nanog mailing list archives

Re: ipv6 book recommendations?


From: Seth Mos <seth.mos () dds nl>
Date: Wed, 06 Jun 2012 09:10:37 +0200

On 5-6-2012 23:23, William Herrin wrote:
> On 6/5/12, David Hubbard<dhubbard () dino hostasaurus com>  wrote:
> Hi David,
>
> Instead of going the book route, I'd suggest getting some tunneled
> addresses from he.net and then working through
> http://ipv6.he.net/certification/ .
>
> They have the basics pretty well covered, it's interactive and it's free.
+1, it's one of the best ways to learn. Do.

> Some additional thoughts:
>
> 1. Anybody who tells you that there are security best practices for
> IPv6 is full of it. It simply hasn't seen enough use in the
> environment to which we're now deploying it and rudimentary
> technologies widely used in IPv4 (e.g. NAT/PAT to private address
> space) haven't yet made their transition.
Well, not quite, but firewall rules work just the same as before. Use those.
The longer version is that some people used "from internet to any" rules on their WAN, which in an IPv4 NAT really translated to "allow everything to my external address". Unless you used 1:1 of course, but I digress.

In IPv6 such a rule really means anything internal. People who have administered firewalls that route public addresses will know exactly what I mean.

> d. Default customer assignments should be /56 or /48 depending on who
> you ask. /48 was the IETF's original plan. Few of your customers
> appear to use tens of LANs, let alone thousands. Maybe that will
> change but the motivations driving such a thing seem a bit pie in the
> sky. /56 lets the customer implement more than one LAN (e.g. wired
> and wireless) but burns through your address space much more slowly.
> /60 would do that too but nobody seems to be using it. /64 allows only
> one LAN, so avoid it.
You seem to miss a semi-important thing here: daisy-chaining of routers in the premises. Some routers (pfSense included) allow for setting up prefix delegation; this means that you can connect routers behind the one you have and still have native v6.

Although the automatic setup system I wrote for this works with /56 networks, it will only set up PD for /64 networks at this point. I allocate a part of the assigned /56 network for prefix delegation automatically.

If the PD is /48 I can delegate /56 networks to the subrouters, which in their turn can delegate /64 networks to another subrouter.

It's not that the user itself will actually assign all those networks, but routers will do it automatically, and you need proper route aggregation. It's unlikely that all networks will be directly assigned as /64 networks either; it could also be multiple routers.

Even if it was done manually I'd assign a /60 route out of a /56 PD. The notion that it will always be a /64 is... well.

Regards,

Seth
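The delegation hierarchy discussed in this reply (a /48 or /56 from the ISP, one /56 or /60 per downstream router, a /64 per LAN, and a /64 assignment leaving nothing to delegate), worked through as an added Python example that is not part of the thread; the 2001:db8::/32 prefixes and the "keep the first chunk for the edge router's own LANs" policy are assumptions chosen for illustration.

```python
import ipaddress


def split(prefix, new_len):
    """Sub-prefixes of length /new_len inside prefix; empty when prefix is already longer."""
    net = ipaddress.IPv6Network(prefix)
    if new_len < net.prefixlen or new_len > 128:
        return []
    return list(net.subnets(new_prefix=new_len))


def plan_delegation(assigned, pd_len=60, lan_len=64, own_lans=2):
    """Plan prefix delegation for one customer assignment (assumed policy).

    The first /pd_len chunk stays on the customer edge router for its own
    LANs (own_lans of them, e.g. wired and wireless); every remaining chunk
    is delegated to a downstream router, which splits it into /lan_len LANs.
    A /64 assignment yields a single LAN and nothing to delegate.
    """
    chunks = split(assigned, pd_len)
    if len(chunks) < 2:
        return {"own_lans": split(assigned, lan_len)[:own_lans], "delegations": {}}
    return {
        "own_lans": split(chunks[0], lan_len)[:own_lans],
        "delegations": {str(c): split(c, lan_len) for c in chunks[1:]},
    }


def aggregates_into(assigned, plan):
    """True when every LAN in the plan lies inside the assignment, so the ISP
    needs exactly one route (the assignment itself) toward the customer."""
    parent = ipaddress.IPv6Network(assigned)
    lans = plan["own_lans"] + [lan for lans in plan["delegations"].values() for lan in lans]
    return bool(lans) and all(lan.subnet_of(parent) for lan in lans)


if __name__ == "__main__":
    # Constructed sample assignments: /56 with /60 per sub-router, /48 with /56, bare /64.
    for pfx, pd in (("2001:db8:1200::/56", 60), ("2001:db8::/48", 56), ("2001:db8:1200::/64", 60)):
        p = plan_delegation(pfx, pd_len=pd)
        print(pfx, "own LANs:", len(p["own_lans"]),
              "downstream routers:", len(p["delegations"]),
              "aggregates:", aggregates_into(pfx, p))
```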