by artdigital 1205 days ago
> You have to be careful with site-to-site VPN since even your internal services like database are now globally addressable. You really need proper firewall rules / routing policies to not leak unencrypted packets over internet.

Uhmm I might be wrong here, but can’t you just not assign global IPv6s then? Keep your local network on ULAs (https://en.wikipedia.org/wiki/Unique_local_address) for network-internal routing

1 comments

Sure, you can. But one advantage of IPv6 is your addresses are globally unique. If you ever need to connect two networks that were created independently (like different companies), unique addresses, even local ones, are very helpful.
Sure, but ULAs within your network are still an extremely useful tool to deal with annoying problems like renumbering if you don't have PI address space (and a majority of businesses won't). It's not an ideal solution, but unless you're a large enough shop to have multi-homed BGP sessions the IANA doesn't give a shit about how much headache changing ISPs or backup connections and getting a new allocation causes; so ULAs fill that gap to give a non-changing, probably-unique (if you follow the proper process to generate your prefix) address space.
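The "proper process" mentioned above is the RFC 4193 section 3.2.2 algorithm, and the firewall concern from the quoted comment comes down to recognising fc00::/7 on the internet-facing uplink. The following is an added illustration, not code from anyone in the thread; the MAC address and timestamp are constructed sample inputs, and `egress_decision` is a hypothetical policy helper.

```python
import hashlib
import ipaddress
import struct

# RFC 4193: fc00::/7 is the ULA space; fd00::/8 is the locally assigned half (L bit = 1).
ULA_SPACE = ipaddress.IPv6Network("fc00::/7")
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and the Unix epoch

def ntp_timestamp(unix_time: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", seconds & 0xFFFFFFFF, fraction)

def eui64_from_mac(mac: bytes) -> bytes:
    """Build a modified EUI-64 from a 48-bit MAC: flip the U/L bit and insert ff:fe."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]

def generate_ula_prefix(unix_time: float, eui64: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64); the low 40 bits become
    the Global ID, which is appended to fd00::/8 to form a /48 site prefix."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()
    global_id = digest[-5:]  # least significant 40 bits
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))

def is_ula(addr: str) -> bool:
    """True when the address lies in fc00::/7 and so must never be routed to the internet."""
    return ipaddress.IPv6Address(addr) in ULA_SPACE

def egress_decision(dst: str) -> str:
    """Hypothetical policy for an internet-facing uplink: ULA destinations are dropped
    (they belong on the site-to-site tunnel), everything else may leave."""
    return "drop" if is_ula(dst) else "forward"

if __name__ == "__main__":
    # Constructed sample inputs: a fixed time and a made-up MAC give a reproducible prefix.
    mac = bytes.fromhex("001122334455")
    prefix = generate_ula_prefix(1_700_000_000.25, eui64_from_mac(mac))
    print("Generated ULA prefix:", prefix)
    for dst in ("fd12:3456:789a::10", "2001:db8::1", str(prefix.network_address + 1)):
        print(dst, "->", egress_decision(dst))
```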