
Re: Distributing site-wide RFC 3484 policy




> Hm, could it be that the problem you foresee is where www.example.com has both global::/128 and ula::/128 where people from outside are supposed to connect to the global address and people from the inside to the ula address?
>
> Although I can see one or two cases where people may want this, I would agree that such a setup is a bad idea.

Normally the security people would dislike this - the globally available
boxes will be in the DMZ, not in the intranet. If you decide to trust
end-system security and run without a DMZ, I suppose this could happen,
and we certainly need to assume it will happen.

> However, if you have www.example.com with global::/128 and secret-internal-only.example.com with ula::/128 that would make sense and not cause problems.

Indeed, I think this will be common practice for servers. But for
clients (employee desktops) both ula and global addresses are needed,
or you will rapidly need a ULA-to-Global NAT. (P2P would be the same.)

(ASCII art, view in Courier)


             ULA to ULA  -----------
 --------  <..........> | internal  |
|employee|              | server    |
|desktop |               -----------                ----------
 --------  <..........................{ DMZ }....> | external |
              Global to Global                     | server   |
                                                    ----------

    Brian
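The two setups discussed above (a dual-addressed www.example.com versus split names, with employee desktops holding both a ULA and a global address) can be run through the RFC 3484 selection rules directly. The following is an added example, not part of Brian's message or the thread: it implements the rules that decide the ULA-versus-global question (source selection rules 5 and 8, destination selection rules 5, 6, 9 and 10) over the RFC 3484 default policy table, and over a hypothetical site-distributed table that adds the site's own ULA prefix with a higher precedence and its own label. The prefixes fd00:abcd::/48, 2001:db8::/32 and every address below are constructed for the example; scope, deprecation and other rules are omitted because every address used here is global-scope and preferred, so this is a model for reasoning, not a drop-in resolver.

```python
"""RFC 3484 address selection reduced to the rules that settle ULA vs global:
source selection rule 5 (matching label) and rule 8 (longest matching prefix);
destination selection rule 5 (matching label), rule 6 (higher precedence),
rule 9 (longest matching prefix) and rule 10 (otherwise keep DNS order).
Added example; addresses and the site policy entry are constructed."""
import ipaddress

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]

# Hypothetical site-distributed table (assumption, not from the thread): the
# site's own ULA prefix gets a label of its own, so ULA sources pair with ULA
# destinations, and a precedence above ::/0 so insiders prefer the ULA path.
SITE_POLICY = DEFAULT_POLICY + [("fd00:abcd::/48", 45, 13)]


def lookup(table, addr):
    """Longest-prefix match of addr in the policy table -> (precedence, label)."""
    best = None
    for prefix, prec, label in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]


def common_prefix_len(a, b):
    """Leading bits shared by two IPv6 addresses (rules 8 and 9)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(table, sources, dest):
    """Source selection: prefer a label match (rule 5), then the longest
    common prefix (rule 8); max() keeps the first candidate on a full tie."""
    dest_label = lookup(table, dest)[1]

    def key(src):
        return (lookup(table, src)[1] == dest_label, common_prefix_len(src, dest))

    return max(sources, key=key)


def select_destination(table, sources, dests):
    """Destination selection: order dests by label match (rule 5), precedence
    (rule 6) and longest common prefix with the chosen source (rule 9).
    sorted() is stable, so fully tied candidates keep DNS order (rule 10)."""
    def key(dst):
        src = select_source(table, sources, dst)
        prec, label = lookup(table, dst)
        return (lookup(table, src)[1] == label, prec, common_prefix_len(src, dst))

    return sorted(dests, key=key, reverse=True)


def demo():
    """Run the thread's scenarios; returns the address chosen in each case."""
    ip = ipaddress.IPv6Address
    desktop = [ip("2001:db8:1::10"), ip("fd00:abcd::10")]  # employee desktop
    outsider = [ip("2001:db8:ffff::5")]                     # global-only client
    www = [ip("2001:db8:1::80"), ip("fd00:abcd::80")]        # dual-addressed www
    r = {}
    # Split names: the desktop picks the right source for each server by itself.
    r["desktop->ula-only server"] = select_source(DEFAULT_POLICY, desktop, ip("fd00:abcd::80"))
    r["desktop->global-only server"] = select_source(DEFAULT_POLICY, desktop, ip("2001:db8:2::80"))
    # Dual-addressed www with the default table: the two candidates tie down to
    # rule 10, so whichever address the DNS answer lists first wins.
    r["default, DNS global first"] = select_destination(DEFAULT_POLICY, desktop, www)[0]
    r["default, DNS ULA first"] = select_destination(DEFAULT_POLICY, desktop, www[::-1])[0]
    # Same www with the site policy: the ULA entry's precedence decides (rule 6).
    r["site policy, DNS global first"] = select_destination(SITE_POLICY, desktop, www)[0]
    # An outsider with only a global address still lands on the global address
    # by rule 9, even when DNS lists the ULA first.
    r["outsider, DNS ULA first"] = select_destination(DEFAULT_POLICY, outsider, www[::-1])[0]
    return {k: str(v) for k, v in r.items()}


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case:32s} -> {chosen}")
```

With the default table an inside client's choice between the global and ULA address of a dual-addressed server is decided by DNS answer order alone, which is the arbitrary behaviour that makes that setup a bad idea; a site-distributed entry for the site's own ULA prefix fixes the inside behaviour, and split names avoid the question entirely. RFC 6724, which later obsoleted RFC 3484, added a generic fc00::/7 entry with precedence 3 and label 13; note that a low precedence like that makes insiders prefer the global address of a dual-addressed server, which is why a site would want to distribute its own, higher-precedence entry rather than rely on the generic one.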