v6 subnet size for DSL & leased line customers
Disclaimer: I'm still very much an IPv6 wussie... :-) --------------------------------------------- But even in 2000 the policy was and still is: /128 for really a single device /64 if you know for sure that only one single subnet will ever be allocated. /48 for every other case (smart bet, should be used per default) ---------------------------------------------- I work on a network with 100K+ DSL folks and 200+ leased line customers, plus some other stuff. The leased line customers are increasing dramatically. I should plan for a /64 for every DSL customer and a /48 for every leased line customer I expect over the next 5-7 years? scott
I work on a network with 100K+ DSL folks and 200+ leased line customers, plus some other stuff. The leased line customers are increasing dramatically. I should plan for a /64 for every DSL customer and a /48 for every leased line customer I expect over the next 5-7 years?
why not a /56 by default for both, and give them an opportunity to justify more? a /64 is a bit old-think unless you are having cost issues getting your space from above. randy
On Thu, 20 Dec 2007 12:26:43 +0900 Randy Bush <randy@psg.com> wrote:
I work on a network with 100K+ DSL folks and 200+ leased line customers, plus some other stuff. The leased line customers are increasing dramatically. I should plan for a /64 for every DSL customer and a /48 for every leased line customer I expect over the next 5-7 years?
why not a /56 by default for both, and give them an opportunity to justify more?
Why not a /48 for all? IPv6 address space is probably cheap enough that even just the time cost of dealing with the occasional justification for moving from a /56 to a /48 might be more expensive than just giving everybody a /48 from the outset. Then there's the op-ex cost of dealing with two end-site prefix lengths - not a big cost, but a constant additional cost none the less.
a /64 is a bit old-think unless you are having cost issues getting your space from above.
Agree. Regards, Mark. -- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
Since no one seems to have mentioned it (or my spam filter blocked it), the ARIN policy recommends both /56 and /64 allocations. From the ARIN Number Policy Manual: 6.5.4.1. Assignment address space size End-users are assigned an end site assignment from their LIR or ISP. The exact size of the assignment is a local decision for the LIR or ISP to make, using a minimum value of a /64 (when only one subnet is anticipated for the end site) up to the normal maximum of /48, except in cases of extra large end sites where a larger assignment can be justified. The following guidelines may be useful (but they are only guidelines): * /64 when it is known that one and only one subnet is needed * /56 for small sites, those expected to need only a few subnets over the next 5 years. * /48 for larger sites For end sites to whom reverse DNS will be delegated, the LIR/ISP should consider making an assignment on a nibble (4-bit) boundary to simplify reverse lookup delegation. RIRs/NIRs are not concerned about which address size an LIR/ISP actually assigns. Accordingly, RIRs/NIRs will not request the detailed information on IPv6 user networks as they did in IPv4, except for the cases described in Section 6.4.4 and for the purposes of measuring utilization as defined in this document. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Why not a /48 for all? IPv6 address space is probably cheap enough that even just the time cost of dealing with the occasional justification for moving from a /56 to a /48 might be more expensive than just giving everybody a /48 from the outset. Then there's the op-ex cost of dealing with two end-site prefix lengths - not a big cost, but a constant additional cost none the less.
And let's not ignore the on-going cost of table-bloat. If you provide a /48 to everyone, in 5 years, those allocations may/may not look stupid. :) Right now, we might say "wow, 256 subnets for a single end-user... hogwash!" and in years to come, "wow, only 256 subnets... what were we thinking!?" Its up to the ISP or LIR with minimum recommendations. "RIRs/NIRs are not concerned about which address size an LIR/ISP actually assigns. Accordingly, RIRs/NIRs will not request the detailed information on IPv6 user networks as they did in IPv4, except for the cases described in Section 6.4.4 and for the purposes of measuring utilization as defined in this document." :) Deepak
Why not a /48 for all? IPv6 address space is probably cheap enough that even just the time cost of dealing with the occasional justification for moving from a /56 to a /48 might be more expensive than just giving everybody a /48 from the outset. Then there's the op-ex cost of dealing with two end-site prefix lengths - not a big cost, but a constant additional cost none the less.
And let's not ignore the on-going cost of table-bloat. If you provide a /48 to everyone, in 5 years, those allocations may/may not look stupid. :)
Right now, we might say "wow, 256 subnets for a single end-user... hogwash!" and in years to come, "wow, only 256 subnets... what were we thinking!?"
Well, what's the likelihood of the "only 256 subnets" problem? Given that a "subnet" in the current model consists of a network that is capable of swallowing the entire v4 Internet, and still being virtually empty, it should be clear that *number of devices* will never be a serious issue for any network, business or residential. You'll always be able to get as many devices as you'd like connected to the Internet with v6. This may ignore some /current/ practical issues that devices such as switches may impose, but that doesn't make it any less true. The question becomes, under what conditions would you need separate "subnets". We have to remember that the answer to this question can be, and probably should be, relatively different than it is under v4. Under v4, subnet policies involved both network capacity and network number availability. A small business with a /25 allocation might use a /26 and a /27 for their office PC's, a /28 for a DMZ, and the last /28 for miscellaneous stuff like a VPN concentrator, etc. The office PC /26 and /27 would generally be on different switches, and the server would have more than one gigE port to accomodate. To deal with higher bandwidth users, you typically try to split up those users between the two networks. Under a v6 model, it may be simpler and more convenient to have a single PC network, with dual gigE LAG (or even 10G) to the switch(es). So I am envisioning that separate networks primarily imposed due to numbering reasons under v4 will most likely become single networks under v6. The primary reasons I see for separate networks on v6 would include firewall policy (DMZ, separate departmental networks, etc)... And I'm having some trouble envisioning a residential end user that honestly has a need for 256 networks with sufficiently differently policies. Or that a firewall device can't reasonably deal with those policies even on a single network, since you mainly need to protect devices from external access. I keep coming to the conclusion that an end-user can be made to work on a /64, even though a /56 is probably a better choice. I can't find the rationale from the end-user's side to allocate a /48. I can maybe see it if you want to justify it from the provider's side, the cost of dealing with multiple prefix sizes. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
The primary reasons I see for separate networks on v6 would include firewall policy (DMZ, separate departmental networks, etc)...
This is certainly one reason for such things.
And I'm having some trouble envisioning a residential end user that honestly has a need for 256 networks with sufficiently differently policies. Or that a firewall device can't reasonably deal with those policies even on a single network, since you mainly need to protect devices from external access.
Perhaps this is a lack of imagination. Imagine that your ethernet->bluetooth gateway wants to treat the bluetooth and ethernet segments as separate routed segments. Now, imagine that some of your bluetooth connected devices have reasons to have some topology behind them... For example, you have a master appliance control center which connects via Bluetooth to your network, but, uses a different household control bus network to talk to various appliances. For security reasons, you've decided not to have your kitchen appliances be able to talk to your media devices (Who wants a virus in some downloaded movie to be able to change the temperature in your refrigerator?).
I keep coming to the conclusion that an end-user can be made to work on a /64, even though a /56 is probably a better choice. I can't find the rationale from the end-user's side to allocate a /48. I can maybe see it if you want to justify it from the provider's side, the cost of dealing with multiple prefix sizes.
I can easily envision the need for more than a /64 in the average home within short order. If nothing else, the average home will probably want to be able to accommodate: Guest network Home wired network Wireless network(s) Bluetooth segment(s) Media network Appliance Control netowrk Lighting Control network etc. However, I agree that in any vision I can come up with today, the need for more than 256 is beyond my current imagination. I think it makes sense to assign as follows: /64 for the average current home user. /56 for any home user that wants more than one subnet /48 for any home user that can show need. Owen
Once upon a time, Owen DeLong <owen@delong.com> said:
I think it makes sense to assign as follows:
/64 for the average current home user. /56 for any home user that wants more than one subnet /48 for any home user that can show need.
Dumb question alert: why the 8 bit boundary? That makes sense for IPv4, where reverse DNS delegation is cumbersome on non-octet boundaries, but IPv6 reverse DNS can be delegated at the nibble boundary. Why not assign /60, /52, etc.? A /60 would probably satisfy virtually all home users (up to 16 subnets) for example. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Chris Adams <cmadams@hiwaay.net> writes:
Once upon a time, Owen DeLong <owen@delong.com> said:
I think it makes sense to assign as follows:
/64 for the average current home user. /56 for any home user that wants more than one subnet /48 for any home user that can show need.
Dumb question alert: why the 8 bit boundary? That makes sense for IPv4, where reverse DNS delegation is cumbersome on non-octet boundaries, but IPv6 reverse DNS can be delegated at the nibble boundary. Why not assign /60, /52, etc.? A /60 would probably satisfy virtually all home users (up to 16 subnets) for example.
IPv6 is supposed to last a whole lot longer than the current horizon for any of our imaginations, and given the large amount of space in play it seems prudent to err on the side of giving people more rather than less so as to avoid having to revisit this issue later. ---rob
IPv6 is supposed to last a whole lot longer than the current horizon for any of our imaginations, and given the large amount of space in play it seems prudent to err on the side of giving people more rather than less so as to avoid having to revisit this issue later.
This is more a question of growth rate. If you apply the growth rate "expected" at the inception of IPv4... and compare that to the "expected" growth rate of IPv6... then go extrapolate to calculate "actual"... well, lets just say 2^128 grows a lot slower than some hockey stick patterns I've seen. Does IPv4 space become the "swamp" of IPv6 world then? DJ
The primary reasons I see for separate networks on v6 would include firewall policy (DMZ, separate departmental networks, etc)...
This is certainly one reason for such things.
Really, in most "small business" networks I've seen, it's by far the main one if we want to be honest about it. The use of multiple networks to increase performance, for example, is something you can design around differently, and modern hardware supports things like LAG without having to get into the realm of unimaginably expensive hardware. Even if you do end up putting a quad port ethernet into a server with v6, the sizes of the allocations we're discussing would allow you 64 completely separate "workgroups" with their own server at the /56 allocation size (64 * 4 = 256).
And I'm having some trouble envisioning a residential end user that honestly has a need for 256 networks with sufficiently differently policies. Or that a firewall device can't reasonably deal with those policies even on a single network, since you mainly need to protect devices from external access.
Perhaps this is a lack of imagination.
Imagine that your ethernet->bluetooth gateway wants to treat the bluetooth and ethernet segments as separate routed segments.
That /is/ a lack of imagination. ;-) Or, at least, reaching pretty far. The history of these sorts of devices has been, to date, one of trying to keep network configuration simple enough that an average user can use them. That implies a default mode of bridging will be available.
Now, imagine that some of your bluetooth connected devices have reasons to have some topology behind them... For example, you have a master appliance control center which connects via Bluetooth to your network, but, uses a different household control bus network to talk to various appliances. For security reasons, you've decided not to have your kitchen appliances be able to talk to your media devices (Who wants a virus in some downloaded movie to be able to change the temperature in your refrigerator?).
Yes, and? You're saying there are no access controls at the gateway level? I'm not entirely sure that I care for the idea of making people route things at the IP level just so they can protect their fridge from their DVD.
I keep coming to the conclusion that an end-user can be made to work on a /64, even though a /56 is probably a better choice. I can't find the rationale from the end-user's side to allocate a /48. I can maybe see it if you want to justify it from the provider's side, the cost of dealing with multiple prefix sizes.
I can easily envision the need for more than a /64 in the average home within short order.
You should probably correct that from "need" to "want." There is nothing preventing the deployment of all of the below on a single /64, it would simply mean that there would be a market for smart firewalling switches that could isolate devices by address or range, rather than having smart firewalling routers that could isolate devices by subnet.
If nothing else, the average home will probably want to be able to accommodate: Guest network Home wired network Wireless network(s) Bluetooth segment(s) Media network Appliance Control netowrk Lighting Control network etc.
However, I agree that in any vision I can come up with today, the need for more than 256 is beyond my current imagination.
