Re: IPv6 Subscriber Access Deployments

[Josh Moore <jmoore () atcnetworks net>]

It's not just the tag though... You have the /64 that has to be provisioned, the helper addresses for DHCP, 
ACLs/security policy, etc.




Thanks,

Joshua Moore
Network Engineer
ATC Broadband
912.632.3161

> On Sep 9, 2015, at 1:14 PM, Owen DeLong <owen () delong com> wrote:
>
> VLAN tags aren’t global and 4096 is only a limitation on ethernet.
>
> VPI/VCI is many more.
>
> Yes, if you need more than 4096 customers on a single switch, you’ve got an issue, but there are many potential 
> issues in that scenario beyond VLAN tagging (like customers choosing not to use routers and filling up your MAC 
> tables).
>
> Owen
>
> > On Sep 8, 2015, at 12:40 , Josh Moore <jmoore () atcnetworks net> wrote:
> >
> > The question becomes manageability. Unique VLAN per customer is not always scalable. For example, only ~4000 VLAN 
> > tags. What happens when you have more than that many customers? Also, provisioning. Who is going to provision 
> > thousands of unique prefixes and VLANs, trunk them through relevant equipment and ensure they are secured as well?
> >
> > We are talking very, very, small customers here. SOHO to say the most. /64 should be more than sufficient for their 
> > CPE router.
> >
> >
> >
> >
> > Joshua Moore
> > Network Engineer
> > ATC Broadband
> > 912.632.3161 - O | 912.218.3720 - M
> >
> >
> >
> > -----Original Message-----
> > From: Owen DeLong [mailto:owen () delong com] 
> > Sent: Tuesday, September 08, 2015 3:31 PM
> > To: Josh Moore
> > Cc: Valdis.Kletnieks () vt edu; nanog () nanog org
> > Subject: Re: IPv6 Subscriber Access Deployments
> >
> > Short answer to that is “DHCPv6-PD”
> >
> > Longer answer:
> >
> > Customer’s router should get an address on the external interface through one of SLAAC, DHCP-PD, Static Assignment, 
> > depending on how the ISP prefers to do this.
> >
> > If the ISPs equipment supports IPv6 on shared VLANs with DHCP snooping and other security, you can implement it with 
> > a single /64 giving each router a unique address within that segment, but it’s not really ideal. This was mainly 
> > done in IPv4 to conserve addresses. Separate point to point VLANs are a cleaner solution and since there are enough 
> > addresses in IPv6 to do this, that is how most providers implement. I prefer using /64s (or at least assigning /64s) 
> > to these VLANs, but there are those who argue for /127, some equipment is broken and requires a /126, and yet others 
> > argue for other nonsensical prefixes.
> >
> > Once the router has an external address communicating point to point with the ISP router, it should then send an 
> > DHCPv6-PD request asking for a prefix that it can manage. The ISPs DHCP server should then send back a /48 (or if 
> > you want to be silly, a /56 or a /60, and if you want to be insane, a /64).
> >
> > The reality is that if you send a smaller prefix back, you risk having difficulty with your future ARIN applications 
> > as your Provider Allocation Unit is based on the smallest prefix you delegate to end-users. So if you, for example, 
> > assign /48 to business customers and /60 to residential customers, you’re going to have to justify why each of your 
> > business customers needed 4096 /60s when you claim that you need more IPv6 space.
> >
> > OTOH, if you simply issue /48s to everyone, you can just go back and say “Each end site got a /48 and there are N 
> > end-sites” and you’re good, no questions asked about the size of any of those end-sites.
> >
> > Owen
> >
> > > On Sep 8, 2015, at 12:12 , Josh Moore <jmoore () atcnetworks net> wrote:
> > >
> > > We are talking a purely bridged environment. However, I have been wondering how in the world end-to-end IPv6 
> > > connectivity is supposed to work if a customer hooks up their own router. That is one of the points of IPv6...
> > >
> > >
> > >
> > >
> > > Joshua Moore
> > > Network Engineer
> > > ATC Broadband
> > > 912.632.3161 - O | 912.218.3720 - M
> > >
> > >
> > > -----Original Message-----
> > > From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
> > > Sent: Tuesday, September 08, 2015 3:08 PM
> > > To: Josh Moore
> > > Cc: nanog () nanog org
> > > Subject: Re: IPv6 Subscriber Access Deployments
> > >
> > > On Tue, 08 Sep 2015 19:04:06 -0000, Josh Moore said:
> > > > I'm reading that the recommended method for assigning IPv6 addresses to end-users is to do this via a dedicated 
> > > > VLAN and /64.
> > >
> > > Important question - are you talking about the IPv6 address supplied to the CPE router itself, or a /48 or /56 
> > > delegated to the CPE router to allocate to subnets and devices behind it?