Build the Next-Generation Data Center
6 week online course starting in spring 2017

PA, PI or ULA IPv6 Address Space? It depends

Having “do we need ULAblogologs with Ed Horley is great … and the best part of them is that we’re both right (aka: It Depends). OK, let’s try to quantify that last part.

Service providers have their own IPv6 address space. Using ULA is counterproductive.

Residential customers don’t need Provider Independent (PI) space or Unique Local Addresses (ULA). Getting something between /64 and /48 delegated to their CPE router via DHCPv6 is more than good enough.

Large enterprises should get their own PI IPv6 address space. If they implement Internet access through a central site or through proxy servers (per-site proxy or a central proxy), they could easily use their PI space throughout the network.

The challenges start when an organization with PI space wants to implement local (per-site) Internet connectivity – they have to ensure that the ISP providing connectivity to a remote site advertises the site’s PI prefix to the Internet.

As always, there are numerous ways of achieving that goal:

  • Use BGP to advertise the PI prefix to the ISP. Works all the time, but tends to get expensive (not many ISPs offer BGP connectivity on low-cost DSL connections);
  • Persuade the ISP to configure static routing toward the PI prefix. Some ISPs offer a standard product that does that, trying to persuade an ISP without such a product to configure static routing might turn into a nightmare;
  • Get a Provider Assigned (PA) prefix (static or dynamic) from the ISP and do NPT66 for the Internet traffic;
  • Use a proxy server with PI inside address and PA outside address to access the Internet (functionally identical to NAT66, but on a transport or application layer);
  • Get a PA prefix from the ISP, configure IPv6 source address selection on all hosts on the remote site, and pray that it works for every possible operating system. Good luck with that.
  • Use ULA (ULA-versus-GUA source IPv6 address selection policy usually works).

Smaller companies with internal servers and cheap Internet connectivity using PA address space should either migrate their servers to the cloud or use ULA for internal communication. They could also believe that the IPv6 renumbering magic works … and a consultant or two will be paid quite handsomely when they have to switch ISPs and change all firewall rules, packet filters, and who knows how many server configuration files.

Looking for more IPv6 information

Check out my IPv6 webinars page. You can buy all of them in a bundle or get them with a yearly subscription. I’m also available for short consulting engagements.

7 comments:

  1. Thanks again for this instructive article.
    It brought me some side thoughts on the recent trends in networking.

    I used to be a network engineer. I haven't worked in the field for a few years (I now work in security), but I am trying to maintain some knowledge reading articles all around, like the great ones you regularly provide.
    So maybe my points are biased by my lack of skills.

    However, from my perspective and with some hindsight, I am stunned by the complexity brought by virtualization and, mostly, IPv6.

    Yes, all that is extrimely powerful and flexible. But did we really need that? Will the administrators really understand the stuff?
    I am myself having hard times to catch up and I am often getting lost in all this mess.

    I see daily configuration errors and misunderstanding on much more basic and old concepts... I mean simple IPv4 subnetting, NAT, routing, etc.
    So I am really doubting more and more on the chances of IPv6 in adoption, reliability and security in real world implementations.

    We are far from the sane "keep it simple" principle, often praised to achieve good design... As a security guy, I am really scared.

    ReplyDelete
  2. Can you give any free advice on where a large multinational company should get its PI range?
    My company is based in a RIPE region, but has almost equal presence throughout the world. We could get a large allocation from RIPE, or a smaller one from RIPE, one from ARIN, etc...

    ReplyDelete
    Replies
    1. Currently it doesn't seem like anyone plans to implement any region-based address filters (they wouldn't work anyway), so you could get a large allocation from RIPE and be done with it.

      You MIGHT want to get smaller allocations from other RIRs just to be on the safe side.

      Delete
    2. Thanks! We have a long way to go before pulling the trigger on this, but I'm trying to get my mind wrapped around it. We'll bring someone like you (maybe you!) inside to look at the details before making such a huge decision, I'm sure.

      Delete
  3. Aww, c'mon Ivan -- everyone knows the answer is IPv6 site-local addresses.
    fec0::/10 4evah!!!!! :)

    ReplyDelete
  4. Hi Ivan, Hi Jason,

    I just wrote a blogpost discussing some aspects of your question, Jason. It can be found here:
    http://www.insinuator.net/2014/01/ipv6-address-plan-considerations-part-2-the-pi-space-from-singlemultiple-rirs-debate/.

    best

    Enno

    ReplyDelete
  5. Not a great solution, but a workable one:

    - accept the fact that enterprise is going to be stuck with legacy IPv4 for far longer than the rest of the Internet

    - use MAP-T with one translation gateway per service provider; MAP (translate) the enterprise's RC1918 IPv4 to the appropriate service provider's public IPv6 on each gateway

    - for native v6, you're still stuck in the boat as most enterprises won't bother figuring out what ULA is & applying for it until it's far too late. However, at least with the plethora of unique IPv6 addresses you can do stateless 1:1 NAT on one of the gateways & not worry about it too much.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.