Again, I think this comes down to a matter of how configuration is going to be handled. I suspect that we're not going to see a substantial increase in sophistication on the part of end users. I /believe/ that this will likely mean that device manufacturers will be building devices that don't rely on routing for IPv6, since if I go on down to my employer's network and plug in a bluetooth gateway, there's really no guarantee that I'm going to be able to get my employer's network to magically route a network at my gateway, but it's pretty obvious that my device can play the role of a bridge. If we have significant customer-side routing of IPv6, then there's going to need to be some way to manage that. I guess that's RIPv6/ng. :-) More likely-seeming to me, would be that a provider might be willing to provide a CPE device that had 4, 8, or even 16 jacks on it - a mini-router with a separate /64 on each port, less "magic" to be figured out by the end user. This leaves the question of how much you want to trust your ISP's CPE for firewalling policy ... among other things.
I think it makes sense to assign as follows:
/64 for the average current home user. /56 for any home user that wants more than one subnet /48 for any home user that can show need.
I'd say skip the /64 and /48. Don't do the /64, as future-proofing. A /48 is just something I cannot see need for, given the number of addresses available as a /56, unless the "home user" is actually providing connectivity to a bunch of his nearby friends and neighbors. Having fewer options is going to be easier for the ISP, I suspect. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Dec 21, 2007, at 9:39 AM, Joe Greco wrote:
The primary reasons I see for separate networks on v6 would include firewall policy (DMZ, separate departmental networks, etc)...
This is certainly one reason for such things.
Really, in most "small business" networks I've seen, it's by far the main one if we want to be honest about it. The use of multiple networks to increase performance, for example, is something you can design around differently, and modern hardware supports things like LAG without having to get into the realm of unimaginably expensive hardware. Even if you do end up putting a quad port ethernet into a server with v6, the sizes of the allocations we're discussing would allow you 64 completely separate "workgroups" with their own server at the /56 allocation size (64 * 4 = 256).
Agreed. In fact, in any network large enough to matter, most modern hardware forwards L2 and L3 at the same speed, so, there's essentially no performance barrier. OTOH, in many business netwoks I've seen, there is reason to segment things into administrative boundaries, boundaries that result from media conversion creating routed separation of segments, and, other topology meets physical limitation issues. I find these to be at least as common as the separation between Internal/External/DMZ.
And I'm having some trouble envisioning a residential end user that honestly has a need for 256 networks with sufficiently differently policies. Or that a firewall device can't reasonably deal with those policies even on a single network, since you mainly need to protect devices from external access.
Perhaps this is a lack of imagination.
Imagine that your ethernet->bluetooth gateway wants to treat the bluetooth and ethernet segments as separate routed segments.
That /is/ a lack of imagination. ;-) Or, at least, reaching pretty far. The history of these sorts of devices has been, to date, one of trying to keep network configuration simple enough that an average user can use them. That implies a default mode of bridging will be available.
You are ignoring the reality of the difference between IPv4 and IPv6. With DHCP6 prefix delegation, creating a hierarchical routed topology becomes as simple (from the end user perspective) as the bridged topology today, and, requires a lot less thinking ability on the device. Especially when you consider the possibility of many such topologies evolving in a situation that could create a loop and the fact that most such existing devices implement bridging without spanning tree.
Now, imagine that some of your bluetooth connected devices have reasons to have some topology behind them... For example, you have a master appliance control center which connects via Bluetooth to your network, but, uses a different household control bus network to talk to various appliances. For security reasons, you've decided not to have your kitchen appliances be able to talk to your media devices (Who wants a virus in some downloaded movie to be able to change the temperature in your refrigerator?).
Yes, and? You're saying there are no access controls at the gateway level? I'm not entirely sure that I care for the idea of making people route things at the IP level just so they can protect their fridge from their DVD.
I'm saying that bridges tend not to have access controls or at least not adequate access controls except in a few (l2 firewall oddities like Netscreen/PIX in Bridge mode) exceptional cases. The point here is that in IPv6, you aren't "making people route things", the routing topology will mostly handle itself automatically, although, people may wish to intervene to design the security policy or at least have the ability to modify it from the default. You are trying to apply strictly IPv4 thinking to IPv6, and, there are some reasons that a significant paradigm shift is required.
I keep coming to the conclusion that an end-user can be made to work on a /64, even though a /56 is probably a better choice. I can't find the rationale from the end-user's side to allocate a /48. I can maybe see it if you want to justify it from the provider's side, the cost of dealing with multiple prefix sizes.
I can easily envision the need for more than a /64 in the average home within short order.
You should probably correct that from "need" to "want." There is nothing preventing the deployment of all of the below on a single /64, it would simply mean that there would be a market for smart firewalling switches that could isolate devices by address or range, rather than having smart firewalling routers that could isolate devices by subnet.
We will agree to disagree on this. Enforcing security policy within a subnet is ugly at best and unreliable at worst. It makes troubleshooting harder. It makes security policy design more complex. It causes many many more problems than it solves in my opinion.
If nothing else, the average home will probably want to be able to accommodate: Guest network Home wired network Wireless network(s) Bluetooth segment(s) Media network Appliance Control netowrk Lighting Control network etc.
However, I agree that in any vision I can come up with today, the need for more than 256 is beyond my current imagination.
Again, I think this comes down to a matter of how configuration is going to be handled. I suspect that we're not going to see a substantial increase in sophistication on the part of end users. I /believe/ that this will likely mean that device manufacturers will be building devices that don't rely on routing for IPv6, since if I go on down to my employer's network and plug in a bluetooth gateway, there's really no guarantee that I'm going to be able to get my employer's network to magically route a network at my gateway, but it's pretty obvious that my device can play the role of a bridge.
Actually, there is some guarantee that, in IPv6, you'll be able to do that, or, you will know that you could not. You will make a DHCP6 request for a prefix delegation, and, you will receive it or be told no. Most likely, that is how most such v6 gateways will function. I think that bridges are less likely to be the norm in IPv6.
If we have significant customer-side routing of IPv6, then there's going to need to be some way to manage that. I guess that's RIPv6/ng. :-)
Nope... DHCPv6 prefix delegation and Router discovery.
More likely-seeming to me, would be that a provider might be willing to provide a CPE device that had 4, 8, or even 16 jacks on it - a mini- router with a separate /64 on each port, less "magic" to be figured out by the end user.
Sure. And likely, the /64s on each port will be assigned via DHCPv6 from the upstream segment.
This leaves the question of how much you want to trust your ISP's CPE for firewalling policy ... among other things.
LoL... Trust my ISPs CPE? Not if they control it.
I think it makes sense to assign as follows:
/64 for the average current home user. /56 for any home user that wants more than one subnet /48 for any home user that can show need.
I'd say skip the /64 and /48. Don't do the /64, as future- proofing. A /48 is just something I cannot see need for, given the number of addresses available as a /56, unless the "home user" is actually providing connectivity to a bunch of his nearby friends and neighbors.
I have no objection to skipping the /64, but, I don't think you'll get much traction with that with most of the larger ISPs (think AOL, Comcast, etc.) as I think they will want to charge more for a topology-supporting service than a single subnet if current business models are an example of their plans for the future.
Having fewer options is going to be easier for the ISP, I suspect.
Nope. Each ISP can choose to offer whatever subset of these options they consider easiest. Having fewer options for them to choose from isn't easier for them, it's putting them in a straight-jacket, which, from my experience as an active participant in the ARIN policy process is usually not appreciated by them. Owen
Agreed. In fact, in any network large enough to matter, most modern hardware forwards L2 and L3 at the same speed, so, there's essentially no performance barrier.
Except we're primarily discussing what are almost certain to be small networks here, so there's probably not even any significant concern about this.
OTOH, in many business netwoks I've seen, there is reason to segment things into administrative boundaries, boundaries that result from media conversion creating routed separation of segments, and, other topology meets physical limitation issues. I find these to be at least as common as the separation between Internal/External/DMZ.
Yes, and just how many of those business networks actually involve more than a handful of networks with a DSL-class upstream connection? Let's not get confused here. I don't ever see large enterprises hanging off residential broadband Internet connections, and quite frankly, if they try, I'm not that concerned about how easy it is for them to manage.
That /is/ a lack of imagination. ;-) Or, at least, reaching pretty far. The history of these sorts of devices has been, to date, one of trying to keep network configuration simple enough that an average user can use them. That implies a default mode of bridging will be available.
You are ignoring the reality of the difference between IPv4 and IPv6.
No, I'm not.
With DHCP6 prefix delegation, creating a hierarchical routed topology becomes as simple (from the end user perspective) as the bridged topology today, and, requires a lot less thinking ability on the device. Especially when you consider the possibility of many such topologies evolving in a situation that could create a loop and the fact that most such existing devices implement bridging without spanning tree.
I look at the practical realities. Let's look at the big IPv6 picture. It is unlikely that there will be wide acceptance of the ability to create ad-hoc routed topologies in many environments; controlled-access corporate environments certainly represent one such environment. That implies that the capability to do bridging (or, if you prefer, switching) will remain as a virtually mandatory option. Creating a hierarchical routed topology certainly seems and sounds nice, and in fact, I'm all in favor of it, but I don't actually expect that it's going to be the default.
I'm saying that bridges tend not to have access controls or at least not adequate access controls except in a few (l2 firewall oddities like Netscreen/PIX in Bridge mode) exceptional cases. The point here is that in IPv6, you aren't "making people route things",
You aren't?
the routing topology will mostly handle itself automatically, although,
Oh, you are, you're just pretending you aren't. I see.
people may wish to intervene to design the security policy or at least have the ability to modify it from the default.
But that's pretty much something that we could and should want regardless. Honestly, how hard would it be, today, to build a little switch-widget that implemented access controls to various ports? And if you do that, does it matter if it's happening on a "router" or on a switch? (hint: answer is "it does not, really, though it may blow the minds of traditionalists.")
You are trying to apply strictly IPv4 thinking to IPv6, and, there are some reasons that a significant paradigm shift is required.
No, actually, I'm not really thinking IPv-anything. I'm thinking more in terms of network blobs and how they interrelate. I could just as easily say that you're applying traditionalist network design paradigms to next-generation networks, when in fact that may not be the right thing to do.
We will agree to disagree on this. Enforcing security policy within a subnet is ugly at best and unreliable at worst. It makes troubleshooting harder. It makes security policy design more complex. It causes many many more problems than it solves in my opinion.
Your average home user isn't going to know about any of that. He's going to have his Netgear (or pick your $fav vendor) smartthing that either routes or switches at Layer 2 or Layer 3, depending. Ultimately, what /he/ is going to want to do is to see a little interface come up, that displays a little graphic view of his network, lets him click on a device, and set security policy. He'll want to be able to set "Vista PC" to access "Everything". He'll want to be able to set "Home Media Server" to access "Local Only". He'll want to be able to set "Vonage VoIP Adapter" to access "Specific Network Only." He isn't going to know or care about your "security policy design," he isn't going to be engaging in any serious "troubleshooting," and he's going to rely on the logic in the device to determine if the policy is even enforceable (which /can/ be determined). He isn't going to be concerned about, or even want to be concerned about, L2 vs L3 or where the firewalling takes place. He's going to expect his device to be smart enough to tell him what he needs to do, and whether the underlying network is one thing or another isn't a serious consideration. You simply have to realize that L2 and L3 aren't as different as you seem to think. You can actually consider them flip sides of a coin in many cases.
Actually, there is some guarantee that, in IPv6, you'll be able to do that, or, you will know that you could not. You will make a DHCP6 request for a prefix delegation, and, you will receive it or be told no.
So, as I said...
Most likely, that is how most such v6 gateways will function.
/Possibly/. It would be much more likely to be that way if everyone was issued large CIDR blocks, every router was willing to delegate a prefix, and there was no call for bridging.
I think that bridges are less likely to be the norm in IPv6.
I'm skeptical, but happy to be proven wrong someday.
If we have significant customer-side routing of IPv6, then there's going to need to be some way to manage that. I guess that's RIPv6/ng. :-)
Nope... DHCPv6 prefix delegation and Router discovery.
We'll see. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
the "but what if they want the toaster on a separate subnet from the blender" gives a new depth to 'reaching.' the one case i can think of for firewalling/routing within the home is to keep the bathroom scale from locking the fridge. and if you can't make a reasonable case for it today, then yagni. leave boiling the ocean to the experts at the tvtf. randy
Randy Bush wrote:
the "but what if they want the toaster on a separate subnet from the blender" gives a new depth to 'reaching.' the one case i can think of for firewalling/routing within the home is to keep the bathroom scale from locking the fridge.
and if you can't make a reasonable case for it today, then yagni. leave boiling the ocean to the experts at the tvtf.
