IPv6

To be clear, the issue with IPv4 being preferred over ULA is only an issue with calls to things like getaddrinfo which can return multiple results for a single host/domain name query.

The solution to this is easy — either don’t put your IPv4 addresses for hosts in your DNS, or give them a different name. I.e.: maybe you’re using hostname.domainname.xyz for your IPv6 addresses, and hostname.ipv4.domainname.xyz for your IPv4 addresses. Lookups against hostname.domainname.xyz will return ULAs in this case, as there is no A record for the same domain name.

People (many who should know better) act like machine A can somehow magically determine that machine B has an IPv4 address and just start using it instead of ULAs — but the precedence rules only apply to a DNS query the returns both an IPv4 and a ULA. Design your DNS so that this isn’t the case, and you won’t have to worry about it.

The main disadvantage of ULAs is in dual stack networks windows prefers IPv4 over them. In principle Linux should too but glibc follows an older RFC and as a result in practice picks ULAs over IPv4. If your GUA space is subject to change I would definitely recommend ULAs. Dynamic DNS is more headache than it's worth. As others have mentioned I would keep IPv4 out of your internal DNS so that ULAs are preferred, if you want to dual stack your internal DNS then there are ways to configure clients to prefer ULAs over v4. Personally I run both ULAs and GUAs internally even with my own direct allocation but that's because of dn42. What I do on my gateways to prevent leaks is I have a routing policy that returns an ICMP host unreachable if source is fd00::/8 and destination is 2000::/3 that way the gateway blocks any address mismatch. I also have a policy for the opposite GUA to ULA scenario. One other note, technically ULAs are supposed to be random /48s, others have mentioned generating a /40 but that's not technically in spec. Ideally you would generate one /48 per site or use a single /48 and then do a /56 per site. Obviously do what you want and what makes the most sense for you but I'm going to put that info out there.

This reminds me of this article about ULA. The TL;DR I got from it was: yeah, use ULA if you are a multi-sited organization, but you can't afford PI space.

Quote:

In the meantime, we’ll have to use kludges like NAT66 and ULAs in mid-market IPv6 implementations, not because we love them, but because they’re the best tools we have at our disposal.

ULA is problematic with dual-stacked networks just as you have mentioned, although there are drafts trying to fix it. For now, you may have to consider running a NAT64 gateway in your network and go IPv6-only.

I'll take a stab at this, although I profess no professional experience in network management and my interest in IPv6 is primarily in advocacy and in homelabs. With that said...

This seems like a situation where ULAs make some sense, but only for inter-site traffic. So I'd probably first provision for global addressing from each site's ISP. Then overlay ULA addressing to those sites as well, carving /48 subnets using the procedure from an RFC that I can't remember, so that the prefixes are randomized. This reduces the chance that a future site will conflict, as well as any conflicts due to mergers and acquisitions of the company.

Keeping the ULA traffic off the WAN is relatively easy with a reject rule on egress, and the ISP should be dropping that traffic anyway. Keeping global traffic off of the tunnels can be done the same, with reject rules if a non ULA src or dst address is used.

DNS for internal site resources can use ULA just fine, unless you absolutely need reverse DNS. For resources needing exposure externally, I'm not sure if this plan accommodates that.

TL:DR: use both ULA and global addresses. Routing rules to reject.