I'm interested in thoughts for a scenario where you want to do small-scale multi-site activities, with site-to-site connectivity.

Here’s a couple of constraints:

  • you’re not going to pay the money to get an assignment, you’ll just have ISP global.

  • your two or more sites will have different ISPs.

  • You’re doing VPN between sites instead of provider managed. The sites might be running some normal enterprise services like active directory, or other internal corporate norms.

  • you might have the need for a backup Internet connection. Load balancing would not be required.

With the fact that the globals could change at a site, would you consider using ULA? Or just stick with global and update DNS in the event of change. I know there’s a preference problem with IPv4 being chosen over ULA, so the ULA thing wouldn’t be very easy unless you went straight v6.

If ULA, would you pattern/convention match the global in each site or create one organization wide ULA and assign it something like /48 per site?

What precautions do you take on gateways to ensure globals aren’t used outside of the tunnel? ULA prevents this, but so does proper configuration I assume.

How would you do this?

I keep asking about ULA because I heard/read enough articles where the author says don’t do it, but they seem to be geared at large enterprise or hosting where they would definitely get dedicated blocks, peering, etc. I’m interested in the little guy.

  • @Yaztromo
    211 months ago

    To be clear, the issue with IPv4 being preferred over ULA is only an issue with calls to things like getaddrinfo which can return multiple results for a single host/domain name query.

    The solution to this is easy — either don’t put your IPv4 addresses for hosts in your DNS, or give them a different name. I.e.: maybe you’re using hostname.domainname.xyz for your IPv6 addresses, and hostname.ipv4.domainname.xyz for your IPv4 addresses. Lookups against hostname.domainname.xyz will return ULAs in this case, as there is no A record for the same domain name.

    People (many who should know better) act like machine A can somehow magically determine that machine B has an IPv4 address and just start using it instead of ULAs — but the precedence rules only apply to a DNS query that returns both an IPv4 and a ULA. Design your DNS so that this isn’t the case, and you won’t have to worry about it.

    • RedFoxOP
      211 months ago

      That’s a good point, I didn’t think about that.
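
The precedence behaviour discussed in @Yaztromo's comment can be reproduced with the RFC 6724 default policy table. The sketch below is an added example, not code from any poster in the thread; it models only rules 5 (matching label) and 6 (precedence) of destination selection, and all addresses are constructed samples. Real resolvers (for example glibc via `/etc/gai.conf`) may ship a different table.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label)
POLICY = [(ipaddress.ip_network(p), prec, label) for p, prec, label in [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),   # IPv4, as IPv4-mapped addresses
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),        # ULA
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]]

def policy(addr):
    """Return (precedence, label) for addr by longest-prefix match."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:  # the table treats IPv4 as ::ffff:a.b.c.d
        ip = ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    net, prec, label = max((e for e in POLICY if ip in e[0]),
                           key=lambda e: e[0].prefixlen)
    return prec, label

def order_destinations(dests, sources):
    """Order DNS answers as a simplified RFC 6724 resolver would.

    Rule 5: prefer a destination whose label matches a same-family source.
    Rule 6: prefer higher precedence. Ties keep DNS answer order.
    """
    def key(dest):
        prec, label = policy(dest)
        family = ipaddress.ip_address(dest).version
        src_labels = {policy(s)[1] for s in sources
                      if ipaddress.ip_address(s).version == family}
        return (label not in src_labels, -prec)
    return sorted(dests, key=key)

# Constructed sample: a dual-stack host at site 1 with a ULA and an RFC 1918 address.
SOURCES = ["fd12:3456:789a:1::10", "10.1.0.10"]
# One name carrying both AAAA (ULA) and A records: IPv4 sorts first.
BOTH = order_destinations(["fd12:3456:789a:2::20", "10.2.0.20"], SOURCES)
# Same name with no A record: the ULA is the only candidate, so it is used.
AAAA_ONLY = order_destinations(["fd12:3456:789a:2::20"], SOURCES)

if __name__ == "__main__":
    print("AAAA + A  :", BOTH)
    print("AAAA only :", AAAA_ONLY)
```
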