If ipv6 subnetting is going to be hosed up at this point it's going to be done by people deploying it.
randy
Joel Jaeggli wrote:
Randy Bush wrote:
the "but what if they want the toaster on a separate subnet from the blender" gives a new depth to 'reaching.' the one case i can think of for firewalling/routing within the home is to keep the bathroom scale from locking the fridge. If ipv6 subnetting is going to be hosed up at this point it's going to be done by people deploying it.
unfortunately, 'hosed up' only seems to be understood some years out. smb's point is apt, we always end up too small. but i still have a very hard time understanding what we are gonna do with more than a /56 to a consumer connection. and if i start to go to the left of a /56, where do i stop? there is no obvious detent on the knob. randy
Randy Bush wrote:
Joel Jaeggli wrote:
Randy Bush wrote:
the "but what if they want the toaster on a separate subnet from the blender" gives a new depth to 'reaching.' the one case i can think of for firewalling/routing within the home is to keep the bathroom scale from locking the fridge. If ipv6 subnetting is going to be hosed up at this point it's going to be done by people deploying it.
unfortunately, 'hosed up' only seems to be understood some years out.
smb's point is apt, we always end up too small.
but i still have a very hard time understanding what we are gonna do with more than a /56 to a consumer connection.
Leave enough address space for pd to occur? We know that if I hand you the end-user a /64 that the first device that you connect to the network (wireless/ethernet router) will nat because it wants a l3 boundary between the outside and the inside for v6 just like it has for v4. If that device, when it boots and requests pd receives a /64, cool... but what does it do when some device downstream from it asks for address space? So is a /64 ok for an end customer? No because it doesn't meet the criterion of a location where one and only one subnet will be needed. Does it need a whole /48? Probably not. What you need in your provisioning system and how you structure address-space usage for the benefit of your IGP is that downstream devices need to be able to request and receive blocks of a size commiserate with their needs without increasing the footprint of your routing table.
and if i start to go to the left of a /56, where do i stop? there is no obvious detent on the knob.
There is a huge detent at /48, but there's a certain amount of guidance that can only be derived from operational experience. It's not clear to me why /56 would be unacceptable, particularly if you're delegating them to a device that already has a /64. Are one's customers attached via point-to-point links, or do they sit on shared broadcast domain where their cpe is receiving a /128 and requesting pd from the outset? When someone plugs an apple airport into a segment of the corporate lan should it be be able to request pd under those circumstances as well? how is that case different than plugging it in on a residential connection? These are issues providers can and should grapple with. Much as assigning a /32 to a residential customer vs /30 or /28 is a business decision. In many if not most cases we don't currently provide as many v4 addresses as there are devices within the customer premises. Enough addresses isn't going to be an issue in v6, The dynamic creation of topology that was automatically and at least in one direction transparently created by restricted-cone nats is obviously something new.
randy
Randy Bush wrote:
There is a huge detent at /48
other than the perennial operational pontification from on high by the gods of the ietf (brought to us by the folk who brought us the wonderful TLA, NLA, etc. classfulness++), could you elucidate?
From one angle, last time I looked, the RIRs were converging on that as acceptable minimum for a single PI allocation.
/48 is a large enough block that single site however you choose to define that, is not going to have to renumber out of it due to inability to subnet. If you mean there's no detent between /48 and /56 wouldn't you a wholesale operator determine that based on the need and guidance from your rir? We do not in ipv4 land just hand out /19s and /20s to customers until we can go back to arin for another /12... If you're asking why ipng doesn't incorporate the lessons of cidr (they're both responses to the same problem), then you tell me, you were there and I was in high-schol.
randy
There is a huge detent at /48 other than the perennial operational pontification from on high by the gods of the ietf (brought to us by the folk who brought us the wonderful TLA, NLA, etc. classfulness++), could you elucidate? From one angle, last time I looked, the RIRs were converging on that as acceptable minimum for a single PI allocation.
look again
/48 is a large enough block that single site however you choose to define that, is not going to have to renumber out of it due to inability to subnet.
one: as smb says, no amount turns out to be enough in the long run two: my point is that, for the reasonably forseable future, hard to see need for more than 256 routing segments needed by an end consumer site
If you mean there's no detent between /48 and /56 wouldn't you a wholesale operator determine that based on the need and guidance from your rir?
you said there was a huge detent at /48. i am trying to see how you got there. excuse my density, but i still can not.
If you're asking why ipng doesn't incorporate the lessons of cidr (they're both responses to the same problem), then you tell me, you were there and I was in high-school.
expedience and politics ruled over prudent engineering. classic tvtf. randy
On 23 dec 2007, at 7:07, Joel Jaeggli wrote:
If you mean there's no detent between /48 and /56
What does "no detent between..." mean?
If you're asking why ipng doesn't incorporate the lessons of cidr
What lessons would that be? On 23 dec 2007, at 7:59, Mikael Abrahamsson wrote:
Does IPv6 capable CPEs have the possibility to source packets from local network (received via pd) and only have FE80: IP for upstream routing which is never used as an SRC address for communication with the outside world (apart from upstream router)?
IPv6 routing protocols allow this, yes. I can't remember if I tried it with Cisco's prefix delegation but I'm fairly confident it would work for that, too. On 23 dec 2007, at 9:49, Mohacsi Janos wrote:
The dibbler seemed to be rather complete DHCPv6 implementation. I think default gateway and prefix length distribution via DHCPv6 will be quite problematical any many situation. There plenty of organisation who has a dedicated team/person for network management (routers, switches etc.), while another team/person for system management (dhcp, servers etc.). So configuring DHCPv6 requires cooperation which takes time, but users are complaining....
Hm, I haven't heard that argument used against DHCPv6. (On principle, I'm against doing something that's technically suboptimal because it's easier organizationally, though.) Having a default router in DHCPv6 would be a mistake because if the DHCPv6 server isn't also the default router, this introduces an opportunity for failures that isn't there with router advertisements. I've heard people argue that prefixes should be in RAs for much the same reason and therefore it's a good thing that DHCPv6 doesn't know about the prefix _length_ but that doesn't convince me: if you give someone an address, you impliccitly also give them a prefix, so it makes no sense to withhold the prefix length and require another protocol to learn this information. On 23 dec 2007, at 10:03, Randy Bush wrote:
so, what problems are there with dhcpv6 that differ from those we have experienced with dchpv4? what would be good to know before trying to deploy it?
The difference is that for IPv4, it's DHCP or manual configuration. With IPv6, you also have stateless autoconfig using router advertisements. So it's no so much what DHCPv6 does that IPv4 DHCP doesn't do, but what you can do without DHCPv6 that you couldn't do without DHCP in IPv4. In small IPv4 networks the DHCP server runs on the router so there is fate sharing, but this doesn't work well if there is more than one router. In that case you'll soon be running a DHCP server that's separate from the routers and thus opening up a new failure mode. With RAs hosts get the same address regardless of which router they happen to talk to so it's a lot more robust than either the single router model or the separate DHCP server model.
do organizations you know prefer autoconf or dhcpv6? and why?
What I hear is that enterprise admins want DHCPv6 because they want to have control. Me, I want to run a DHCPv6-free network because RAs give me what I want and more protocols just means more headaches. On 23 dec 2007, at 18:54, Ross Vandegrift wrote:
Second, we currently have two mechanisms to configure IPv6 hosts with an address: router advertisements and DHCPv6. The former has been implemented in ALL IPv6 stacks but doesn't work if your subnet isn't a /64.
But the protocols don't imply or require this. All of the messages used in stateless autoconfig will behave as expected with longer prefix lengths. So it seems that because the interface identifier has to be 64-bits, stateless autoconfig is unnecessarily crippled.
The idea is that your interface identifier that you create locally from a MAC address is unique. With less than 46 bits that's not going to happen. Unforatunately, the 17 or 18 bits that you don't need for this are in the middle. But at some point in the future we can revist this and free up 16 bits so anyone with a /64 can create 65535 fresh subnets out of nothing, which is good insurance against possible bad address allocation policies. Note that there's duplicate address detection but that only _detects_ the problem and doesn't fix it if there are duplicate addresses. On 23 dec 2007, at 21:44, David Barak wrote:
How about this for a modest proposal for a capability: Allow autoconfigured generation of IPv6 interface addresses to use this format:
(one byte VLAN ID) (48 bit MAC address)
What I always tell people is to do it like this: <given /48 bits>:<decimal VLAN ID>:</64 subnet> I.e., VLAN 288 would be something like 2001:db8:31:288::/64 If you then also tell routers to fill in the bottom 64 bits with an EUI-64, your configs are extremely straightforward. -- I've written another book! http://www.runningipv6.net/
do organizations you know prefer autoconf or dhcpv6? and why?
What I hear is that enterprise admins want DHCPv6 because they want to have control. Me, I want to run a DHCPv6-free network because RAs give me what I want and more protocols just means more headaches.
I would much prefer DHCPv6 to work "just like DHCPv4" - which means that the great bulk of our customers are configured with an unnumbered interface on a BRAS, and all the relevant IP configuration is on the DHCP server. The key here is avoidance of customer-specific config on the BRAS. It's beginning to sound like IPv6 is going to be considerably more complex than IPv4 here - which is certainly going to slow its uptake... Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On Dec 23, 2007 1:21 PM, Iljitsch van Beijnum <iljitsch@muada.com> wrote:
do organizations you know prefer autoconf or dhcpv6? and why?
What I hear is that enterprise admins want DHCPv6 because they want to have control. Me, I want to run a DHCPv6-free network because RAs give
not control, but 'the same functionality and capabilities as exist today' (which is atleast resolver definitions, default-gw, ip-addressing, equipment/asset tracking... more)
me what I want and more protocols just means more headaches.
and trying to keep 50k machines updated with proper resolvers (in the simplest example) is easier with RA than DHCP how? Seriously, its head-out-of-sandpile time here. Enterprise admins and dsl/cable-modem folks use DHCP today so that they can have some flexibility to migrate their services around if there are issues, concerns, or new/better platforms that could be taken advantage of by their users. If you do not provide that level of flexibility with the same (or better hopfully) overhead you've lost the game. If your 'network' is 5 machines in a basement all with ssh+root then this conversation doesn't matter. If your network is a 50k+ mixed platform global enterprise network you are F'd with a capital F if you have to spend cycles running to all 50k+ machines to update their resolver settings (in just the simplest of examples). -Chris
and trying to keep 50k machines updated with proper resolvers (in the simplest example) is easier with RA than DHCP how?
do you really mean skip RA or all of autoconf? i want to explore RA(only) + DHCP, to save me from running a routing protocol or vsrp to have redundant exits for a LAN. randy, about to go off net, heading for a rural onsen & ryokan
On Dec 23, 2007 8:44 PM, Randy Bush <randy@psg.com> wrote:
and trying to keep 50k machines updated with proper resolvers (in the simplest example) is easier with RA than DHCP how?
do you really mean skip RA or all of autoconf?
I think what makes sense is to use the parts of ipv6 that work well, RA, but blend in what works already well and is folded already into the enterprise model... dhcpv6.
i want to explore RA(only) + DHCP, to save me from running a routing protocol or vsrp to have redundant exits for a LAN.
ok, somewhere there's a blend of things that will work for enterprises and cable/dsl/mso folk. I think that some enterprises don't mind 'random address selection' while they want to pass out info required (cause like it or not DNS is required) in a sane manner, one that's even part of their current method. RA/Autoconf won't work at all for some folks with deployed server infra, all they want is a method to get a static addr on a box and route properly. Perhaps RA gets them the 'route properly' part easily enough but I can imagine places where that is even turned off. Basically my rant here is that autoconf isn't enough, it's not even a starting point for enterprise folks who rely on DHCP for all it's bells + whistles. Taking a giant leap backwards is never going to fly for them, so wake up and smell the cafe, dhcpv6 needs to be viable, workable, operable, built-in and well tested.
randy, about to go off net, heading for a rural onsen & ryokan
have fun! -Chris
Christopher Morrow wrote:
RA/Autoconf won't work at all for some folks with deployed server infra, all they want is a method to get a static addr on a box and route properly. Perhaps RA gets them the 'route properly' part easily enough but I can imagine places where that is even turned off.
