stacked networks just as you have mentioned, although there are drafts trying to fix it. For now, you may have to consider running a NAT64 gateway in your network and go IPv6-only.

    • RedFox@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      11 months ago

      Do you have thoughts or experience with ULA planning for sites?

      In v4 land, I took a private /18 in private space and assigned it to each of four sites as /20s.

      Looking for any reason I couldn’t do the same.

      • orangeboats@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        It should be largely similar in v6 land. Generate yourself a random ULA /40 prefix - the randomness is here to prevent collisions should the network of your organisation merge with another.

        Assign your sites a /48 each taken out of this /40 prefix. Try to future proof your addressing plan, remember that each /48 contains 65536 /64s, you can afford to “waste” them.

        But also note that the “best practice” is to use ULA for intra/inter-site communications only. Since IPv6 hosts can be assigned multiple addresses, it is possible to assign them a GUA for communications with the wider internet, and a ULA for internal communications.

        In reality though… Some machines may use their GUA as the source adddress even though the destination is ULA. Firewalling gets hairy. :(

        • RedFox@infosec.pubOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 months ago

          Firewalling gets hairy. :(

          This is what I worried about. The protocol advocates say this isn’t supposed to be the case, but early reports by organizations said they were seeing internal traffic on the Internet that were intended to be tunneled.

          I guess the sites would need some pretty wide deny statements that block the types of traffic you don’t expect to leave.

          I wonder if orgs block their own internal GUA at firewall to make sure their traffic gets tunneled? Or maybe they use GUA internally, but they block everything at the FW except the tunnel endpoints? If traffic escapes an ACL for tunnel protection, it gets blocked by default?