IPv6 ULA Support in GCP

cloud.google.com

28 points by uji 3 years ago · 5 comments

jeroenhd 3 years ago

> Each IPv6-enabled VM will be assigned a /96 address range from the subnet, which provides you with 4 billion unique IPv6 addresses for each VM interface.

That's odd. Almost every attempt to reflect IPv4 blacklisting seems to treat /56 or even /48 blocks the same as a regular IP address, since that is (or was) the recommended size to hand out to end users for residential ISPs. /64 is the smallest network size available for most applications so network level firewalls will often use that as the smallest range to ban in case of abuse.

Of course ULA networks aren't going to reach out to the internet, but even internal load balancers and attack detection mechanisms will need to be configured for this default. Which is very strange, given that ULAs are /48s with arbitrary 16 bit subnets and then a /64 at the end. I can't imagine exceeding 65k subnets being a common use case on these networks.

That said, I applaud the native availability of ULAs on cloud platforms. You can make it work yourself with VPNs and other overlay networks, but this is a much cleaner solution.

  • zamadatix 3 years ago

    Subnets look to still be /64s; it sounds like each VM is just being given a /96 worth of IPs instead of a /128 worth of IPs. Regardless of how it's implemented, the impact on applications/rules/etc. shouldn't really be any different unless up until now you've only ever deployed 1 VM per /64 subnet.

  • dilyevsky 3 years ago

    These days if you want to request a routable prefix through an LIR you're likely getting a /48, which is sometimes referred to as a "site prefix", though I think this is also now outdated.
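
The blocklist-granularity question raised in this thread, as an added example that is not from the thread or from GCP: it counts abusive sources per aggregation prefix and shows how the result changes between /128, /96 and /64 keys. The addresses, the threshold and the function names `ban_key` and `offenders` are constructed assumptions; the /96-per-VM size comes from the quoted announcement.

```python
import ipaddress
from collections import Counter

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local range

def ban_key(addr, ula_len=96, default_len=64):
    """Return the network under which one source address is counted.

    Assumption: a ULA source is a VM that owns a whole /96 (per the quoted
    text); any other IPv6 source gets the conventional /64.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.ip_network(f"{ip}/32")
    length = ula_len if ip in ULA else default_len
    # strict=False masks off the host bits instead of raising ValueError.
    return ipaddress.ip_network(f"{ip}/{length}", strict=False)

def offenders(sources, threshold, **lengths):
    """Aggregate sources by ban_key; return {network: hits} at/over threshold."""
    hits = Counter(ban_key(s, **lengths) for s in sources)
    return {str(net): n for net, n in hits.items() if n >= threshold}

# Constructed sample: two VMs sharing one /64 ULA subnet, plus one GUA client.
SAMPLE = [
    "fd20:ab:cd:1::a",       # VM A, rotating inside its /96
    "fd20:ab:cd:1::b:1",     # VM A
    "fd20:ab:cd:1::c:2",     # VM A
    "fd20:ab:cd:1:0:1::5",   # VM B, same /64 but a different /96
    "2001:db8:5:6::1",       # GUA client (documentation prefix)
    "2001:db8:5:6:aaaa::2",  # same GUA /64
]

if __name__ == "__main__":
    for ula_len in (128, 96, 64):
        print(ula_len, offenders(SAMPLE, threshold=3, ula_len=ula_len))
```

Per-address keys never reach the threshold because VM A changes address on every request, /96 isolates VM A, and /64 also counts VM B's single request against the shared subnet.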

kccqzy 3 years ago

> Additionally, multi-nic VM instances may be dual-homed with both ULA (internal) and GUA (external) addresses.

You need a multi-NIC VM for that? Isn't it commonplace in the IPv6 world for a single NIC to have multiple addresses? In fact I just checked: my computer at home has a single NIC but it has multiple addresses (both ULA and GUA) configured through SLAAC with privacy extension. In fact I count 14 addresses, excluding link-local.

  • rektide 3 years ago

    Given that IPv6 addressing often includes the outbound link (e.g. 26:01::02%eth0), I feel like it may not be required perhaps but also it could in some cases be helpful to have different devices for each.

    It's all heavily virtualized NIC stuff anyways so, I guess I'd ask: why not?