I think it would be great to be able to do hybrids with RA for other situations where a shotgun approach is ok but I do not think we will want to use that in server environments. Hopefully vrrpv6 will work with RA turned completely off. - Kevin
On 24 dec 2007, at 20:00, Kevin Loch wrote:
RA/Autoconf won't work at all for some folks with deployed server infra,
That's just IPv4 uptightness. As long as you don't change your MAC address you'll get the same IPv6 address every time, this works fine for servers unless you need a memorable address. BTW, I don't know anyone who uses DHCP for their servers.
Hopefully vrrpv6 will work with RA turned completely off.
With router advertisements present you don't need VRRP because you have dead neighbor detection.
Iljitsch van Beijnum wrote:
On 24 dec 2007, at 20:00, Kevin Loch wrote:
RA/Autoconf won't work at all for some folks with deployed server infra,
That's just IPv4 uptightness. As long as you don't change your MAC address you'll get the same IPv6 address every time, this works fine for servers unless you need a memorable address. BTW, I don't know anyone who uses DHCP for their servers.
Hopefully vrrpv6 will work with RA turned completely off.
With router advertisements present you don't need VRRP because you have dead neighbor detection.
And that helps the hosts on the same l2 segment that need different gateways how? Or hosts with access to multiple l2 segments with different gateways? RA is a shotgun. All hosts on a segment get the same gateway. I have no idea what a host on multiple segments with different gateways would do. Hosting environments can get complex thanks to customer requirements and baggage from previous migrations. Load balancer and VPN configurations are common culprits but there are also cases where servers need different gateways for routing policy reasons. All of this is easily accommodated with static gateways and the redundancy provided by vrrpv4. Please don't take that away from us. Migration to v6 will be difficult enough without subtracting functionality from our existing tools. Other than that I look forward to seeing what wonderful things we can do with RA to simplify things in cases where shotgun == ok. - Kevin
On Dec 24, 2007, at 9:43 PM, Kevin Loch wrote:
Iljitsch van Beijnum wrote:
On 24 dec 2007, at 20:00, Kevin Loch wrote:
RA/Autoconf won't work at all for some folks with deployed server infra, That's just IPv4 uptightness. As long as you don't change your MAC address you'll get the same IPv6 address every time, this works fine for servers unless you need a memorable address. BTW, I don't know anyone who uses DHCP for their servers. Hopefully vrrpv6 will work with RA turned completely off. With router advertisements present you don't need VRRP because you have dead neighbor detection.
And that helps the hosts on the same l2 segment that need different gateways how? Or hosts with access to multiple l2 segments with different gateways?
I think the point is that RA and VRRPv6 are not designed to depend on each other in any way. While you can certainly run both on any given segment, it is hard to imagine many cases where one would want to do so. In places where all you need is to know a valid gateway that can do the right thing with your packets, RA is probably the right solution. This, generally, turns out to be the vast majority of LAN segments. Clearly, RA is intended only for scenarios where a gateway is a gateway is a gateway. In places where you need tighter control over the usage of various gateways on a common L2 segment, VRRP probably makes more sense. However, as things currently stand, that means static routing configuration on the host since for reasons passing understanding, DHCP6 specifically won't do gateway assignment. I don't know the state of the current VRRP6 draft or protocol, but, I can't imagine what would be left in VRRP6 if it couldn't be statically configured without RA. If that's the case, then, what would it possibly do, exactly, that would be different from RA without VRRP? Owen
In places where you need tighter control over the usage of various gateways on a common L2 segment, VRRP probably makes more sense. However, as things currently stand, that means static routing configuration on the host since for reasons passing understanding, DHCP6 specifically won't do gateway assignment.
For those of us with lots of IPv4 customers dependent on DHCP, it would be good to know more detail about this point. What is the problem, and are there plans to do anything about it in DHCPv6? Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Thus spake <sthaug@nethelp.no>
In places where you need tighter control over the usage of various gateways on a common L2 segment, VRRP probably makes more sense. However, as things currently stand, that means static routing configuration on the host since for reasons passing understanding, DHCP6 specifically won't do gateway assignment.
For those of us with lots of IPv4 customers dependent on DHCP, it would be good to know more detail about this point. What is the problem, and are there plans to do anything about it in DHCPv6?
For most hosts, there is no need for anything like VRRP or getting a default gateway via DHCP in v6 because all hosts are required to implement RA/RS. The vast majority of hosts either have one default gateway or two-plus equivalent ones, so that works fine. For hosts with multiple gateways that are unequal, VRRP+DHCP doesn't solve the problem any better than RA/RS; you have to fiddle with the hosts' routing tables to get things set up right. S Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
On 25 dec 2007, at 6:43, Kevin Loch wrote:
With router advertisements present you don't need VRRP because you have dead neighbor detection.
And that helps the hosts on the same l2 segment that need different gateways how? Or hosts with access to multiple l2 segments with different gateways?
In my opinion, having hosts with different default gateways on the same LAN is not the most desirable way to build a network. If you have hosts with multiple interfaces and you want to set routes on those host for stuff that's reachable through a router on the interface that's not talking to the default router, then I agree VRRP would be useful. But again, I would probably try to avoid a setup like that. (Not saying that I'm dead set against the availability of VRRP for IPv6, though.) On 25 dec 2007, at 11:24, sthaug@nethelp.no wrote:
since for reasons passing understanding, DHCP6 specifically won't do gateway assignment.
For those of us with lots of IPv4 customers dependent on DHCP, it would be good to know more detail about this point. What is the problem, and are there plans to do anything about it in DHCPv6?
It looks like many people working on DHCP for IPv6 favor a model where there is a separation of tasks between RAs and DHCPv6. So one does one thing, the other does something else. No overlap. Now I don't subscribe to that philosophy, because I want my hosts to learn their DNS servers from RAs (and finally we have RFC 5006!) but in this case I agree: there is no good way to make sure that what a DHCP server says is actually working, while a router advertising its own presence obviously does that. Address configuration and everything associated with it is the place where IPv4 and IPv6 are really different, so don't try to copy existing stuff in this area to IPv6 blindly, more often than not that's not the most optimal approach. There are actually some people asking for default gateways in DHCPv6. If this happens, it should be such that a DHCPv6 server can tell you which of the available gateways to prefer, but nothing stronger than that.
In a message written on Tue, Dec 25, 2007 at 12:43:45AM -0500, Kevin Loch wrote:
RA is a shotgun. All hosts on a segment get the same gateway. I have no idea what a host on multiple segments with different gateways would do. Hosting environments can get complex thanks to customer
I would like to point out that in IPv4 we have ICMP Router Advertisement messages. I have never seen them used on a production network. I know one of the worries is security, that a compromised host could send out advertisements, drawing traffic to it that it can then snoop and pass on to the real gateway. Having not looked in great detail, I am unclear if IPv6 has done something to fix this concern or not. Is this feature going to get turned off when the first worm comes along that spoofs RA's -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
* Leo Bicknell:
In a message written on Tue, Dec 25, 2007 at 12:43:45AM -0500, Kevin Loch wrote:
RA is a shotgun. All hosts on a segment get the same gateway. I have no idea what a host on multiple segments with different gateways would do. Hosting environments can get complex thanks to customer
I would like to point out that in IPv4 we have ICMP Router Advertisement messages. I have never seen them used on a production network. I know one of the worries is security, that a compromised host could send out advertisements, drawing traffic to it that it can then snoop and pass on to the real gateway.
DHCP and ARP face the same issue. That's why "one host per subnet" is so appealing.
On Dec 26, 2007, at 8:26 AM, Leo Bicknell wrote:
In a message written on Tue, Dec 25, 2007 at 12:43:45AM -0500, Kevin Loch wrote:
RA is a shotgun. All hosts on a segment get the same gateway. I have no idea what a host on multiple segments with different gateways would do. Hosting environments can get complex thanks to customer
I would like to point out that in IPv4 we have ICMP Router Advertisement messages. I have never seen them used on a production network. I know one of the worries is security, that a compromised host could send out advertisements, drawing traffic to it that it can then snoop and pass on to the real gateway.
Having not looked in great detail, I am unclear if IPv6 has done something to fix this concern or not.
Is this feature going to get turned off when the first worm comes along that spoofs RA's
It's unlikely that it will matter. In practice, ICMP router discovery died a long time ago, thanks to neglect. Host vendors didn't adopt it, and it languished. The problem eventually got solved with HSRP and its clone, VRRP. This doesn't resolve the real underlying problem: Ethernet is inherently insecure. MAC addresses can be forged, protocols (ARP, ND) can be forged and at this point, there's not much that we can do about it. Architecturally, we need authentication over each and every control plane packet sent. Getting there without invoking the full complexity of a public key infrastructure is still an unsolved problem, AFAIK. Tony
On 26 dec 2007, at 19:22, Tony Li wrote:
This doesn't resolve the real underlying problem: Ethernet is inherently insecure. MAC addresses can be forged, protocols (ARP, ND) can be forged and at this point, there's not much that we can do about it. Architecturally, we need authentication over each and every control plane packet sent. Getting there without invoking the full complexity of a public key infrastructure is still an unsolved problem, AFAIK.
Actually, for this particular purpose, this is mostly a solved problem, although there is of course no free lunch. Many switches can enforce a MAC/port relationship, so that MAC addresses can't be spoofed. Neighbor discovery and router advertisements can be secured with SEND (SEcure Neighbor Discovery). This happens through CGAs, cryptograpically generated addresses. Basically, the lower 64 bits of the IPv6 address contains a hash over a public key. This makes it possible to prove ownership over an address. The not free part is that you need to configure certificates for trust relationships = the routers that may be default gateways.
In a message written on Wed, Dec 26, 2007 at 09:19:54PM +0100, Iljitsch van Beijnum wrote:
Many switches can enforce a MAC/port relationship, so that MAC addresses can't be spoofed.
Which gets to the crux of my question. If you're a shop that uses such features today (MAC/Port tracking, DHCP snooping, etc) to "secure" your IPv4 infrastructure does IPv6 RA's represent a step backwards from a security perspective? Would IPv6 deployment be hindered until there is DHCPv6 snooping and DHCPv6 is able to provide a default gateway, a-la how it is done today in IPv4? It would be very interesting to me if the answer was "it's moot because we're going to move to CGA's as a step forward"; it would be equally interesting if the answer is "CGA isn't ready for prime time / we can't deploy it for xyz reason, so IPv6 is less secure than IPv4 today and that's a problem." -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On 26 dec 2007, at 22:40, Leo Bicknell wrote:
If you're a shop that uses such features today (MAC/Port tracking, DHCP snooping, etc) to "secure" your IPv4 infrastructure does IPv6 RA's represent a step backwards from a security perspective? Would IPv6 deployment be hindered until there is DHCPv6 snooping and DHCPv6 is able to provide a default gateway, a-la how it is done today in IPv4?
It would be very interesting to me if the answer was "it's moot because we're going to move to CGA's as a step forward"; it would be equally interesting if the answer is "CGA isn't ready for prime time / we can't deploy it for xyz reason, so IPv6 is less secure than IPv4 today and that's a problem."
