nanog mailing list archives

RE: IPv6 Subscriber Access Deployments


From: Josh Moore <jmoore () atcnetworks net>
Date: Tue, 8 Sep 2015 20:03:57 +0000

That makes sense now understanding how CPE equipment has evolved into segmenting layer 2 services like that. /48 it is.

Most GPON networks are composed of large layer 2 rings. No way to break that up without adding additional equipment and 
that can get costly. With IPv4 we got around the need to configure discrete VLANs/subnets by putting all customers in 
the same VLAN and turning on the DHCP snooping/source-guard features. My remaining question is why isn't this desired 
with IPv6? What security concerns are there with turning up SLAAC / DHCPv6 within the same /64 for everyone that are 
different from IPv4?




Joshua Moore
Network Engineer
ATC Broadband
912.632.3161 - O | 912.218.3720 - M



-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Tuesday, September 08, 2015 3:55 PM
To: Josh Moore
Cc: Owen DeLong; nanog () nanog org
Subject: Re: IPv6 Subscriber Access Deployments

On Tue, 08 Sep 2015 19:40:44 -0000, Josh Moore said:

> The question becomes manageability. Unique VLAN per customer is not 
> always scalable. For example, only ~4000 VLAN tags. What happens when 
> you have more than that many customers?

If you're hanging 4K customers off the same switch, you probably have bigger issues than running out of VLAN tags...

> We are talking very, very, small customers here. SOHO to say the most.
> /64 should be more than sufficient for their CPE router.

A Linksys WNDR3800 running CeroWRT (and probably OpenWRT by now) will prefer to create multiple /64's - one for the 4 
wired ports, one for private access on the 2.4G radio, one for guest access on the 2.4, and another private/guest pair 
on the 5G radio. So there is CPE gear out there now that can blow through 5 /64s by default, and more if you enable 
VLANs.

A /56 allocated via DHCPv6-PD would be a *minimum*.  And prefixes are cheap, so you may as well hand them a /48, just 
in case they have a second WNDR3800 at the other end of the building for coverage - because that one will then ask the 
upstream one for a -PD allocation.  So if you give the CPE a /48, it can keep a /56 for itself, and hand the downstream 
a /56, and they can each allocate /64s as needed.

And remember - prefixes are cheap and plentiful, so don't bother with /52 or /60, just split on 8-bit boundaries to 
make life easier for yourself...
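The delegation arithmetic discussed in this thread, as an added example that is not code from either poster: an upstream CPE keeps one /56 and hands a second /56 downstream, and each router numbers five /64 segments. The names `Delegator`, `number_router`, `plan_site` and `SEGMENTS`, the in-order allocation, and the documentation prefix 2001:db8:1234::/48 are assumptions made for illustration.

```python
import ipaddress

# Constructed segment names, after the five /64s described for the WNDR3800.
SEGMENTS = ["wired", "2.4G private", "2.4G guest", "5G private", "5G guest"]

class Delegator:
    """Hands out fixed-size sub-prefixes of one delegated prefix, in order."""

    def __init__(self, prefix, child_len):
        self.prefix = ipaddress.ip_network(prefix)
        if child_len < self.prefix.prefixlen:
            raise ValueError("child prefix cannot be shorter than its parent")
        self.child_len = child_len
        self._pool = self.prefix.subnets(new_prefix=child_len)

    def allocate(self):
        try:
            return next(self._pool)
        except StopIteration:
            raise RuntimeError(
                f"{self.prefix} has no /{self.child_len} left") from None

def number_router(prefix):
    """One /64 per segment out of the prefix this router holds."""
    pool = Delegator(prefix, 64)
    return {name: pool.allocate() for name in SEGMENTS}

def plan_site(delegated):
    """Upstream CPE keeps the first /56 and delegates the second downstream."""
    site = Delegator(delegated, 56)
    upstream = number_router(site.allocate())
    downstream = number_router(site.allocate())
    return upstream, downstream

if __name__ == "__main__":
    up, down = plan_site("2001:db8:1234::/48")  # documentation prefix
    for role, plan in (("upstream", up), ("downstream", down)):
        for name, net in plan.items():
            print(f"{role:10} {name:13} {net}")
    for too_small in ("2001:db8:1234::/64", "2001:db8:1234::/56"):
        try:
            plan_site(too_small)
        except (ValueError, RuntimeError) as exc:
            print(f"{too_small}: {exc}")
```

Run with a /64 or a /56 in place of the /48, the same plan fails: the /64 cannot cover a second segment and the /56 leaves no second /56 for the downstream router.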

