Here are my replies on this e-mail. Sorry for the late replies!
> On Sun, 10 Jul 2016 21:53:52 +0300, Nikolai Petrov said:
>
>> 1. Currently we do not have IPv6 in our network but I have seen the ISP is giving us a "/56 Block" which from what I understand is a couple hundred "/64 Subnets". I think you can only have /64 subnets in IPv6. In our IPv4 setup we
>
> You can have other sized subnets, but 64 is very handy if you intend to use SLAAC auto-configure. There's also the danger of running into broken equipment that doesn't understand other sized subnets (similar to very old IPv4 gear that understood a /24, but exploded if told about a /23 or /25).

I really like SLAAC and its design and I would very much like to use it. Therefore we will be using /64 IP ranges. Is there any way to limit the amount of devices in a subnet to avoid problems and attacks? I don't think the equipment will work with 2^64 devices in a single subnet.

>> have 32 addresses, four of which I will use for NAT and the remaining needed for online services and servers. In IPv6 we have a lot of addresses but I am not sure whether I should give an address of the ISP to every device. I found
>
> Assign a /64 to everyplace that you would assign a subnet in IPv4. Give each device on that subnet its own address. Use DHCPv6 or SLAAC or both, whatever gets the job done in your situation. Don't worry about NAT anymore, you have enough addresses.
>
>> that there is an organization that can help avoid collisions in private IPs: https://www.sixxs.net/tools/grh/ula/ . From what I can tell it is just a registry, but I am thinking of registering the ranges there and then use these subnets and NAT them to the IPv6 address of the router.
>
> Don't do that. NAT was invented to fix a problem that IPv6 doesn't have. Feel free to give every single device a global address. (You'll still want a stateful firewall someplace, but it doesn't have to do NAT, it just has to keep track of legitimate versus malicious traffic).

So why are these addresses there? For installations not connected to the Internet?

> And don't freak out if a device has more than one address. As I'm writing this from the sofa in my living room, my laptop wireless has:
>
> ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.1.150  netmask 255.255.255.224  broadcast 192.168.1.159
>         inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x0<global>
>         inet6 2601:5c0:c100:6431:c01:a589:19a4:236e  prefixlen 64  scopeid 0x0<global>
>         inet6 2601:5c0:c100:6431::d67  prefixlen 128  scopeid 0x0<global>
>         inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf  prefixlen 64  scopeid 0x0<global>
>         inet6 fe80::cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x20<link>
>         inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9  prefixlen 64  scopeid 0x0<global>
>         ether c8:d7:19:37:0c:02  txqueuelen 1000  (Ethernet)
>
> One DHCPv6 - ::d67. One SLAAC - the one with ff:fe in it. And 4 different RFC3041 privacy addresses that it's chunked out over the weekend. It works just fine that way - and it's *designed* to do so. (Of course, in a corporate environment, you may want to turn the privacy addresses off, and only use one of DHCPv6/SLAAC - I do it this way because it tests for broken software...)

Thanks for letting me know ahead of time. I have looked up about the privacy addresses and we don't need them as you say. Is there a reason you use DHCPv6 and SLAAC? Is it for compatibility? Can I use the DHCPv4 to give out DNSv6 addresses?

> Oh, and don't block ICMPv6. :)

I was never a fan of blocking ICMP except the redirects in some cases.

>> something strange. The WAN port of our router gets a /64 IPv6 address which is not in our IPv6. Should I use this for NAT or one of "our" addresses?
>
> You use it for the IP address of the provider-facing interface of your router. Assign the "inside" interface(s) addresses on the appropriate /64 subnet that they will be on.

Oh, so this is like BGP. In my previous company we had BGP connections and we used an IPv4 /30 for these connections which was not within our IP range. I thought they would give us a /126 and not a full /64 so I did not think that was it. Thanks!