On 29-mei-2007, at 13:41, Adrian Chadd wrote:
* So is DHCPv6 the "way to go" for deploying IPv6 range(s) to end- customers? Considering the current models of L2TP over IP for broadband aggregation and wholesaling where the customer device speaks PPPoX.
IP6CP in PPP doesn't have the capability to negotiate actual IPv6 addresses, like IPCP can for IPv4. Also, giving out individual addresses isn't likely to be a useful model in IPv6 where the abundance of address space and the lack of NAT make giving out at least one subnet to a user a more natural model. With IPv4, DHCP gives out an address to a host, accompanied by a default gateway address and additional information such as DNS resolvers. IPv6 DHCP (DHCPv6) is capable of giving out addresses, but this isn't universally implemented because IPv6 hosts traditionally get their addresses from stateless autoconfig. DHCPv6 can't provide a default gateway, you need stateless autoconfig for that even if you use DHCPv6 for address assignment. And there is the extra info, but DNS resolvers may be availalbe in stateless autoconfig in the future as well. However, DHCPv6 also has a different mode of operation: prefix delegation. This does what the name implies. What you can do today with a Cisco router is request a prefix from a DHCPv6 server, and then, on a different interface, send out router advertisements using a subprefix from the DHCPv6 one so that hosts will receive addresses in that prefix using stateless autoconfig. When the DHCPv6 server gives out a new prefix, the router and all the hosts are automatically renumbered without much impact, if any. This is probably the way we want to do IPv6 address provisioning for end-users in the future, but that requires that home gateways that implement IPv6 routing functionality come with the DHCPv6 prefix delegation client capability and have this configured by default so it all works out of the box.
* Has anyone sat down and thought about the security implications for running native IPv6 addresses on end-devices which, at the moment, don't have 'direct' access to the internet (ie sitting behind a NAT.)
Sure: http://arstechnica.com/articles/paedia/ipv6-firewall-mixed-blessing.ars