On Thu, Mar 26, 2015 at 10:49 PM, Andre Keller <ak@list.ak.cx> wrote:


On 26.03.2015 15:37, Sanjeev Gupta wrote:
> I am part of a team deploying IPv6 in S E Asia, for enterprises in
> their offices. As we do not have clarity on who the ISP will be, and
> this will change frequently till v6 availability stabilises, use of
> ULA is common. A NAT66 device is used much as a normal IPv4 NAT gateway;
> the NAT66 means that if the upstream IPv6 prefix address changes, all
> the PCs do not end up with new addresses.

Why would you bother with NAT66 in this case? I mean using ULA for local
traffic (like printing, filesharing, building control etc.) seems fine
to me. For global connectivity you could just use SLAAC or DHCPv6 as an
additional address? Does it really matter, if these additional addresses
change from time to time?

The idea is to stay in known territory, and replicate what the client's team knows first.  With ULA and a NAT66 device, their network policies can be implemented "the way we have always done this"; i.e. all outgoing allowed (mapped onto a unique global address, with the lower 64 bits the same), and all incoming blocked except where authorised.

With IPv4, they use NAT and PAT.  With IPv6, they no longer need to do PAT.  At some time in the future, once they have experience with v6, hopefully a better-thought-out firewall policy can be implemented.

--
Sanjeev Gupta
+65 98551208     http://www.linkedin.com/in/ghane
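The policy described in this message (ULA inside, a NAT66 prefix swap that keeps the lower 64 bits, all outgoing allowed, all incoming blocked except where authorised), modelled as an added example that is not from the thread or any product mentioned in it. The prefixes, class and function names are constructed, and the session key deliberately ignores ports to keep the model short.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed example prefixes, not taken from the thread: the office ULA /64
# and whatever /64 the current upstream ISP happens to have delegated.
ULA_PREFIX = ipaddress.IPv6Network("fd12:3456:789a:1::/64")
GLOBAL_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1::/64")
IID_MASK = (1 << 64) - 1  # the lower 64 bits, i.e. the interface identifier

def translate(addr, src_net, dst_net):
    """Swap addr's /64 prefix from src_net to dst_net, keeping the lower 64 bits unchanged."""
    a = ipaddress.IPv6Address(addr)
    if a not in src_net:
        return None
    return str(ipaddress.IPv6Address(int(dst_net.network_address) | (int(a) & IID_MASK)))

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

class Nat66Gateway:
    """Prefix swap plus 'all outgoing allowed, all incoming blocked except where authorised'."""

    def __init__(self, inbound_allow):
        self.inbound_allow = set(inbound_allow)  # (inside ULA address, proto, dport)
        self.sessions = set()  # (translated inside address, remote address, proto); ports omitted for brevity

    def outbound(self, pkt):
        ext = translate(pkt.src, ULA_PREFIX, GLOBAL_PREFIX)
        if ext is None:
            return None  # only ULA sources are translated out
        self.sessions.add((ext, pkt.dst, pkt.proto))  # remember it so the reply is let back in
        return replace(pkt, src=ext)

    def inbound(self, pkt):
        """Return the packet rewritten to its ULA destination, or None when the policy drops it."""
        inside = translate(pkt.dst, GLOBAL_PREFIX, ULA_PREFIX)
        if inside is None:
            return None  # not addressed to our translated prefix
        if (pkt.dst, pkt.src, pkt.proto) in self.sessions:
            return replace(pkt, dst=inside)  # reply to a session opened from inside
        if (inside, pkt.proto, pkt.dport) in self.inbound_allow:
            return replace(pkt, dst=inside)  # explicitly authorised inbound service
        return None  # default deny
```

When the ISP prefix changes, only GLOBAL_PREFIX on the gateway moves; every inside host keeps its ULA address and interface identifier.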