While I am pretty firmly in the IPv6 camp of no NAT66 and limited NPTv6 use, I do understand there are times when those can be appealing to use in a design (see my personal blog post about NAT66 and NPTv6 if you don’t understand the difference between them). The interesting part for me is the fact that you don’t necessarily need ULA at all for any of those designs to work properly. Let’s think critically about it. ULA is intended for private (not to be seen by the Internet) networks. So the logical question is: is there a legitimate use case for ULA in a network? As I mentioned in my previous Infoblox COE post, “ULA may have some good use cases (labs, out of band networks, super secure networks), but all the functions you can do with ULA you can do with global unicast addresses.”
So let’s talk about some corner cases where ULA might come up as a solution in a design, and whether global unicast can serve the same function. I want to challenge some of your IPv4 legacy design thinking and question why you are carrying it over to IPv6.
1. Client VPN networks leveraging ULA. It is easy to set up a client routing policy that defines the ULA prefix space you are using for your VPN network, and it is easy to define those ACLs too. It also ensures your clients will only access those resources with a ULA (since only your network should route your ULA space) and not a global IPv6 address you might not manage. It also means they will not be accessing the IPv6 Internet with that VPN interface (if you do not have NAT66 or NPTv6 in place for that ULA prefix), which may help put tighter controls on your VPN solution.
Why is this still IPv4 legacy design thinking? Because you are thinking that ULA is like RFC 1918. The argument is that ULA is more secure because you would require NAT66 or NPTv6 to allow the VPN ULA space to route out to the Internet.
Can global unicast do the same function? Absolutely. You can allocate a portion of your global unicast prefix for the purpose of VPN access. You can write routing policy and ACLs in the same way you do for the ULA prefix, and you can firewall them just as easily. So what is ULA really buying you in the use case for VPN?
2. WAN links and loopbacks are another case where ULA will come up in many designs, especially if you don’t intend to use IPv6 addresses to access the gear remotely. WAN links may suffer from path MTU discovery issues if you are using the links to backhaul public Internet access, but for all other functions they should not have an issue if you use ULA. Loopbacks are not something you typically want propagated outside of your own routing domain, so utilizing ULA may help reduce their exposure.
ULA may be appropriate here, but given there is no shortage of global unicast prefix allocations you can assign for WAN links or loopbacks, what do you really gain? You can apply ACLs and routing policy on the WAN and loopback global unicast prefix to have the same behavior as a ULA design. In addition, you can allow the correct ICMPv6 traffic on the network and not potentially break path MTU discovery. Finally, it is fine to allocate WAN links and loopbacks from global unicast addresses from multiple prefixes, which makes IPv6 readdressing easier, so arguing that ULA with NAT66 or NPTv6 is easier to manage doesn’t really fly since you will have to build out all the new prefixes in your firewall anyway.
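To make the claim in cases 1 and 2 concrete, here is an added example (not from the original post) that models a stateless first-match ACL and runs the same policy, including an ICMPv6 Packet Too Big permit, over a ULA design and a global unicast design. The prefixes are constructed: `fd4a:91c2:7e10::/48` is a made-up ULA prefix and `2001:db8::/32` is the documentation range standing in for a real global allocation; the rule set and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMPV6_PACKET_TOO_BIG = 2  # ICMPv6 type 2; path MTU discovery depends on it


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str
    dst: str
    proto: str = "any"               # "any", "tcp", "udp" or "icmpv6"
    icmp_type: Optional[int] = None  # only checked when set


def build_vpn_acl(vpn_prefix, site_prefix):
    """First-match policy for VPN clients; only the prefixes vary per design."""
    return [
        Rule("permit", "::/0", vpn_prefix, "icmpv6", ICMPV6_PACKET_TOO_BIG),
        Rule("permit", vpn_prefix, site_prefix),  # clients reach internal hosts
        Rule("deny", vpn_prefix, "::/0"),         # no Internet via the VPN
    ]


def evaluate(acl, src, dst, proto, icmp_type=None):
    for rule in acl:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
                and rule.proto in ("any", proto)
                and rule.icmp_type in (None, icmp_type)):
            return rule.action
    return "deny"  # implicit deny at the end of the list


def verdicts(vpn_prefix, site_prefix, outside="2001:db8:ffff::1"):
    """Run the same four constructed flows against one addressing design."""
    acl = build_vpn_acl(vpn_prefix, site_prefix)
    client = str(ipaddress.ip_network(vpn_prefix)[0x10])
    server = str(ipaddress.ip_network(site_prefix)[0x53])
    return [
        evaluate(acl, client, server, "tcp"),       # client to internal server
        evaluate(acl, client, outside, "tcp"),      # client to Internet host
        evaluate(acl, outside, client, "icmpv6", ICMPV6_PACKET_TOO_BIG),
        evaluate(acl, outside, client, "tcp"),      # unsolicited inbound
    ]


ULA_DESIGN = verdicts("fd4a:91c2:7e10:ff00::/64", "fd4a:91c2:7e10::/48")
GUA_DESIGN = verdicts("2001:db8:40:ff00::/64", "2001:db8:40::/48")
```

Both designs produce the same verdicts because the policy is written against whichever prefix is assigned, not against the address type.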
3. Out of band management networks also seem like a candidate for ULA. If you are running an OOB network to manage your Internet edge equipment or your firewalls, for instance, utilizing ULA could reduce your exposure to issues from the IPv6 Internet. But those resources likely already have IPv6 Internet access. You may not be managing those Internet edge devices with those global unicast IPv6 addresses, but there is no reason you could not add an additional global unicast IPv6 prefix for the purpose of OOB management. Then a simple routing policy and ACL would perform the same function as ULA. This is acceptable because, more than likely, even with a ULA for OOB you would still do a routing policy and ACL for the ULA prefix. The resulting work is the same.
4. Lab networks seem ideal for ULA. You can assign a ULA prefix and then leverage NAT66 or NPTv6 to translate those lab networks to a global unicast prefix. Even with ULA you will likely firewall these resources, since you don’t want lab network traffic escaping to your production or corporate network unless you need it to.
There really are two arguments why this isn’t any better a solution than just assigning a global unicast prefix for the lab. First, assigning a global unicast prefix allows those resources to reach the IPv6 Internet without needing NAT66 or NPTv6, reducing application breakage. Second, you still have to apply firewall rules for the lab prefix, so what difference does it make if it is a global unicast or a ULA prefix?
5. Finally, there are the super secure networks. ULA can be useful because you can allocate a large prefix with limited likelihood of overlapping ULA address space. While it is not globally unique, it does allow agencies that need to maintain secure networks to have prefix allocations that will not conflict but are still not routable on the public Internet.
I think ULA has a legitimate use case for super secure networks that are not supposed to connect to the public IPv6 Internet. To ensure they truly are secure, there can be no NAT66 or NPTv6 solution in place and no hosts that have global unicast and ULA addresses at the same time. There is a very limited number of agencies that fit in the category of needing to run networks of this kind. I could see large utilities, some government agencies, and perhaps hospitals or other life service networks.
I still believe you can run those networks with global unicast and appropriate routing policy, ACLs, and firewall rules, but given their critical nature it would not be hard to agree that ULA might make a lot of sense.
So what do you think? Does ULA have more uses than I have outlined? Do you see ULA as a key critical solution in your IPv6 designs? If so, why? What is it about using global unicast IPv6 prefixes for networks that people find so alarming? I hope I’m not the only one thinking about this issue. Ivan Pepelnjak has a great blog post talking about global unicast and ULA, so I encourage you to check that out.
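The condition above, that no host holds a ULA and a global unicast address at the same time, can be checked against an address inventory. This is an added example, not part of the original post: the inventory format (`host iface address/prefixlen`), the host names and the addresses are constructed, with `2001:db8::/32` (documentation range) standing in for a real global prefix.

```python
import ipaddress
from collections import defaultdict

ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local addresses
GUA = ipaddress.ip_network("2000::/3")   # global unicast allocation block

# Constructed sample inventory: host, interface, address/prefixlen.
SAMPLE_INVENTORY = """\
# host      iface  address
scada-hmi1  eth0   fd4a:91c2:7e10:10::21/64
scada-hmi1  eth0   fe80::5054:ff:fe12:3456/64
hist-db1    eth0   fd4a:91c2:7e10:20::5/64
hist-db1    eth1   2001:db8:40:7::5/64
eng-ws3     eth0   2001:db8:40:9::33/64
"""


def classify(addr):
    """Return 'ula', 'gua' or 'other' (link-local, loopback, IPv4, ...)."""
    ip = ipaddress.ip_interface(addr).ip
    if ip.version != 6:
        return "other"
    if ip in ULA:
        return "ula"
    if ip in GUA:
        return "gua"
    return "other"


def audit(inventory):
    """Map each host holding both ULA and GUA addresses to those addresses."""
    per_host = defaultdict(lambda: defaultdict(list))
    for line in inventory.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        host, iface, addr = line.split()
        per_host[host][classify(addr)].append(f"{iface} {addr}")
    return {
        host: {"ula": scopes["ula"], "gua": scopes["gua"]}
        for host, scopes in per_host.items()
        if scopes["ula"] and scopes["gua"]     # dual-addressed: bridges both
    }


FINDINGS = audit(SAMPLE_INVENTORY)
```

A host that appears in the result is a potential path between the isolated ULA network and the routable one, even with no NAT66 or NPTv6 device in place.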
I look forward to hearing what you think so please share!
– Ed