On Sat, 2016-03-05 at 16:19 -0500, Laurent Dumont wrote:
We are currently considering deploying IPv6 for a LAN event in April. We are assigned a /48 which we then split into smaller subnets for each player vlan. That said, what remains to be decided is how we are going to assign the IPv6. Basically, it seems that there are two ways, one SLAAC where the endpoint uses RA to generate its own IP and DHCPv6 which is basically DHCP but for IPv6.

SLAAC is way easier:

- no DHCPv6 server is required
- every IPv6-capable device can do it
- you only have to configure the router

With SLAAC you don't get DNS names, whereas DHCPv6 can update the DNS for you. You can let player hosts update the DNS directly, but it's more open to abuse. Or maybe you don't need names anyway.

Other thing with SLAAC is that you get 64-bit subnets and only 64-bit subnets. This should not be any kind of problem with a flat /48, but if you will have more complicated subnetting you should keep an eye on it.

Unless you take steps to prevent SLAAC happening, SLAAC will happen. The simplest way to prevent it happening is to allocate non-64-bit subnets to the router interfaces.

The biggest gotcha (or gotchas) you will face is/are buggy IPv6 implementations on the router/switch side - especially the switches. A small test setup to make sure that your expected host operating systems all work as expected with your planned network infrastructure would be a Very Good Idea.

Second biggest gotcha will be forgetting to secure IPv6. IPv6 packet filters, firewall rules etc are all completely separate and independent from your IPv4 stuff.

Third gotcha - related to the second - is forgetting that your IPv6-connected hosts are not behind NAT and are thus directly exposed to the Internet via IPv6 unless you take steps to make it not so. You should probably provide at least the same basic setup for IPv6 on your outside router interfaces that NAT provides for IPv4, plus ICMPv6. I.e.:

- allow established/related inbound
- allow all ICMPv6
- allow all outbound
- block all inbound

A possible gotcha is people using temporary or privacy IPv6 addressing, which is the default on many modern operating systems. Addresses change - on boot for temporary addresses, at regular intervals. Whether that will be a problem or not depends on whether the hosts will be using long-lived connections.

You may find that some participants have disabled IPv6. Since you are dual stack this shouldn't be an issue, unless your IPv6 connectivity is faster than your IPv4 connectivity. Might be worth getting up to speed on how to enable/disable IPv6 on various operating systems so that you can advise people.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
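
The four-rule IPv6 baseline listed in the reply above, written out as an nftables ruleset. This is an added example, not part of the original message or thread. It assumes the event router is a Linux box running nftables; the interface name "wan0" and the table name "lan_edge" are hypothetical.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original thread).
# Assumptions: Linux router with nftables; "wan0" is a made-up name for
# the outside (Internet-facing) interface; "lan_edge" is a made-up table name.

# "ip6" family: these rules see IPv6 only. The IPv4 ruleset is separate
# and gives no protection here.
table ip6 lan_edge {
    chain forward {
        # Only traffic routed through the box is matched. Default accept,
        # so player-VLAN to player-VLAN forwarding is left alone.
        type filter hook forward priority 0; policy accept;

        # allow established/related inbound: replies to connections that
        # player hosts opened, the stateful part that NAT gives IPv4.
        ct state established,related accept

        # allow all ICMPv6: IPv6 depends on it (e.g. Packet Too Big for
        # path MTU discovery), so it is accepted in both directions.
        meta l4proto ipv6-icmp accept

        # allow all outbound: anything leaving via the outside interface.
        oifname "wan0" accept

        # block all inbound: new, unsolicited traffic arriving from the
        # outside interface and bound for the player VLANs.
        iifname "wan0" drop
    }
}
```

Rule order matters: the established/related and ICMPv6 accepts must come before the final drop, otherwise return traffic and ICMPv6 from the Internet are discarded along with unsolicited connections.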