
Windows (Vista and later) and OS X (as of Lion) now have mature IPv6 implementations and support DHCPv6 for address allocation. Furthermore, they correctly let the network decide which method is used and only provide the user with the option of "Manual" or "Automatic", where Automatic will make use of SLAAC, DHCPv6, or both, depending on the flags set in the IPv6 RA.

We run both systems, in production, using DHCPv6 on prefixes much smaller than 64-bit (typically 120 or 119; we mirror whatever the IPv4 prefix length is). There is functionality (current and future) that the use of a 64-bit prefix provides, so it's a good idea to reserve that space for any LAN network, even if you implement it as a 120-bit prefix on the router. Just to be clear, I don't recommend not reserving a 64-bit prefix per network.

That said, neighbor table exhaustion is a real problem. A few lines of C can kill IPv6 on enterprise- and carrier-grade routers. It's a problem that has gone largely ignored because people are still in a private address space mindset.

We use 126-bit prefixes for link networks (we would have used 127, but the arguments against them in RFC 3627 were compelling enough to avoid them; after all, we don't have a lack of space). There are a few reasons for this:

1. It lets us keep link addresses short by using the beginning of our allocation (e.g. you'll see things like 2610:48::66 in traceroutes to us), which are easily memorized in the event of DNS failure (face it, there are still some addresses you'll memorize, even if they are IPv6).

2. We know that the number of hosts on these networks is finite; it will always be 2, so using a 64-bit prefix isn't useful in any way, and until we see routers hardened against neighbor table exhaustion, they're actually harmful.

3. We have thousands of link networks; giving them all a 64-bit prefix seems rather wasteful.
We've been running IPv6 in production since 2009, and when we first jumped into it I was in the same camp of being a purist: thinking SLAAC was the best, that DHCPv6 wasn't needed, that every network should always be a 64-bit prefix, etc. A few years of experience with using IPv6 in an operational environment has taught me otherwise. I'm not saying posts on-list about not using anything but a 64-bit prefix are wrong, but it's a little more complicated than one-size-fits-all networking. It is perfectly valid to make use of prefixes other than 64-bit, so long as you understand the implications of doing so. SLAAC is a great bootstrapping mechanism for ad-hoc networking, and so is the link-local scope (allowing all IPv6 traffic to happen over IPv6, even neighbor discovery). Just because it's a neat and useful way of addressing doesn't mean it's the best way for every network. Different strokes for different blokes and all that. To those who noticed me and Owen seem to have this argument on-list a few times a year, sorry for the recycled content. ;-)

On Mon, Nov 28, 2011 at 5:00 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
> On Nov 28, 2011, at 4:51:52 PM, Owen DeLong wrote:
>
>> On Nov 28, 2011, at 7:29 AM, Ray Soucy wrote:
>>
>>> It's a good practice to reserve a 64-bit prefix for each network. That's a good general rule. For point to point or link networks you can use something as small as a 126-bit prefix (we do).
>>
>> Technically, absent buggy {firm,soft}ware, you can use a /127. There's no actual benefit to doing anything longer than a /64 unless you have buggy *ware (ping pong attacks only work against buggy *ware), and there can be some advantages to choosing addresses other than ::1 and ::2 in some cases. If you're letting outside packets target your point-to-point links, you have bigger problems than neighbor table attacks. If not, then the neighbor table attack is a bit of a red-herring.
>
> The context is DOCSIS, i.e., primarily residential cable modem users, and the cable company ISPs do not want to spend time on customer care and hand-holding. How are most v6 machines configured by default? That is, what did Microsoft do for Windows Vista and Windows 7? If they're set for stateless autoconfig, I strongly suspect that most ISPs will want to stick with that and hand out /64s to each network. (That's apart from the larger question of why they should want to do anything else...)
>
> --Steve Bellovin, https://www.cs.columbia.edu/~smb
--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
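As an added illustration (not code from the thread, and not anything Networkmaine runs), here is a small Python planner for the scheme Ray describes above: reserve a /64 per LAN but configure the router with a longer prefix that mirrors the IPv4 prefix length (/24 -> /120, /23 -> /119), carve /126 link networks from the very start of the allocation so the addresses stay short, and compare how many addresses in each prefix a remote sender could force the router to attempt neighbor resolution for. The allocation (the documentation prefix 2001:db8::/32 stands in for a real one) and the LAN list are constructed assumptions; only the standard-library ipaddress module is used.

```python
"""Addressing-plan helper for: reserve a /64 per LAN, configure the mirrored
IPv4 prefix length on the router, use /126 link networks from the start of
the allocation.  Added example; the allocation and LANs below are constructed.
"""
import ipaddress
from itertools import islice

# Assumption: a /32 allocation.  2001:db8::/32 is the documentation prefix.
ALLOCATION = ipaddress.IPv6Network("2001:db8::/32")

# Constructed sample LANs: (name, IPv4 prefix already in use on that LAN).
SAMPLE_LANS = [
    ("eng-lan", "192.0.2.0/24"),
    ("lab", "198.51.100.0/23"),
]


def mirrored_prefix_len(ipv4_prefix_len: int) -> int:
    """Map an IPv4 prefix length onto the low 32 bits of a /64: /24 -> /120, /23 -> /119."""
    if not 0 <= ipv4_prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return 96 + ipv4_prefix_len


def configured_lan_prefix(reserved: ipaddress.IPv6Network, ipv4_prefix_len: int) -> ipaddress.IPv6Network:
    """Given the /64 reserved for a LAN, return the longer prefix actually put on
    the router interface: the first subnet of the mirrored length inside it."""
    if reserved.prefixlen != 64:
        raise ValueError("reserve a /64 per LAN, even if the router is configured longer")
    return next(reserved.subnets(new_prefix=mirrored_prefix_len(ipv4_prefix_len)))


def link_networks(allocation: ipaddress.IPv6Network, count: int, prefixlen: int = 126):
    """Take `count` point-to-point networks from the beginning of the allocation,
    so the resulting addresses are short (2001:db8::1, 2001:db8::5, ...)."""
    return list(islice(allocation.subnets(new_prefix=prefixlen), count))


def usable_link_addresses(net: ipaddress.IPv6Network):
    """Addresses assignable to the ends of a link network.  The all-zero interface
    identifier is the Subnet-Router anycast address (RFC 4291), so it is skipped;
    on a /127 that leaves a single assignable address, on a /126 three."""
    if net.prefixlen < 120:
        raise ValueError("only meant for small link networks")
    return list(net)[1:]


def nd_exposure(net: ipaddress.IPv6Network) -> int:
    """Distinct destinations inside the prefix (all but the router's own address)
    that an off-link sender could make the router attempt neighbor resolution for."""
    return net.num_addresses - 1


def build_plan(allocation=ALLOCATION, lans=SAMPLE_LANS, link_count=3):
    """Link networks from the first /48; one reserved /64 per LAN from the second
    /48, each paired with the prefix the router is actually configured with."""
    first_48, second_48 = islice(allocation.subnets(new_prefix=48), 2)
    plan = {"links": link_networks(first_48, link_count), "lans": {}}
    for (name, ipv4), reserved in zip(lans, second_48.subnets(new_prefix=64)):
        ipv4_len = ipaddress.IPv4Network(ipv4).prefixlen
        plan["lans"][name] = {
            "reserved": reserved,
            "configured": configured_lan_prefix(reserved, ipv4_len),
        }
    return plan


if __name__ == "__main__":
    plan = build_plan()
    for link in plan["links"]:
        ends = [str(a) for a in usable_link_addresses(link)[:2]]
        print(f"link {link}: ends {ends}, ND exposure {nd_exposure(link)}")
    for name, entry in plan["lans"].items():
        print(f"{name}: reserve {entry['reserved']}, configure {entry['configured']} "
              f"(ND exposure {nd_exposure(entry['configured'])} "
              f"vs {nd_exposure(entry['reserved'])} for the full /64)")
```

Running it prints the three /126 link networks starting at 2001:db8::/126, and for each LAN the reserved /64 next to the /120 or /119 that would actually be configured; the exposure numbers (3 and 255 versus 2^64 - 1) are the gap the neighbor-table argument in the thread is about.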