With IPv4, a lot of these features are developed by vendors and (sometimes) later standardized in the IETF or elsewhere. With IPv6, the vendors haven't quite caught up with the IETF standardization efforts yet, so the situation is samewhat different. For instance, SEND/CGA is excellent work, but we've only recently seen the first implementations. Personally, I'm not a big fan of DHCPv6. First of all, from a philosophical standpoint: I believe that stateless autoconfiguration is a better model in most cases (although it obviously doesn't support 100% of the DHCP functionality). But apart from that, some of the choices made along the way make DHCPv6 a lot harder to use than DHCP for IPv4. Not only do you lack a default gateway (which is actually a good thing for fate sharing reasons) but also a subnet prefix length and any extra on-link prefixes. So even if you do address configuration with DHCPv6 you need RAs for that other information. There's also tons of ways to complicate your life by mixing stateless autoconf and DHCPv6, especially since most systems don't support DHCPv6 unless you install additional software. Last but not least, DHCPv6 has a stateful mode that's appropriate for address assignment or prefix delegation, and a stateless mode that's more efficient for the configuration of information that's not client-specific. Unfortunately, it's up to the client to initiate the desired mode. Then there are the M and O bits in RAs that tell you whether to do DHCPv6 but a number of DHCPv6 aficionados look like they want to ignore those bits. What this all boils down to is that if you want to deploy DHCPv6 you need to install software on a lot of systems and modify a lot of configurations. If you're going to do all that, it's easier to simply configure this stuff manually. The only downside to that is that it's not compatible with easy renumbering, but then, you need to do more than just automate address assignment to support easy renumbering. I don't think IPv6 address configuration in general and DHCPv6 in particular will ever be fully equivalent to how things work with IPv4. This is really the place where the differences between the two protocols are the biggest. For those of us who are familiar with IPX, AppleTalk, CLNP and IPv4: IPv6 basically uses the address configuration methods from all of those, no wonder it can get a bit complex. That being said, please go to your vendors and tell them what you need. Preferably at a high level, so they can provide the functionality in the optimal way, rather than just revert back to the IPv4 way of doing things.
Personally, I'm not a big fan of DHCPv6. First of all, from a philosophical standpoint: I believe that stateless autoconfiguration is a better model in most cases (although it obviously doesn't support 100% of the DHCP functionality). But apart from that, some of the choices made along the way make DHCPv6 a lot harder to use than DHCP for IPv4. Not only do you lack a default gateway (which is actually a good thing for fate sharing reasons) but also a subnet prefix length and any extra on-link prefixes. So even if you do address configuration with DHCPv6 you need RAs for that other information.
Which is probably going to make IPv6 deployment slower in service provider environments.
There's also tons of ways to complicate your life by mixing stateless autoconf and DHCPv6, especially since most systems don't support DHCPv6 unless you install additional software. Last but not least, DHCPv6 has a stateful mode that's appropriate for address assignment or prefix delegation, and a stateless mode that's more efficient for the configuration of information that's not client-specific. Unfortunately, it's up to the client to initiate the desired mode. Then there are the M and O bits in RAs that tell you whether to do DHCPv6 but a number of DHCPv6 aficionados look like they want to ignore those bits.
Again, this is something that's going to slow down deployment in service provider environments. Providers are comfortable with the IPv4 DHCP model (which is definitely not stateless) and many of us would like to keep this.
What this all boils down to is that if you want to deploy DHCPv6 you need to install software on a lot of systems and modify a lot of configurations. If you're going to do all that, it's easier to simply configure this stuff manually. The only downside to that is that it's not compatible with easy renumbering, but then, you need to do more than just automate address assignment to support easy renumbering.
"Configure this stuff manually" may work for a small number of customers. It is highly undesirable (and probably won't be considered at all) in an environment with, say, 1 million customers. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On 27 dec 2007, at 11:57, sthaug@nethelp.no wrote:
"Configure this stuff manually" may work for a small number of customers. It is highly undesirable (and probably won't be considered at all) in an environment with, say, 1 million customers.
Of course not. But RAs on a subnet with a million customers doesn't work either, nor does DHCP on a subnet with a million customers. If we're talking about provisioning cable/DSL/FTTH users, that's a completely different thing. Here, DHCPv6 prefix delegation to a CPE which then provides configuration to hosts on its LAN side would be the most appropriate option. However, the specifics of that model need to be worked out as there are currently no ISPs and no CPEs that do that, as far as I know.
"Configure this stuff manually" may work for a small number of customers. It is highly undesirable (and probably won't be considered at all) in an environment with, say, 1 million customers.
Of course not. But RAs on a subnet with a million customers doesn't work either, nor does DHCP on a subnet with a million customers.
It wouldn't be a subnet with a million customers, of course. We would typically have aggregation routers handling 5000 to 30000 customers, each connected via (in our case) point to point DSL links. Important point here is that we *don't* want per-customer IPv4 (or IPv6) config on the aggregation routers - this is what we have DHCP servers for.
If we're talking about provisioning cable/DSL/FTTH users, that's a completely different thing. Here, DHCPv6 prefix delegation to a CPE which then provides configuration to hosts on its LAN side would be the most appropriate option. However, the specifics of that model need to be worked out as there are currently no ISPs and no CPEs that do that, as far as I know.
I agree that DHCPv6 prefix delegation (for instance a /56) to a CPE which provides configuration to hosts on its LAN side sounds like a reasonable model. It requires the customer to have a CPE with actual *router* functionality, as opposed to just a bridge. This is different from today's requirements, but may not be unreasonable. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On 27 dec 2007, at 12:44, sthaug@nethelp.no wrote:
I agree that DHCPv6 prefix delegation (for instance a /56) to a CPE which provides configuration to hosts on its LAN side sounds like a reasonable model. It requires the customer to have a CPE with actual *router* functionality, as opposed to just a bridge. This is different from today's requirements, but may not be unreasonable.
Ok, that would be CPE == modem. Another line of thought would be a bridging modem + a routing CPE that the customer provides. This would be similar to the home "routers" that you can buy today. (A lot of ISPs, especially in the are I just moved to, insist on providing you with a "free" "router" rather than just a modem, yuck!) Ideally, a bridging modem would be able to talk to both individual hosts, just like it can on IPv4, or to a router provided by the customer. But unlike with IPv4, these modes of operation would have to be different in the absense of NAT. Providing a prefix to a user is actually the simple part, because there is really only one way to do it (short of manual configuration): DHCPv6 prefix delegation. The trouble is how ISP equipment talks to the first IPv6 device on the customer side. The easy way would be to have a separate VLAN and IPv6 subnet for that for each customer but I gather that means more expensive equipment. Using the IPv4 model with DHCPv6 wouldn't work well because of the low DHCPv6 adoption. (This problem may or may not go away in time; I gather that Vista has it but that Apple isn't interested in adopting DHCPv6.) However, rather than snooping DHCP messages and inserting DHCP options, with IPv6 DSL/cable equipment on the ISP side (or even the modem) could intercept and modify router advertisements so each customer gets their own prefix advertised. If we then do some ingress filtering based on that prefix and force all traffic through the first IPv6 router on the ISP side this could work very well. Interestingly, in IPv6 there is no need for a default gateway to have an address in the subnet prefix that hosts use. So the problem that you'd have with this in IPv4, that two neighbors can't communicate because the hosts think they're on the same IP subnet but direct traffic between them is blocked, doesn't occur. (Unless the router sends redirects.) On 27 dec 2007, at 13:11, Mark Smith wrote:
I think it's interesting CGAs are being discussed in the same email as the one where you say you want to be able to express prefix length in DHCPv6 - because I'm guessing you want that feature to be able to shorten node addresses.
Actually I spoke up against that in the last IETF meeting. Maybe in 20 years when we made such a mess of the other bits that we need to recover some of those interface identifier bits. The issue with lacking a prefix length in DHCPv6 doesn't really lead to any trouble in normal operation, but it does make DHCPv6 mostly useless in one of the cases that it's advertised for: the situation where there is no router on the subnet. In that case, if host A gets 2001::a and host B gets 2001::b but they don't know the subnet size, the conservative assumption is /128 which means that they can't communicate. Hardcoding /64 would be bad, even in router advertisements the prefix length is carried explicitly even though stateless autoconfig won't work if it's not 64. On 27 dec 2007, at 13:19, Mark Smith wrote:
there are currently no ISPs and no CPEs that do that, as far as I know.
I haven't had a chance to test it, but according to "Deploying IPv6 Networks", IOS can support DHCPv6 based prefix delegation. It even supports multiple downstream interfaces on the CPE - you configure the subnet number you want on each of the interfaces, and the CPE will configure the DHCP-PD learned /48 on the front of them automatically and then start announcing those prefixes in RAs out those interfaces.
You're absolutely right. For some reason it never connected in my brain that my Cisco 826/827 (I always forget which) ADSL router supports this, even with a 3 year old IOS. I think when I tested this I did so on a bunch of 2500s. But if you look at Apple's Airport Extreme base station, for instance, that box will only terminate a tunnel and not handle any kind of native IPv6 routing. See http://www1.ietf.org/mail-archive/web/ipv6/current/msg08798.html for a small config example. (I think someone said the Airport Extreme bridges IPv6 and routes IPv4 (or maybe the other way around), which isn't true. You can configure it to bridge or do IPv4 NAT and separately from that to route between an IPv6 manual or 6to4 tunnel and the LAN ports (+ WAN port when bridging).)
On Thu, 27 Dec 2007 12:11:54 +0100 Iljitsch van Beijnum <iljitsch@muada.com> wrote:
On 27 dec 2007, at 11:57, sthaug@nethelp.no wrote:
"Configure this stuff manually" may work for a small number of customers. It is highly undesirable (and probably won't be considered at all) in an environment with, say, 1 million customers.
Of course not. But RAs on a subnet with a million customers doesn't work either, nor does DHCP on a subnet with a million customers.
If we're talking about provisioning cable/DSL/FTTH users, that's a completely different thing. Here, DHCPv6 prefix delegation to a CPE which then provides configuration to hosts on its LAN side would be the most appropriate option. However, the specifics of that model need to be worked out as there are currently no ISPs and no CPEs that do that, as far as I know.
I haven't had a chance to test it, but according to "Deploying IPv6 Networks", IOS can support DHCPv6 based prefix delegation. It even supports multiple downstream interfaces on the CPE - you configure the subnet number you want on each of the interfaces, and the CPE will configure the DHCP-PD learned /48 on the front of them automatically and then start announcing those prefixes in RAs out those interfaces. Regards, Mark. -- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
On Thu, 27 Dec 2007 11:27:13 +0100 Iljitsch van Beijnum <iljitsch@muada.com> wrote:
On 26 dec 2007, at 22:40, Leo Bicknell wrote:
<snip>
It would be very interesting to me if the answer was "it's moot because we're going to move to CGA's as a step forward"; it would be equally interesting if the answer is "CGA isn't ready for prime time / we can't deploy it for xyz reason, so IPv6 is less secure than IPv4 today and that's a problem."
With IPv4, a lot of these features are developed by vendors and (sometimes) later standardized in the IETF or elsewhere. With IPv6, the vendors haven't quite caught up with the IETF standardization efforts yet, so the situation is samewhat different. For instance, SEND/CGA is excellent work, but we've only recently seen the first implementations.
Personally, I'm not a big fan of DHCPv6. First of all, from a philosophical standpoint: I believe that stateless autoconfiguration is a better model in most cases (although it obviously doesn't support 100% of the DHCP functionality). But apart from that, some of the choices made along the way make DHCPv6 a lot harder to use than DHCP for IPv4. Not only do you lack a default gateway (which is actually a good thing for fate sharing reasons) but also a subnet prefix length and any extra on-link prefixes.
I think it's interesting CGAs are being discussed in the same email as the one where you say you want to be able to express prefix length in DHCPv6 - because I'm guessing you want that feature to be able to shorten node addresses. One of the benefits of fixed length node addresses, at the 64 bit boundary, is that it has made CGA much simpler - the CGA designers knew from the outset that they were dealing with a single, fixed length 64 bit field to store the results of their crypto functions. If people had different length autoconfigured or DHCPv6 learned addresses, not only would CGA have to had be designed to support those varying field lengths, increasing it's complexity (and therefore increasing opportunities for implementation related security failure aka bugs with security consequences), it's also likely that CGA would have had to incorporate parameter checks to prevent people enabling it, when the node address length they've chosen is too short for the security strength CGA is designed to provide. If you don't perform these sorts of checks, then too weak CGA, because of too short node addresses, might give people a false sense of security - and I think that's far worse than no security at all. Regards, Mark. -- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
In a message written on Thu, Dec 27, 2007 at 11:27:13AM +0100, Iljitsch van Beijnum wrote:
100% of the DHCP functionality). But apart from that, some of the choices made along the way make DHCPv6 a lot harder to use than DHCP for IPv4. Not only do you lack a default gateway (which is actually a good thing for fate sharing reasons) but also a subnet prefix length and any extra on-link prefixes. So even if you do address configuration with DHCPv6 you need RAs for that other information.
