On Thu, Jan 29, 2015 at 6:28 PM, Eric Louie <elouie@techintegrity.com> wrote:
> I'm putting together my first IPv6 allocation plan. The general layout:
> /48 for customers universally and uniformly
Hi Eric, Good luck with that. Personally, I'd be inclined to think that some customers will (reasonably) want more than a /48 and I'd be in less of a rush to burn through my /32 for the sake of customers who would have been perfectly happy with a /56. The only deliberately static sizes I'd endorse are /64 for an ethernet LAN and the 4-bit nibble boundary for any delegations.
> /38 for larger regions on an even (/37) boundary
> /39 for smaller regions on an even (/38) boundary
> A few /48's for "internal use" to allow us to monitor and maintain systems.
Suggest you delegate to regions, purposes and customers on the 4-bit nibble boundary. This makes it easier to read your IPv6 addresses and it simplifies DNS operations.
> For security's sake, do I need (am I better off) to "reserve" a "management block" (/39, /40, /41 or something of that nature) that does NOT get advertised into BGP to my upstreams, and use that for my device management and monitoring address space? In other words, make a small "private" address space for management? What are folks doing around that?
If it is strictly internal (not used for router interfaces that have to transmit destination unreachables) select and use a ULA block. That way when you find you really need to advertise a covering route for your /32 to get full IPv6 connectivity, your management network still won't be exposed to the Internet at large. Otherwise, address with firewalls and access lists. If you try to micromanage your /32's advertisement you'll both earn yourself grief and engender the annoyance of other IPv6 participants trying to keep the routing table small.
> If I have to do 6-to-4 conversion, is there any way to do that with multiple diverse ISP connections, or am I "restricted" to using one entry/exit point? (If that's true, do I need to allocate a separate block of addresses that would be designated "6 to 4" so they'd always be routed out that one entry/exit point?)
Let's clarify some terminology:

6to4 - a system for facilitating IPv4-only end sites creating a configuration-free local IPv6 network that reaches out to the native IPv6 Internet. Run by unaffiliated volunteers. Algorithmically matched an IPv6 /48 to every possible IPv4 address. It did good service in IPv6's experimental days but is not production grade and basically should never be used again. Replace with free tunnels from Hurricane Electric or similar.

6rd - allows ISPs to deploy IPv6 to their customers without dual-stacking the ISP's network. Get your feet wet at minimal cost and then wait to see what happens before undertaking the substantial risk and expense of dual-stacking your entire network. Uses the network protocols developed for 6to4 but is implemented entirely within your organization and is production grade. 6rd uses *your* IPv6 addresses, so you route those IPv6 addresses with your peers as normal -- no special considerations needed.

nat64/nat46 - allows an IPv6-only host to interact in limited ways with IPv4-only hosts. Don't go down this rabbit hole. This will probably be useful in the waning days of IPv4 when folks are dismantling their IPv4 networks but for now the corner cases will drive you nuts. Plan on dual-stacking any network which requires access to IPv4 resources such as the public Internet.

Regards,
Bill Herrin

-- 
William Herrin ................ herrin@dirtside.com  bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
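The points raised in the exchange above (delegating on the 4-bit nibble boundary and what that buys in reverse DNS, keeping a strictly internal management block in ULA space, and how 6to4 and 6rd derive a customer prefix from an IPv4 address) as an added worked example. This is not code from the original thread or from either poster; it uses only the Python standard library. The prefixes (2001:db8::/32 and friends), the seed for the ULA global ID, and the customer IPv4 addresses are illustrative values chosen here, and the "delegation must not be longer than /64" check in the 6rd helper is this example's own sanity limit, not something stated in the thread or the RFCs.

```python
"""Added example (not from the thread or either poster): helpers for the
address-plan points above, using only the Python standard library.  The
prefixes, seeds and IPv4 addresses used are illustrative values chosen here."""
import hashlib
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")      # RFC 4193 unique local addresses
SIXTO4 = ipaddress.IPv6Network("2002::/16")  # RFC 3056 6to4 prefix


def _net(value):
    """Accept either an IPv6Network or a string such as '2001:db8::/32'."""
    if isinstance(value, ipaddress.IPv6Network):
        return value
    return ipaddress.IPv6Network(value)


def on_nibble_boundary(net):
    """True when the prefix length is a multiple of 4, i.e. the prefix ends on a
    whole hex digit.  Such prefixes read cleanly and map onto a whole ip6.arpa
    label, which is the DNS simplification the reply refers to."""
    return _net(net).prefixlen % 4 == 0


def ip6_arpa_zone(net):
    """Reverse-DNS zone name for a nibble-aligned prefix (one label per nibble)."""
    net = _net(net)
    if not on_nibble_boundary(net):
        raise ValueError("reverse zone needs a prefix length that is a multiple of 4")
    digits = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(digits)) + ".ip6.arpa"


def delegations_available(parent, child_len):
    """How many child prefixes of length child_len fit in parent
    (65536 /48s in a /32, but 16777216 /56s)."""
    parent = _net(parent)
    if child_len < parent.prefixlen:
        raise ValueError("child prefix must not be shorter than the parent")
    return 2 ** (child_len - parent.prefixlen)


def carve(parent, child_len):
    """Lazily enumerate child prefixes, refusing sizes off the nibble boundary
    (a /38 or /39 regional block is rejected; /36 or /40 is accepted)."""
    parent = _net(parent)
    if child_len < parent.prefixlen:
        raise ValueError("child prefix must not be shorter than the parent")
    if child_len % 4 != 0 or not on_nibble_boundary(parent):
        raise ValueError("delegate on 4-bit boundaries (/36, /40, /44, /48, ...)")
    return parent.subnets(new_prefix=child_len)


def is_ula(net):
    """True for an fc00::/7 block: the kind of space the reply suggests for a
    strictly internal management network that is never advertised."""
    return _net(net).subnet_of(ULA)


def ula_prefix(seed):
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1 over the
    (time || EUI-64) input.  `seed` (bytes) stands in for that input so the
    result is reproducible here; use os.urandom(16) or the RFC's inputs in
    practice.  Returns the resulting fd00::/8 /48."""
    global_id = int.from_bytes(hashlib.sha1(seed).digest()[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def sixto4_prefix(ipv4):
    """RFC 3056: the /48 that 6to4 assigns to an IPv4 address, 2002:VVVV:WWWW::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network((int(SIXTO4.network_address) | (v4 << 80), 48))


def sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, customer_ipv4):
    """RFC 5969: the customer's delegated prefix is the ISP's 6rd prefix followed
    by the (32 - IPv4MaskLen) low-order bits of the customer's IPv4 address.
    The result lies inside the ISP's own IPv6 block, so it is routed with peers
    like any other prefix, which is the point made about 6rd above."""
    pfx = _net(sixrd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be 0..32")
    v4_bits = 32 - ipv4_mask_len
    new_len = pfx.prefixlen + v4_bits
    if new_len > 64:  # assumption: our own sanity limit, a customer needs at least one /64
        raise ValueError("6rd prefix too long for this IPv4MaskLen; delegation would exceed /64")
    suffix = int(ipaddress.IPv4Address(customer_ipv4)) & ((1 << v4_bits) - 1)
    net_int = int(pfx.network_address) | (suffix << (128 - new_len))
    return ipaddress.IPv6Network((net_int, new_len))


if __name__ == "__main__":
    print(ip6_arpa_zone("2001:db8::/32"))
    print(delegations_available("2001:db8::/32", 48), delegations_available("2001:db8::/32", 56))
    print(ula_prefix(b"example seed"))
    print(sixto4_prefix("192.0.2.1"))
    print(sixrd_delegated_prefix("2001:db8::/32", 0, "192.0.2.1"))
```

Note that the 6rd helper reproduces the thread's routing point directly: with a 6rd prefix of 2001:db8::/32 and an IPv4MaskLen of 0, customer 192.0.2.1 lands at 2001:db8:c000:201::/64, inside the ISP's own /32, whereas the 6to4 mapping of the same address is 2002:c000:201::/48, inside the volunteer-operated 2002::/16.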