Re: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?

["Brzozowski, John" <John_Brzozowski () Cable Comcast com>]

See below.


On 12/1/11 5:11 AM, "Dmitry Cherkasov" <doctorchd () gmail com> wrote:

> John,
>
> Due to your note I carefully read again Cable Labs specs and found
> that really SLAAC is not prohibited. According to CM-SP-MULPIv3.0:
[jjmb] I was part of the team that wrote IPv6 for DOCSIS, so I know the
history well.  ;)

> * If the M bit in the RA is set to 1, the CM (cable modem) MUST use
> DHCPv6 ...;
> * If there are no prefix information options in the RA, the CM MUST
> NOT perform SLAAC;
[jjmb] even if there are PIOs and the A bit is set to 0, the CM will
not/must not perform SLAAC.

> * If the RA contains a prefix advertisement with the A bit set to 0,
> the CM MUST NOT perform SLAAC on that prefix.
[jjmb] yes, see above.
> That means that if M bit in the RA is set to 0 and RA contains a
> prefix advertisement with the A bit set to 1 nothing prevents CM from
> SLAAC.
[jjmb] correct.

> And if so we probably better reserve /64 per network just in case we
> may use SLAAC in it in the future. While we do not use SLAAC we can
> shorten the range of actually used IPv6 addresses by using longer then
> /64 prefix.
[jjmb] I suppose, again not sure why you would want to take this route.
This also assumes no PIOs in the RA.  Please note there are other
operational reason why SLAAC is not a truly deployable alternative.  We
can discuss off list if you are interested.
> You are completely right that prefix delegation enforce DHCPv6 so
> SLAAC mentioned above can be used only for CMs, not for CPE.
[jjmb] similar to cable modems, CPEs that only request or require IA_NA
could conceivably use SLAAC.  Same caveat and comments as above.

> Just a note: as far as I can see available DOCSIS 3.0 CMTSes do not
> support the ability of SLAAC for CMs currently (checked Casa and Cisco
> uBR10K).
[jjmb] I am sure you make it work on at least one of the above. :)
> Dmitry Cherkasov
>
>
>
> 2011/11/30 Brzozowski, John <John_Brzozowski () cable comcast com>:
> > Technically this is not true.  SLAAC is not prohibited, it does come
> > with
> > side affects that complicate the deployment of IPv6.  It is technically
> > feasible to use SLAAC, it is just not practical in most cases.
> >
> > Stateful DHCPv6 is the preferred mechanism for address and configuration
> > assignment.  Prefix delegation requires the use of stateful DHCPv6 in
> > DOCSIS networks.
> >
> > John
> > =========================================
> > John Jason Brzozowski
> > Comcast Cable
> > e) mailto:john_brzozowski () cable comcast com
> > o) 609-377-6594
> > m) 484-962-0060
> > w) http://www.comcast6.net
> > =========================================
> >
> >
> >
> >
> > On 11/29/11 7:09 AM, "Dmitry Cherkasov" <doctorchd () gmail com> wrote:
> >
> > > Steven,
> > >
> > > SLAAC is prohibited for using in DOCSIS networks, router
> > > advertisements that allow SLAAC must be ignored by end-devices,
> > > therefore DHCPv6 is the only way of configuring (if not talking about
> > > statical assignment). I have seen at least Windows7 handling this
> > > properly in its default configuration: it starts DHCPv6 negotiation
> > > instead of auto-configuration.
> > >
> > > Dmitry Cherkasov
> > >
> > >
> > >
> > > 2011/11/29 Steven Bellovin <smb () cs columbia edu>:
> > > > On Nov 28, 2011, at 4:51 52PM, Owen DeLong wrote:
> > > >
> > > > > On Nov 28, 2011, at 7:29 AM, Ray Soucy wrote:
> > > > >
> > > > > > It's a good practice to reserve a 64-bit prefix for each network.
> > > > > > That's a good general rule.  For point to point or link networks you
> > > > > > can use something as small as a 126-bit prefix (we do).
> > > > >
> > > > > Technically, absent buggy {firm,soft}ware, you can use a /127.
> > > > > There's
> > > > > no
> > > > > actual benefit to doing anything longer than a /64 unless you have
> > > > > buggy *ware (ping pong attacks only work against buggy *ware),
> > > > > and there can be some advantages to choosing addresses other than
> > > > > ::1 and ::2 in some cases. If you're letting outside packets target
> > > > > your
> > > > > point-to-point links, you have bigger problems than neighbor table
> > > > > attacks. If not, then the neighbor table attack is a bit of a
> > > > > red-herring.
> > > >
> > > > The context is DOCSIS, i.e., primarily residential cable modem users,
> > > > and
> > > > the cable company ISPs do not want to spend time on customer care and
> > > > hand-holding.  How are most v6 machines configured by default?  That
> > > > is,
> > > > what did Microsoft do for Windows Vista and Windows 7?  If they're set
> > > > for
> > > > stateless autoconfig, I strongly suspect that most ISPs will want to
> > > > stick
> > > > with that and hand out /64s to each network.  (That's apart from the
> > > > larger
> > > > question of why they should want to do anything else...)
> > > >
> > > >
> > > >                --Steve Bellovin, https://www.cs.columbia.edu/~smb