I would note, it's not too late to fix these problems. We don't have wide spread IPv6 deployment yet, and I can't imagine it's all that hard to send a default gateway in DHCPv6, for example. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Leo Bicknell Sent: Thursday, December 27, 2007 8:51 AM To: North American Network Operators Group Subject: Re: v6 subnet size for DSL & leased line customers In a message written on Thu, Dec 27, 2007 at 11:27:13AM +0100, Iljitsch van Beijnum wrote:
100% of the DHCP functionality). But apart from that, some of the choices made along the way make DHCPv6 a lot harder to use than DHCP for IPv4. Not only do you lack a default gateway (which is actually a
good thing for fate sharing reasons) but also a subnet prefix length and any extra on-link prefixes. So even if you do address configuration with DHCPv6 you need RAs for that other information.
I would note, it's not too late to fix these problems. We don't have wide spread IPv6 deployment yet, and I can't imagine it's all that hard to send a default gateway in DHCPv6, for example. ------------------------------------------------------------------------ -- Someone earlier threw out an offhand 'preferred gateway' DHCPv6 parameter as a possibility. This is actually a nifty idea... "Hey, you there, use potential gateways in the following order!" It has the same utility and simplicity that MX records do. Jamie
On Dec 27, 2007 5:27 AM, Iljitsch van Beijnum <iljitsch@muada.com> wrote:
With IPv4, a lot of these features are developed by vendors and (sometimes) later standardized in the IETF or elsewhere. With IPv6, the vendors haven't quite caught up with the IETF standardization efforts yet, so the situation is samewhat different. For instance, SEND/CGA is excellent work, but we've only recently seen the first implementations.
first implementations, in a protocol that's 'fully baked' (according to ietf closing down the v6 WG) and been in 'production' for 15 years? for features that have existed in the v4 network for 5+ years? ouch... This gets back to my point about having feature parity and the fact that that is important. People have deployed rather large environments that require these features, not having them is a step backwards and painful for the operators in question.
What this all boils down to is that if you want to deploy DHCPv6 you need to install software on a lot of systems and modify a lot of
'the largest deployed platform' already has this built-in, yes? (vista/xp)
configurations. If you're going to do all that, it's easier to simply configure this stuff manually. The only downside to that is that it's
you are crazy... seriously, have you walked around to 10k or 50k machines or attempted to get helpdesky people to do the same? have you considered that this all works fine in v4, is tied into my OSS backends and is a part of my business process? Getting some new software (firefox is a fine example) deployed to 50k workstations is an overnight event... SMS (or whatever the new MS equivalent is) rolls out the software update, there are many other options (tivoli, ca-unicenter, custom-foo) which will also do this work for you, getting proper and dynamic setup of IP info (my earlier example of resolvers) isn't quite as simple unless you use dhcp.
not compatible with easy renumbering, but then, you need to do more than just automate address assignment to support easy renumbering.
sure, like deploy v6... wait, that doesn't do it either :( It's not just renumbering, it's migration of services which the network elements are reliant on (dns, wins, tftp-root/nfs-root...) tieing my laptop to the same addr each time for some process including logs and HR details and SoX compliance perhaps. This is a bighairy beast, just saying 'dhcpv6 isnt possible use autoconf' is never going to be acceptable.
That being said, please go to your vendors and tell them what you need. Preferably at a high level, so they can provide the functionality in the optimal way, rather than just revert back to the IPv4 way of doing things.
also be sure to let your standards body(s) know that some form of feature parity is relevant. I think often there is a missing message between operators and the other folks :( this clearly (to me atleast) seems like one of those areas. -Chris
On 27 dec 2007, at 20:26, Christopher Morrow wrote:
With IPv4, a lot of these features are developed by vendors and (sometimes) later standardized in the IETF or elsewhere. With IPv6, the vendors haven't quite caught up with the IETF standardization efforts yet, so the situation is samewhat different. For instance, SEND/CGA is excellent work, but we've only recently seen the first implementations.
first implementations, in a protocol that's 'fully baked' (according to ietf closing down the v6 WG) and been in 'production' for 15 years?
You suggest that I said that IPv6 has only recently seen the first implementations. I was talking about CGA/SEND, not IPv6 proper, which was standardized some 12 years ago.
for features that have existed in the v4 network for 5+ years? ouch... This gets back to my point about having feature parity
Some of the "features" of IPv4 are actually glaring holes that some people have found a use for. Also, SEND is something that doesn't exist in IPv4 so your complaint doesn't apply here.
and the fact that that is important. People have deployed rather large environments that require these features, not having them is a step backwards and painful for the operators in question.
Please direct your feature request to your favorite vendors...
What this all boils down to is that if you want to deploy DHCPv6 you need to install software on a lot of systems and modify a lot of
'the largest deployed platform' already has this built-in, yes? (vista/xp)
Vista: yes, it seems. XP, no so much. Windows XP can't even do DNS lookups over IPv6, which basically means that you can't use an XP machine on an IPv6-only network.
If you're going to do all that, it's easier to simply configure this stuff manually. The only downside to that is that it's
you are crazy... seriously, have you walked around to 10k or 50k machines or attempted to get helpdesky people to do the same? have you considered that this all works fine in v4, is tied into my OSS backends and is a part of my business process? Getting some new software (firefox is a fine example) deployed to 50k workstations is an overnight event... SMS (or whatever the new MS equivalent is) rolls out the software update, there are many other options (tivoli, ca-unicenter, custom-foo) which will also do this work for you, getting proper and dynamic setup of IP info (my earlier example of resolvers) isn't quite as simple unless you use dhcp.
It is wih IPv6: you just connect the ethernet cable and the RAs take care of the rest. _You_ _really_ _don't_ _need_ _DHCP_ _for_ _IPv6_. If you need extreme control then manual configuration will give you that, which may be appropriate in some cases, such as servers.
just saying 'dhcpv6 isnt possible use autoconf' is never going to be acceptable.
Never said it isn't possible. But unlike with IPv4, where DHCP is the default answer unless you're really sure you need manual configuration, DHCPv6 isn't the default answer for IPv6.
That being said, please go to your vendors and tell them what you need. Preferably at a high level, so they can provide the functionality in the optimal way, rather than just revert back to the IPv4 way of doing things.
also be sure to let your standards body(s) know that some form of feature parity is relevant. I think often there is a missing message between operators and the other folks :( this clearly (to me atleast) seems like one of those areas.
Taken to its extreme "feature parity" means a search and replace of all IPv4 specs to make every instance of "32 bits" "128 bits" but not changing anything else. That's not what IPv6 is.
On Thu, 27 Dec 2007 22:57:59 +0100 Iljitsch van Beijnum <iljitsch@muada.com> wrote:
On 27 dec 2007, at 20:26, Christopher Morrow wrote:
<snip>
Taken to its extreme "feature parity" means a search and replace of all IPv4 specs to make every instance of "32 bits" "128 bits" but not changing anything else. That's not what IPv6 is.
Exactly. IPv6 is similar enough to IPv4 that it makes it easier to learn than if it were a completely new and unrelated protocol. It's different enough that you need to take each of the concepts and practices that you know and have used for IPv4 for many years and try to objectively evaluate whether they're still valid for IPv6. IPv6 has features that IPv4 has never had, but have existed in IPX and Appletalk since they were designed many years ago. If people have the time, learning about those protocols might help with more easily learning about IPv6. Regards, Mark. -- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
In a message written on Thu, Dec 27, 2007 at 10:57:59PM +0100, Iljitsch van Beijnum wrote:
It is wih IPv6: you just connect the ethernet cable and the RAs take care of the rest. _You_ _really_ _don't_ _need_ _DHCP_ _for_ _IPv6_. If you need extreme control then manual configuration will give you that, which may be appropriate in some cases, such as servers.
Really. I didn't know RA's could: - Configure NTP servers for me. - Tell me where to netboot from. - Enter dynamic DNS entries in the DNS tree for me. - Tell me my domain name. - Tell me the VLAN to use for IP Telephony. Those are things I use on a regular basis I'd really rather not manually configure. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
And, besides the list forwarded below, Designated printers, Preferred DNS Servers, and, maybe, more. Even in a large enterprise, the ratio of "routers" to DHCP servers makes control of many end system parameters via DHCP a management win compared to configuration of "routers" with this "non-network core" data. (In case I was to abstruse, It is cheaper to maintain end system parameters in a smaller number of DHCP servers than in a larger number of "routers".) This is completely separate from the fact that many experienced router engineers are smart enough configure routers with NTP server addresses in preference to DNS names, and likewise for many other parameters. The end system population has requirements which respond much more dynamically to business requirements than do router configurations, which respond mostly to wiring configurations which are, by comparison, static. The statement that DHCP is not needed for IPv6 packet routing may well be exactly accurate. The absence of good DHCP support in IPv6 has costly consequences for enterprise management, of which IP routing is a small part. You have seen this before from me: Consider the Customer/Business Management viewpoint, not just that of routing packets around between boxes. Pull your head out of your patch panel and look at all the business requirements. If you can show me a more cost effective way to distribute all the parameters mentioned here to all end systems, I'll support it. In the meantime, don't use religious arguments to prevent me from using whatever is appropriate to manage my business. I'll even use NAT boxes, if there is no equivalently affordable stateful firewall box! Cutler Begin forwarded message:
From: Leo Bicknell <bicknell@ufp.org> Date: December 27, 2007 7:33:08 PM EST To: North American Network Operators Group <nanog@merit.edu> Subject: Re: v6 subnet size for DSL & leased line customers
In a message written on Thu, Dec 27, 2007 at 10:57:59PM +0100, Iljitsch van Beijnum wrote:
It is wih IPv6: you just connect the ethernet cable and the RAs take care of the rest. _You_ _really_ _don't_ _need_ _DHCP_ _for_ _IPv6_. If you need extreme control then manual configuration will give you that, which may be appropriate in some cases, such as servers.
Really. I didn't know RA's could:
- Configure NTP servers for me. - Tell me where to netboot from. - Enter dynamic DNS entries in the DNS tree for me. - Tell me my domain name. - Tell me the VLAN to use for IP Telephony.
Those are things I use on a regular basis I'd really rather not manually configure.
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
James R. Cutler james.cutler@consultant.com
I have a modest proposal for providing the functionality of DHCPv4 in IPv6 autoconf: How about using the mechanism in RFC 5075 to specify all of these variables as RA flags? And as long as the variables also get defined as DHCPv6 fields, perhaps we could plan on having prefix delegation include these options, which the requesting router could then turn around and include in the RAs sent out on the link toward the customer. Am I missing something? David Barak Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com --- On Thu, 12/27/07, James R. Cutler <james.cutler@consultant.com> wrote:
From: James R. Cutler <james.cutler@consultant.com> Subject: [DCHPv6] was Re: v6 subnet size for DSL & leased line customers To: "North American Network Operators Group" <nanog@merit.edu> Date: Thursday, December 27, 2007, 9:37 PM And, besides the list forwarded below, Designated printers, Preferred DNS Servers, and, maybe, more.
Even in a large enterprise, the ratio of "routers" to DHCP servers makes control of many end system parameters via DHCP a management win compared to configuration of "routers" with this "non-network core" data. (In case I was to abstruse, It is cheaper to maintain end system parameters in a smaller number of DHCP servers than in a larger number of "routers".)
This is completely separate from the fact that many experienced router engineers are smart enough configure routers with NTP server addresses in preference to DNS names, and likewise for many other parameters.
The end system population has requirements which respond much more dynamically to business requirements than do router configurations, which respond mostly to wiring configurations which are, by
comparison, static. The statement that DHCP is not needed for IPv6 packet routing may well be exactly accurate. The absence of good DHCP support in IPv6 has costly consequences for enterprise
management, of which IP routing is a small part.
You have seen this before from me: Consider the Customer/Business Management viewpoint, not just that of routing packets around between boxes. Pull your head out of your patch panel and look at all the business requirements. If you can show me a more cost effective way to distribute all the parameters mentioned here to all end systems, I'll support it. In the meantime, don't use religious arguments to prevent me from using whatever is appropriate to manage my business. I'll even use NAT boxes, if there is no equivalently affordable stateful firewall box!
