Im interested in thoughts for a scenario where you want to do small-scale multi-site activities, with site-to-site connectivity.
Here’s a couple of constraints:
-
you’re not going to pay the money to get an assignment, you’ll just have ISP global.
-
your two or more sites will have different ISPs.
-
You’re doing VPN between sites instead of provider managed. The sites might be running some normal enterprise services like active directory, or other internal corporate norms.
-
you might have the need for a backup Internet connection. Load balancing would not be required.
With the fact that the globals could change at a site, would you consider using ULA? Or just stick with global and update DNS in the event of change. I know there’s a preference problem with ipv4 being chosen over ULA, so the ULA thing wouldn’t be very easy unless you went straight v6.
If ULA, would you pattern/convention match the global in each site or create one organization wide ULA and assign it something like /48 per site?
What precautions do you take on gateways to ensure globals aren’t used outside of the tunnel? ULA prevents this, but so does proper configuration I assume.
How would you do this?
I keep asking about ULA because I heard/read enough articles where the author says don’t do it, but they seem to be geared at large enterprise or hosting where they would definitely get dedicated blocks, peering, etc. I’m interested in the little guy.
It should be largely similar in v6 land. Generate yourself a random ULA /40 prefix - the randomness is here to prevent collisions should the network of your organisation merge with another.
Assign your sites a /48 each taken out of this /40 prefix. Try to future proof your addressing plan, remember that each /48 contains 65536 /64s, you can afford to “waste” them.
But also note that the “best practice” is to use ULA for intra/inter-site communications only. Since IPv6 hosts can be assigned multiple addresses, it is possible to assign them a GUA for communications with the wider internet, and a ULA for internal communications.
In reality though… Some machines may use their GUA as the source adddress even though the destination is ULA. Firewalling gets hairy. :(
This is what I worried about. The protocol advocates say this isn’t supposed to be the case, but early reports by organizations said they were seeing internal traffic on the Internet that were intended to be tunneled.
I guess the sites would need some pretty wide deny statements that block the types of traffic you don’t expect to leave.
I wonder if orgs block their own internal GUA at firewall to make sure their traffic gets tunneled? Or maybe they use GUA internally, but they block everything at the FW except the tunnel endpoints? If traffic escapes an ACL for tunnel protection, it gets blocked by default?