nanog mailing list archives
RE: Assigning IPv6 /48's to CPE's?
From: "Church, Charles" <cchurc05 () harris com>
Date: Mon, 31 Dec 2007 15:26:51 -0600
So after reading this thread for a while, it's starting to make sense that all subnets need to be /64. So it's best to think of IPv6 like IPX, but with a 64 bit network address. I'm curious where the 64 bits reserved for interface come from though. Haven't seen the history behind that discussed really. Ethernet MACs being 48 bits would seem like a natural choice, leaving 80 bits for network addressing. This waste of space seems vaguely familiar to handing out Class A netblocks 20+ years ago. "We'll never run out"... Maybe it's just me though.

Chuck

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Joe Greco
Sent: Monday, December 31, 2007 11:18 AM
To: Rick Astley
Cc: nanog () merit edu
Subject: Re: Assigning IPv6 /48's to CPE's?
> I see there is a long thread on IPv6 address assignment going, and I apologize that I did not read all of it, but I still have some unanswered questions.
The answers to some of this are buried within it.
> I believe someone posted the ARIN recommendation that carriers assign out /64's and /56's, and in a few limited cases, /48. I can understand corporations getting more than a /64 for their needs, but certainly this does not mean residential ISP subscribers, right?
That answer, along with detailed information, is within that thread. In an ideal world, yes, it does mean resi subscribers. Some of us would like to see that very much, but are simultaneously expecting that something less optimal will happen.
> I can understand the need for /64's because the next 64 bits are for the client address, but there seems to be this idea that one and only one node may use a whole /64.
Certainly, if the node is the only one on the subnet.
> So in the case of Joe, the residential DSL subscriber who has 50,000 PCs, TiVo's, microwaves, and nanobots that all need unique routable IP addresses, what is to stop him from assigning them unique client ID's (last 64 bits) under the same /64? We can let Joe put in some switches, and if that isn't enough he should consider upgrading from his $35/month DSL or $10/month dial up anyway.
I don't think it was ever in doubt that people could stick lots of devices on a single /64. The question is more one of "under what circumstances would a site want more than a /64." One is when you're crossing boundaries between network protocols (Ethernet to HomeControlNet or whatever). Repeat for Bluetooth or any other alternative technology. Many would prefer to see firewalling handled at the L3 boundary between networks, which is an indication for multiple /64's. While I certainly agree that this is attractive, and ought to be possible in IPv6, the fact is that it still represents a disruption of the broadcast domain, and requires that all firewall-candidate traffic be routed. This could have an impact to a site that deems a sudden firewall policy change necessary, such as "my PC #3 just got infected, stop it from talking to local network but allow it to download virus updates." I believe that there could (and should) be a natural evolution towards deconstructing the requirements at which layer these sorts of policies are implemented. I would very much like to see a layer 2/3 switch that is capable of implementing a firewall policy /for a port/, and having the onboard software be sufficiently intelligent that an end-user can deal with his firewalling switch as an abstract item, without having to understand the underlying network topology. This could even be generalized into a useful "general purpose networking" device, that could provide services such as VPN's. However, I am certain that there will be situations in which DHCP PD does not work, and so I expect that most protocol bridges will in fact be able to support bridging from an already populated IPv6 /64.
> My next question is that there is this idea that there will be no NAT in the IPv6 world. Some companies have old IPv4 only software, some companies have branch offices using the same software on different networks, and some like the added security NAT provides.
What "added security" would that be, exactly? Introducing a proper stateful firewall would give you about the same security, without the penalties of having to write proxyware for every new protocol that comes along. There /are/ some differences; a NAT gateway is less likely to fail to firewall in a catastrophic manner, for example: if it isn't working, network connectivity vaporizes. A stateful firewall might go away and leave you with your pants down. However, that doesn't really make NAT a better technology... {P,N}AT is a technology that was designed to allow more than one computer to share {ports, addresses}. This is fundamentally unnecessary in IPv6 because there are plenty of addresses available, and providers are expected to hand them out like candy. I would much prefer to see a different security model evolve, where even residential class equipment gains the ability to do smart firewalling. Some of that discussion is in the thread you skipped.
> There are also serious privacy concerns with having a MAC address within an IP address. Aside from opening the doors to websites to share information on specific users, lack of NAT also means the information they have is more detailed in households where separate residents use different computers. I can become an IPv4 stranger to websites once a week by deleting cookies, IPv6 means they can profile exactly what I do over periods of years from work, home, starbucks, it doesn't matter. I don't see NAT going away any time soon.
This seems to be an urban myth. Your current average broadband customer is leased an IP address that may stay active for years at a time. To imagine that most websites care about "a specific PC behind a NAT gateway" as opposed to "the small set of users behind this IP address" is a minor distinction at best - they can still track you, and since most households only have a single computer, it's best to assume they can already deal with the more difficult realities of multiple users on a single computer.

Given the ready availability of addresses, it may not be that long before we start seeing the anti-NAT happen; a single PC that utilizes a vaguely RFC3041-like strategy, but instead of allocating a single address at a time, it may allocate a /pool/ of them from the local subnet, and use a different IPv6 address for each outgoing request. Think of it as extending the port number field into the lower bits of the address field... I'm sure someone has a name for this already, but I have no idea what it is.

Anyways, I suggest you run over and read http://www.6net.org/publications/standards/draft-vandevelde-v6ops-nap-01.txt as it is useful foundation material to explain IPv6 strategies and how they differ from IPv4.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
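The address mechanics this exchange argues about, as an added example that is not part of the thread: why SLAAC needs a /64, how a MAC-derived (modified EUI-64) interface identifier exposes the hardware address that the quoted privacy concern describes, a check that recovers the MAC from such an address for an audit, and the RFC 3041-style pool of random-identifier addresses Joe describes. The /64 prefix and MAC below are constructed sample values.

```python
import ipaddress
import secrets

# Constructed sample values (not from the thread).
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
MAC = "00:1a:2b:3c:4d:5e"

def mac_to_modified_eui64(mac):
    """64-bit modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291
    appendix A): split the MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix, iid):
    """Combine a 64-bit prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64: the interface identifier is 64 bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)

def embedded_mac(addr):
    """Audit check: recover the MAC from an EUI-64-derived address, or return
    None when the identifier lacks the ff:fe marker and so embeds no MAC."""
    iid_bytes = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid_bytes[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid_bytes[0] ^ 0x02]) + iid_bytes[1:3] + iid_bytes[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def random_iid():
    """RFC 3041/4941-style temporary identifier: 64 random bits with the
    universal/local bit cleared, never carrying the ff:fe EUI-64 marker."""
    while True:
        iid = secrets.randbits(64) & ~(1 << 57)
        if iid.to_bytes(8, "big")[3:5] != b"\xff\xfe":
            return iid

def address_pool(prefix, n):
    """The 'anti-NAT' idea: a pool of n distinct random-identifier addresses
    in one /64, one per outgoing request, none traceable to a MAC."""
    pool = set()
    while len(pool) < n:
        pool.add(slaac_address(prefix, random_iid()))
    return sorted(pool)

if __name__ == "__main__":
    hw = slaac_address(PREFIX, mac_to_modified_eui64(MAC))
    print(hw, "->", embedded_mac(hw))          # MAC is recoverable
    for a in address_pool(PREFIX, 4):
        print(a, "->", embedded_mac(a))         # None: no MAC embedded
```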