Cutler
Begin forwarded message:
From: Leo Bicknell <bicknell@ufp.org> Date: December 27, 2007 7:33:08 PM EST To: North American Network Operators Group <nanog@merit.edu> Subject: Re: v6 subnet size for DSL & leased line customers
In a message written on Thu, Dec 27, 2007 at 10:57:59PM +0100, Iljitsch van Beijnum wrote:
It is wih IPv6: you just connect the ethernet cable and the RAs take care of the rest. _You_ _really_ _don't_ _need_ _DHCP_ _for_ _IPv6_. If you need extreme control then manual configuration will give you that, which may be appropriate in some cases, such as servers.
Really. I didn't know RA's could:
- Configure NTP servers for me. - Tell me where to netboot from. - Enter dynamic DNS entries in the DNS tree for me. - Tell me my domain name. - Tell me the VLAN to use for IP Telephony.
Those are things I use on a regular basis I'd really rather not manually configure.
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
James R. Cutler james.cutler@consultant.com
____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs
Leo Bicknell <bicknell@ufp.org> writes:
In a message written on Thu, Dec 27, 2007 at 10:57:59PM +0100, Iljitsch van Beijnum wrote:
It is wih IPv6: you just connect the ethernet cable and the RAs take care of the rest. _You_ _really_ _don't_ _need_ _DHCP_ _for_ _IPv6_. If you need extreme control then manual configuration will give you that, which may be appropriate in some cases, such as servers.
Really. I didn't know RA's could:
- Configure NTP servers for me. - Tell me where to netboot from. - Enter dynamic DNS entries in the DNS tree for me. - Tell me my domain name. - Tell me the VLAN to use for IP Telephony.
Those are things I use on a regular basis I'd really rather not manually configure.
I'm running (native) IPv6 at home, and in the colo too. Most of my ssh sessions to personally owned machines go over v6. My laptops (with a single exception) are Macs. You may not be aware that the Mac is fairly smart about which interface it uses for connections - it will prefer the gigabit ethernet to the wireless when it sees link... it prefers wireless to dialup too. Basically, whenever you establish a new outgoing session it will use the "lowest cost" interface to do the deed. For IPv4, I have the same address manually assigned on the DHCP server to both the gigabit ethernet's MAC address and the wireless interface's MAC address. This means that when I plug into the gige, as I do for filesharing or backing some files up, the Mac uses the gigabit ethernet. When I unplug and carry the Mac to the conference room, *all existing upper layer sessions are preserved* - TCP and friends are blissfully unaware that a change has taken place; one gratuitous arp so the router knows where to send the packets and we're on our way again with nary a hiccup. I don't have an ssh session croak just because I connected or disconnected a cable. I'd really, really, really like to have DHCP6 on the Mac. Autoconfig is not sufficient for this task unless there is some kind of trick you can do to make the eui-64 come out the same for both interfaces (don't think so). Anyone from Apple reading this list? :-) ---Rob
On Dec 27, 2007, at 9:50 PM, Robert E. Seastrom wrote:
Leo Bicknell <bicknell@ufp.org> writes:
In a message written on Thu, Dec 27, 2007 at 10:57:59PM +0100, Iljitsch van Beijnum wrote:
It is wih IPv6: you just connect the ethernet cable and the RAs take care of the rest. _You_ _really_ _don't_ _need_ _DHCP_ _for_ _IPv6_. If you need extreme control then manual configuration will give you that, which may be appropriate in some cases, such as servers.
Really. I didn't know RA's could:
- Configure NTP servers for me. - Tell me where to netboot from. - Enter dynamic DNS entries in the DNS tree for me. - Tell me my domain name. - Tell me the VLAN to use for IP Telephony.
Those are things I use on a regular basis I'd really rather not manually configure.
I'm running (native) IPv6 at home, and in the colo too. Most of my ssh sessions to personally owned machines go over v6.
My laptops (with a single exception) are Macs. You may not be aware that the Mac is fairly smart about which interface it uses for connections - it will prefer the gigabit ethernet to the wireless when it sees link... it prefers wireless to dialup too. Basically, whenever you establish a new outgoing session it will use the "lowest cost" interface to do the deed.
For IPv4, I have the same address manually assigned on the DHCP server to both the gigabit ethernet's MAC address and the wireless interface's MAC address. This means that when I plug into the gige, as I do for filesharing or backing some files up, the Mac uses the gigabit ethernet. When I unplug and carry the Mac to the conference room, *all existing upper layer sessions are preserved* - TCP and friends are blissfully unaware that a change has taken place; one gratuitous arp so the router knows where to send the packets and we're on our way again with nary a hiccup. I don't have an ssh session croak just because I connected or disconnected a cable.
I'd really, really, really like to have DHCP6 on the Mac. Autoconfig is not sufficient for this task unless there is some kind of trick you can do to make the eui-64 come out the same for both interfaces (don't think so).
Anyone from Apple reading this list? :-)
Don't know, but I bet they read the MacnetworkProg list - they are present on all the Apple hosted lists I am on. See http://lists.apple.com/mailman/listinfo/macnetworkprog from http://lists.apple.com/mailman/listinfo Regards Marshall
---Rob
On Thu, 27 Dec 2007 21:50:01 -0500 "Robert E. Seastrom" <rs@seastrom.com> wrote:
Leo Bicknell <bicknell@ufp.org> writes:
<snip>
I'd really, really, really like to have DHCP6 on the Mac. Autoconfig is not sufficient for this task unless there is some kind of trick you can do to make the eui-64 come out the same for both interfaces (don't think so).
Don't know if Mac's can do bridging, but under Linux, all you'd need to do would be create bridge instance, assign the two or more interfaces to the bridge, and have DHCPv6 use the bridge virtual interface. Regards, Mark. -- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
Mark Smith <nanog@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org> writes:
On Thu, 27 Dec 2007 21:50:01 -0500 "Robert E. Seastrom" <rs@seastrom.com> wrote:
I'd really, really, really like to have DHCP6 on the Mac. Autoconfig is not sufficient for this task unless there is some kind of trick you can do to make the eui-64 come out the same for both interfaces (don't think so).
Don't know if Mac's can do bridging, but under Linux, all you'd need to do would be create bridge instance, assign the two or more interfaces to the bridge, and have DHCPv6 use the bridge virtual interface.
The problem is that there is no DHCPv6 for the Mac (well, I suppose I could try building it by hand and see how far I get). I'm pretty sure that Macs aren't set up to do a layer 2 bridge group between their interfaces, and moreover I think this is risky behavior in terms of creating a loop if something goes wrong on the laptop even if the host OS supports it. ---rob
Tony Li wrote:
On Dec 26, 2007, at 8:26 AM, Leo Bicknell wrote:
It's unlikely that it will matter. In practice, ICMP router discovery died a long time ago, thanks to neglect. Host vendors didn't adopt it, and it languished. The problem eventually got solved with HSRP and its clone, VRRP.
Its been available from microsoft since windows2000, and according to documentation, on by default. I am not quite sure this can be blamed on vendors as opposed to users. http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry...
On Sat, 22 Dec 2007, Joel Jaeggli wrote:
Leave enough address space for pd to occur? We know that if I hand you the end-user a /64 that the first device that you connect to the network
What about the "wan" side of that connection? I want the customer to only source traffic from the /56 being assigned and I don't want ISP router to have any IPs in that space. Does IPv6 capable CPEs have the possibility to source packets from local network (received via pd) and only have FE80: IP for upstream routing which is never used as an SRC address for communication with the outside world (apart from upstream router)? If not, is this something that we should ask the CPE vendors for? It would be extremely nice for CoPP etc for ISP routers to have no IP in customer space, and CPEs to have no IP in ISP link-network space. Would make for very effective infrastructure ACLs. -- Mikael Abrahamsson email: swmike@swm.pp.se
There is a huge detent at /48, but there's a certain amount of guidance that can only be derived from operational experience. It's not clear to me why /56 would be unacceptable, particularly if you're delegating them to a device that already has a /64. Are one's customers attached via point-to-point links, or do they sit on shared broadcast domain where their cpe is receiving a /128 and requesting pd from the outset?
When someone plugs an apple airport into a segment of the corporate lan should it be be able to request pd under those circumstances as well? how is that case different than plugging it in on a residential connection?
These are issues providers can and should grapple with.
More likely, at least some of them are fairly naive questions. For example, /experience/ tells us that corporate LAN policies are often implemented without regard to what "we", as Internet engineers, would prefer, so I can guarantee you with a 100% certainty that there will be at least some networks, and more than likely many networks, where you will not be able to simply request a prefix delegation and have that work the way you'd like. There will always be some ISP who has delegated, or some end site who has received, a "far too close to being just large enough" allocation, and so even if we assume that every router vendor and IPv6 implementation from here to eternity has no knobs to disable prefix delegation, simple prefix exhaustion within an allocation will be a problem. All the screams of "but they should have been allocated more" will do nothing to change this. Further, if we consider, for a moment, a world where prefix delegation is the only method of adding something like an Apple Airport to an existing network, this is potentially encouraging the burning of /64's for the addition of a network with perhaps a single client. That's perfectly fine, /as long as/ networks are allocated sufficient resources. This merely means that from a fairly pessimistic viewpoint, IPv6 is actually a 64-bit address space for purposes of determining how much address space is required. So, from the point of view of someone manufacturing devices to attach to IPv6 networks, I have some options. I can: 1) Assume that DHCP PD is going to work, and that the end user will have a prefix to delegate, which might be valid or it might not. This leaves me in the position of having to figure out a backup strategy, because I do not want users returning my device to Best Buy because "it don't work." The backup strategy is bridging. 2) Assume that DHCP PD is not going to work, and make bridging the default strategy. DHCP PD can optionally be a configurable thing, or autodetect, or whatever, but it will not be mandatory. I am being facetious here, of course, since only one of those is really viable in the market. Anyone who thinks otherwise is welcome to explain to me what's going to happen in the case where there are no P's to D. I will leave the difference between corporate and residential as an exercise to the reader; suffice it to say that the answers are rather obvious in the same manner. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Joe Greco wrote:
There is a huge detent at /48, but there's a certain amount of guidance that can only be derived from operational experience. It's not clear to me why /56 would be unacceptable, particularly if you're delegating them to a device that already has a /64. Are one's customers attached via point-to-point links, or do they sit on shared broadcast domain where their cpe is receiving a /128 and requesting pd from the outset?
When someone plugs an apple airport into a segment of the corporate lan should it be be able to request pd under those circumstances as well? how is that case different than plugging it in on a residential connection?
These are issues providers can and should grapple with.
More likely, at least some of them are fairly naive questions.
For example, /experience/ tells us that corporate LAN policies are often implemented without regard to what "we", as Internet engineers, would prefer, so I can guarantee you with a 100% certainty that there will be at least some networks, and more than likely many networks, where you will not be able to simply request a prefix delegation and have that work the way you'd like. There will always be some ISP who has delegated, or some end site who has received, a "far too close to being just large enough" allocation, and so even if we assume that every router vendor and IPv6 implementation from here to eternity has no knobs to disable prefix delegation, simple prefix exhaustion within an allocation will be a problem. All the screams of "but they should have been allocated more" will do nothing to change this.
Further, if we consider, for a moment, a world where prefix delegation is the only method of adding something like an Apple Airport to an existing network, this is potentially encouraging the burning of /64's for the addition of a network with perhaps a single client. That's perfectly fine, /as long as/ networks are allocated sufficient resources. This merely means that from a fairly pessimistic viewpoint, IPv6 is actually a 64-bit address space for purposes of determining how much address space is required.
So, from the point of view of someone manufacturing devices to attach to IPv6 networks, I have some options.
I can:
1) Assume that DHCP PD is going to work, and that the end user will have a prefix to delegate, which might be valid or it might not. This leaves me in the position of having to figure out a backup strategy, because I do not want users returning my device to Best Buy because "it don't work." The backup strategy is bridging.
2) Assume that DHCP PD is not going to work, and make bridging the default strategy. DHCP PD can optionally be a configurable thing, or autodetect, or whatever, but it will not be mandatory.
