IPv6 newbie alert!
I thought the maximum prefix length for IPv6 was 64 bits, so the comment about a v6 /112 for peering vexed me. I have Googled so much that Larry Page called me and asked me to stop.
Can someone please point me to a resource that explains how IPv6 subnets larger than 64 bits function and how they would typically be used?
thanks, Kelly
The use of a 64-bit prefix is a requirement if using Stateless addressing, nothing more. Allocation of a 64-bit prefix for every host network means you won't need to play games with subnetting based on the number of current or potential hosts, and keeps things clean; you SHOULD allocate a 64-bit prefix for every host network, though extending this logic to everything is a bit ignorant.

There is a denial of service attack vector that exists on most current production IPv6 routers: IPv6 Neighbor Table Exhaustion. Writing a quick program to sweep through every IPv6 address within a 64-bit prefix is enough to cause most routers to drop neighbor entries for known hosts once the table is full. This attack is specifically targeted against routers, which makes it more troubling. Note that I was a naysayer of this vector being a problem until I actually wrote an implementation of it in a lab. I was able to kill all IPv6 traffic within seconds from a single server.

Because of this, I strongly encourage you to make use of smaller prefixes for link networks. We use 126-bit prefixes (see http://tools.ietf.org/rfc/rfc3627.txt for why we avoid 127).

We also don't consider Stateless desirable for the majority of our host networks. If you enable stateless on a network, every host with an IPv6 stack will start making use of it. If you use DHCPv6 you can enable global IPv6 on a per-host basis. This makes it much, much easier to get buy-in on rolling out IPv6 everywhere, and while IPv6 is nice, it's not required yet, so you have time for the non-DHCPv6 hosts to be upgraded over the next few years (Mac OS X Lion will actually introduce a full DHCPv6 client implementation, for example).

If you don't require stateless, then using prefixes longer than 64 is an option. Our current practice is to allocate a full 64-bit prefix in the schema, but only use what is currently required for actual implementation. Most of our IPv6 prefixes are actually 119- or 120-bit prefixes. Once better protection against neighbor table exhaustion is available we plan to migrate to 64.

I also very strongly recommend enabling IPv6 on all your networks even if you disable RA or don't hand out addresses. This provides you with visibility of IPv6 traffic on your IPv4 networks (e.g. the ability to check for rogue IPv6 routers).

Finally, until RA Guard is available, use of L3 switches that support IPv6 PACLs is highly desirable, as they allow you to apply a port-level traffic filter to drop RA from unauthorized ports (we do this system-wide at this point, and network stability has improved dramatically as a result). MLD snooping still needs work; the current Cisco implementation is bugged to the point where it drops ND traffic. I'm strongly looking forward to support for things like DHCPv6 snooping; I was hoping that we'd see it by now, but vendors are slow to come around.

-- 
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
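The following is an added example, not code from the original thread or from Ray's lab implementation. It models the neighbor-table exhaustion sweep described in the reply above and shows why the /120 and /126 link prefixes he mentions bound the damage while a /64 does not: a router that must resolve every destination it forwards to creates an INCOMPLETE neighbor entry per swept address, and on a /64 the attacker never runs out of addresses. The cache capacity (4096) and the FIFO eviction policy are simplifying assumptions for the simulation (real platforms differ), the sample prefixes are constructed, and the /127 check encodes the RFC 3627 concern the reply cites (the all-zeros host address on a /127 is the subnet-router anycast address).

```python
# Added example (not from the original post). Models the neighbor-table
# exhaustion sweep the post describes and shows why a /120 or /126 link
# prefix bounds the damage where a /64 does not. The cache capacity (4096)
# and the FIFO eviction policy are simplifying assumptions; real routers use
# platform-specific sizes and policies. Sample prefixes are constructed.
import ipaddress
from collections import OrderedDict

NDP_CACHE_CAPACITY = 4096  # assumed neighbor-table size; varies by platform


def prefix_facts(prefix):
    """Report what a link prefix implies for SLAAC, sweep size and RFC 3627."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return {
        "prefix_len": net.prefixlen,
        "addresses": net.num_addresses,          # addresses an attacker can sweep
        "slaac_possible": net.prefixlen == 64,   # SLAAC needs a 64-bit interface ID
        # RFC 3627: on a /127 the all-zeros address is the subnet-router anycast
        "rfc3627_anycast_conflict": net.prefixlen == 127,
    }


class NeighborCache:
    """Bounded router neighbor cache; evicts the oldest entry when full."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()  # address -> "REACHABLE" | "INCOMPLETE"

    def learn(self, addr, state):
        if addr in self.entries:
            self.entries.move_to_end(addr)
            self.entries[addr] = state
            return
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # drop oldest (possibly a real host)
        self.entries[addr] = state

    def forward_to(self, addr):
        # A packet for an unknown on-link address makes the router create an
        # INCOMPLETE entry and send a Neighbor Solicitation; known addresses
        # are left alone.
        if addr not in self.entries:
            self.learn(addr, "INCOMPLETE")


def sweep_attack(prefix, legit_hosts, packets, capacity=NDP_CACHE_CAPACITY):
    """Pre-populate the cache with legit_hosts reachable neighbors, then send
    `packets` packets to consecutive addresses in the prefix (as the post's
    lab sweep did). Returns how many real hosts were evicted."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    cache = NeighborCache(capacity)
    known = [net[i] for i in range(1, legit_hosts + 1)]
    for addr in known:
        cache.learn(addr, "REACHABLE")
    swept = min(packets, net.num_addresses)  # a long prefix caps the sweep
    for i in range(swept):
        cache.forward_to(net[i])
    evicted = sum(1 for a in known if cache.entries.get(a) != "REACHABLE")
    return {"swept": swept, "evicted_known": evicted,
            "cache_entries": len(cache.entries)}


if __name__ == "__main__":
    for p, hosts in (("2001:db8::/64", 20), ("2001:db8::/120", 20),
                     ("2001:db8::/126", 2)):
        print(p, prefix_facts(p), sweep_attack(p, hosts, packets=10_000))
```

With these assumptions a 10,000-packet sweep of the /64 fills the 4096-entry cache and evicts all 20 real neighbors, whereas the same sweep against the /120 stops at 256 addresses and against the /126 at 4, so the cache never reaches capacity and no real host is lost. Note that the check only flags the RFC 3627 anycast issue on /127; it does not judge whether a /126 is otherwise a good choice, which is the operational question the reply answers.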