Response inline. -----Original Message----- From: Carl Rosevear [mailto:Carl.Rosevear@demandmedia.com] Sent: Tuesday, February 17, 2009 11:59 AM To: nanog@nanog.org Subject: IPv6 Confusion
How does IPv6 addressing work?
RFC 2372 is a good starting point. With IPv6 we provide for every LAN network to be a /64. A good starting point would be counting your VLANs and trying to anticipate how many networks you will need (not how many hosts on said networks). Don't count any non-routed networks, as these can make use of ULA address space (the IPv6 equivalent to RFC 1918 space), for more info on ULA see RFC 4193. If you assign a /64 to every LAN (as you should) then the rest is deciding how much address space you need for network identifiers (remember, since the host segment of each network is a /64 there is no need to define the number of hosts you will have on any given network). A /56 for example would provide you with 256 networks, which is more than enough for most mid-sized networks. If you need more, you could jump up to a /52, providing a 12 bit address space for network identifiers (or 4096) which is the same size as the 802.1Q VLAN ID field. This could be useful in tracking your IPv6 networks as you could essentially use those 12 bits to encode the hex value of the VLAN ID for any network you create (preventing address space conflicts). For very large organizations (multi-campus organizations for example) moving up to a /48 provides enough address space for 16 /52s, or 256 /56s (again, these are just examples, I like to keep the breaks 4 bits apart for readability, but you could use any mask in between). The point is you need to get away from the mindset of determining network sizes based on the number of hosts. On a side note we do make use of /126 networks in the zero address space for link networks (router to router) as recommended by RFC 3627. The main reason for this is because a /64 for link networks (of which we have several) is very wasteful. Using the zero address space for these also provides us with the ability to have much shorter addresses for links using the :: notation; e.g. 2001:DB8::1. With that said, I think most providers are giving out either /64s or /48s right now. IMHO a /48 is often wasteful, but it's not like the address space isn't there. If you're going to be using BGP for routing IPv6 (e.g. more than one provider) you'll want to have something larger than a /48 (/48 and /32 are the most common prefix sizes we see announced through BGP). Many ISPs will refuse to route anything smaller than a /32 though, so check with who you plan on getting service from first. If you don't have need for something that is a /48 or larger, you probably should just try to go through a single provider to assign you a prefix out of their space. Hurricane Electric (HE.net) offers free IPv6 tunnels with /64 or /48 prefix assignments. It might be a good option for you to play around with IPv6 before you go out and request a /32.
I know it's been hashed and rehashed but several orgs I am associated with are about to ask for their allocations from ARIN and we are all realizing we don't really know how the network / subnet structure trickles down from the edge to the host. We really don't have a firm grasp of all of this as there seems to be multiple options regarding how many addresses should be assigned to a host, if the MAC address should be included in the address or if that is just for auto- configuration purposes or what the heck the deal is. There are a lot of clear statements out there and a lot that are clear as mud. Unfortunately, even when trying to analyze which RFC superseded another. Can I just subnet it all like IPv4 but with room to grow or is each host really going to need its own /84 or something? I can't see why hosts would need any more addresses than today but maybe I'm missing something because a lot of addressing models sure allow for a huge number of unique addresses per host.
You shouldn't make any network smaller than a /64, the exception is link networks as mentioned above, but even then there are purists who will say no to those and use /64s there as well. That's the entire point of having a 128-bit address space instead of a 64-bit address space. The intent was to do away with the need for NAT (which is costly and breaks the Internet). Stateless Autoconfiguration (RFC 4862) is your friend; don't fight it. It will be some time before we see things like DHCPv6 snooping work its way into L2 security, but work is already in progress for protection against Router Advertisement (RA)... it's called RA Guard, and you can view the current draft of it here: http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01 On a side note, I always use ::1 for the gateway address, but there is no requirement for that. If you need to assign static IPs to hosts you can start using ::2 or even leave the first handful of addresses empty for future use. Anything that doesn't have the stateless flag (FFFE inserted in the middle) shouldn't cause a conflict. Note that we're in a transition phase for IPv6 right now. That means we're talking about dual-stack network deployments (IPv6 and IPv4 running side by side). It's going to be a while before we can get away with running IPv6-only networks.
There are people here at my company that seem to get it but can't seem to explain it clearly to me. To me, its basically just larger addressing space with some new logical boundaries.... But there are so many discussions of potential addressing methods that I am confused. I know from my lab setups that I can "make it work" but I'd like to "do it right". J
I've been doing this for over 10 years now... IPv4 is native to me.
If you can point me in the direction of some good, authoritative information or even say "Dood, go get IPv6 for dummies", that's fine I just need to know where to find some good information.
Dump the IPv4 mindset, don't use anything smaller than a /64, and assign a /64 for each VLAN and you'll be fine. We have IPv6 deployed on a limited number of networks. The things slowing us down right now are mainly the lack of L2 security features that are around for IPv4 (DHCP snooping, ARP inspection, etc.) In the future we'll be looking at 802.1X for securing access, RA Guard for suppressing rogue IPv6 routers, and much later on, perhaps a shift to stateful addressing using DHCPv6 so that we can dynamically IPv6 DNS records, but that will be much later. Many operating systems don't support DHCPv6 natively yet, but all hosts that support IPv6 support stateless autoconfiguration. We do DHCPv6 on our routers to hand out IPv6 DNS servers for hosts that support DHCPv6, but that's mostly for testing IPv6 on our DNS servers. Ray