I am being facetious here, of course, since only one of those is really viable in the market. Anyone who thinks otherwise is welcome to explain to me what's going to happen in the case where there are no P's to D.
It's likely that the device may choose to nat when they cannot obtain a prefix... pd might be desirable but if you can't then the alternative is easy. The current apple airport bridges v6 while natting ivp4 this is a perceived boundary problem in some circles and likely will be addressed in future software revision.
I will leave the difference between corporate and residential as an exercise to the reader; suffice it to say that the answers are rather obvious in the same manner.
... JG
It's likely that the device may choose to nat when they cannot obtain a prefix... pd might be desirable but if you can't then the alternative is easy.
I thought we were all trying to discourage NAT in IPv6. Clearly, NAT solves the problem ... while introducing 1000 new ones. :-/ ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Joe Greco wrote:
It's likely that the device may choose to nat when they cannot obtain a prefix... pd might be desirable but if you can't then the alternative is easy.
I thought we were all trying to discourage NAT in IPv6.
You/we are... Which is why you really need PD, and cpe needs to be able to hand out /64s on request to downstream devices. Not surprisingly that will drive subnetting in the home. presently, plugging in more gateway/router devices results in multiple layers of nat and huge amounts of unnecessary complexity in the home network.
Clearly, NAT solves the problem ... while introducing 1000 new ones. :-/
Sure, we don't have a reasonable mechanism for ipv4 devices to pull address space out of thin air. We do have one in ipv6. This is a problem that equipment makers (as much as randy hates them) will have to address. It doesn't take much imagination to figure out how they will address it given a lack of alternatives.
... JG
Joel Jaeggli wrote:
equipment makers (as much as randy hates them)
excuse?!?!? that is unjustified and uncalled for. vendors, like everyone else, will do what is in their best interests. as i am an operator, not a vendor, that is often not what is in my best interest, marketing literature aside. i believe it benefits the ops community to be honest when the two do not seem to coincide. randy
Randy Bush wrote:
Joel Jaeggli wrote:
equipment makers (as much as randy hates them)
excuse?!?!? that is unjustified and uncalled for.
vendors, like everyone else, will do what is in their best interests. as i am an operator, not a vendor, that is often not what is in my best interest, marketing literature aside. i believe it benefits the ops community to be honest when the two do not seem to coincide.
If the ops community doesn't provide enough addresses and a way to use them then the vendors will do the same thing they did in v4. It's not clear to me where their needs don't coincide in this case. there are three legs to the tripod network operator user equipment manufacturer They have (or should have) a mutual interest in: Transparent and automatic configuration of devices. The assignment of globally routable addresses to internet connected devices the user having some control over what crosses the boundry between their network and the operators.
randy
If the ops community doesn't provide enough addresses and a way to use them then the vendors will do the same thing they did in v4. It's not clear to me where their needs don't coincide in this case.
there are three legs to the tripod
network operator user equipment manufacturer
They have (or should have) a mutual interest in:
Transparent and automatic configuration of devices. The assignment of globally routable addresses to internet connected devices the user having some control over what crosses the boundry between their network and the operators.
Yes, well, that sounds fine, but I think that we've already hashed over at least some of the pressures on businesses in this thread. I've tried to focus on what's in the Subject:, and have mostly ignored other problems, which would include things such as cellular service, where I suspect that the service model is such that they'll want to find a way to allocate users a /128 ... There is, further, an effect which leads to "equipment mfr" being split into "netwk equipment mfr" and "cpe equipment mfr", because the CPE guys will be trying to build things that'll work for the end user, working around any brokenness, etc. The problem space is essentially polarized, between network operators who have their own interests, and users who have theirs. So, as /engineers/ for the network operators, the question is, what can we do to encourage/coerce/force the businesses on our side of the equation to allocate larger rather than smaller numbers of bits, or find other solutions? What could we do to encourage, or better yet, mandate, that an ISP end- user connection should be allocated a minimum of /56, even if it happens to be a cellular service? ( :-) ) What do we do about corporate environments, or any other environment where there may be pressure to control topology to avoid "DHCP PD" to devices added to the network on an ad-hoc basis? Is it actually an absolutely unquestionable state of affairs that the smallest autoconfigurable subnet is a /64? Because if not, there are options there ... but of course, that leads down a road where an ISP may not want to allocate as much as a /64 ... What parts of this can we tackle through RIR policy? RFC requirements? Best practice? Customer education? ( :-) ) Other ideas? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
vendors, like everyone else, will do what is in their best interests. as i am an operator, not a vendor, that is often not what is in my best interest, marketing literature aside. i believe it benefits the ops community to be honest when the two do not seem to coincide. If the ops community doesn't provide enough addresses and a way to use them then the vendors will do the same thing they did in v4.
i presume you mean nat v6/v6. this would be a real mess and i don't think anyone is contending it is desirable. but this discussion is ostensibly operators trying to understand what is actually appropriate and useful for a class of customers, i believe those of the consumer, soho, and similar scale. to summarize the positions i think i have heard o one /64 subnet per device, but the proponent gave no estimate of the number of devices o /48 o /56 o /64 the latter three all assuming that the allocation would be different if the site had actual need and justification. personally, i do not see an end site needing more than 256 subnets *by default*, though i can certainly believe a small minority of them need more and would use the escape clause. so, if we, for the moment, stick to the one /64 per subnet religion, than a /56 seems sufficient for the default allocation. personally, i have a hard time thinking that any but a teensie minority, who can use the escape clause, need more than 256. hence, i just don't buy the /48 position. personally, i agree that one subnet is likely to be insufficient in a large proportion of cases. so keeping to the /64 per subnet religion, a /64 per site is insufficient for the default. still personally, i think the one /64 subnet per device is analogous to one receptacle per mains breaker, i.e. not sensible.
there are three legs to the tripod network operator user equipment manufacturer They have (or should have) a mutual interest in: Transparent and automatic configuration of devices.
as you have seen from chris's excellent post [0] on this one, one size does not fit all. this is likely another worthwhile, but separate, discussion.
The assignment of globally routable addresses to internet connected devices
i suspect that there are folk out there who equate nat with security. i suspect we both think them misguided.
The user having some control over what crosses the boundry between their network and the operators.
yup randy --- [0] - <http://www.merit.edu/mail.archives/nanog/msg04887.html>
Randy Bush wrote:
vendors, like everyone else, will do what is in their best interests. as i am an operator, not a vendor, that is often not what is in my best interest, marketing literature aside. i believe it benefits the ops community to be honest when the two do not seem to coincide. If the ops community doesn't provide enough addresses and a way to use them then the vendors will do the same thing they did in v4.
i presume you mean nat v6/v6. this would be a real mess and i don't think anyone is contending it is desirable. but this discussion is ostensibly operators trying to understand what is actually appropriate and useful for a class of customers, i believe those of the consumer, soho, and similar scale.
to summarize the positions i think i have heard o one /64 subnet per device, but the proponent gave no estimate of the number of devices o /48 o /56 o /64
It plausible that if one were to assign a single /64 and reserve a 56 to delegate per customer that you could number about 16 million customers per /32 with a few hundred thousand /64s remaining for infrastrucuture. size of an agregate for a pop might be /48 (~250 customers) to /40 (65k customers) to /36 (1 million customers) A large retail isp might under those circumstances be able to get away with order of /28 to /30 in total.
the latter three all assuming that the allocation would be different if the site had actual need and justification.
personally, i do not see an end site needing more than 256 subnets *by default*, though i can certainly believe a small minority of them need more and would use the escape clause. so, if we, for the moment, stick to the one /64 per subnet religion, than a /56 seems sufficient for the default allocation.
personally, i have a hard time thinking that any but a teensie minority, who can use the escape clause, need more than 256. hence, i just don't buy the /48 position.
It plausible that if one were to assign a single /64 and reserve a 56 to delegate per customer
as a provider, where is the win in this for me? the space is 'lost', i.e. committed, and i increase provisioning hassles, though maybe mildly if i am skillful. if/when the rirs sober up about ipv6 justification, i will have a hard time showing an hd ratio without a lot of zeros to the immediate right of the decimal point. or would you suggest that i recover the committed space if unused? under what conditions? after how long? and, when i recover, do i allocate the second (or 42nd) /64 to a new customer, leaving them a smaller cushion than the first user of that /56 received? no easy answers. but yes, giving them a /56 off the bat feels a bit reminiscent of giving them a /24 in ipv4. randy
Joe Greco wrote:
I'd say skip the /64 and /48. Don't do the /64, as future-proofing. A /48 is just something I cannot see need for, given the number of addresses available as a /56, unless the "home user" is actually providing connectivity to a bunch of his nearby friends and neighbors.
Having fewer options is going to be easier for the ISP, I suspect.
Not just the ISP, but the home user, and the designers of the devices for the home. As you point out, device configuration in the home needs to be as simple as possible. It would be nice if designers of new networked home devices (particularly those that that would like to use media types which might not be readily bridged to other common media types) could have some reasonable assurance up front that they have the option of an IPv6 subnet in the home to use. This would then be one less thing to try and automatically discover, ask the user to configure information about, develop a workaround for, etc. Less options is a very good thing here, and rampant /64s could well paint the device manufacturers into a corner on what tools IPv6 gives them to take advantage of. - Mark
... JG
On Dec 22, 2007 1:45 AM, Mark Townsley <townsley@cisco.com> wrote:
Joe Greco wrote:
I'd say skip the /64 and /48. Don't do the /64, as future-proofing. A /48 is just something I cannot see need for, given the number of addresses available as a /56, unless the "home user" is actually providing connectivity to a bunch of his nearby friends and neighbors.
Having fewer options is going to be easier for the ISP, I suspect.
Not just the ISP, but the home user, and the designers of the devices for the home. As you point out, device configuration in the home needs to be as simple as possible. It would be nice if designers of new networked home devices (particularly those that that would like to use media types which might not be readily bridged to other common media types) could have some reasonable assurance up front that they have the option of an IPv6 subnet in the home to use. This would then be one less thing to try and automatically discover, ask the user to configure information about, develop a workaround for, etc. Less options is a very good thing here, and rampant /64s could well paint the device manufacturers into a corner on what tools IPv6 gives them to take advantage of.
can you expound some on the last part of this? the 'rampant /64's..' part? Since auto-conf pretty much requires the LAN to be /64 sized and if you believe more than 1 subnet would be of use to the end-user/residence then there are only a few options left, eh? It seems that the ppp-o-e sorts of connections could pass out this information and make the lives of equipment/user easier, what sort of options were you envisioning? (or what were you hoping to avoid?) I ask because I'm fairly certain the operator and standards-body folks both would be curious about a vendor's (or vendor-ish-person's view) view on this issue, I just don't think a rational answer is forthcoming from the 'user' community on this quite yet :( -Chris
On Fri, 21 Dec 2007 08:31:07 -0800 Owen DeLong <owen@delong.com> wrote:
The primary reasons I see for separate networks on v6 would include firewall policy (DMZ, separate departmental networks, etc)...
This is certainly one reason for such things.
And I'm having some trouble envisioning a residential end user that honestly has a need for 256 networks with sufficiently differently policies. Or that a firewall device can't reasonably deal with those policies even on a single network, since you mainly need to protect devices from external access.
Perhaps this is a lack of imagination.
Imagine that your ethernet->bluetooth gateway wants to treat the bluetooth and ethernet segments as separate routed segments.
<snip> I think this is also showing a bit of a lack of imagination:
I think it makes sense to assign as follows:
/64 for the average current home user. /56 for any home user that wants more than one subnet /48 for any home user that can show need.
Well, it doesn't really make sense to me - I think it's far more conservative than it has to be. Even spending time on considering and evaluating the checkboxes for the last two options is time that could be better spent on something else, and probably costs more than the IPv6 address space (and associated costs) saved by being conservative with the allocations. I'd be interested to know *why* that makes sense to you - the justifications. I'd also be interested to know what you'd *want* if you were asked how you'd like to structure IPv6 addressing, if you didn't have any history of having to be conservative with IPv4 addressing. IOW, imagine IPv4 didn't exist, and therefore your thinking about IPv6 isn't influenced by your history with IPv4. Regards, Mark. -- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
On Fri, 21 Dec 2007 08:48:35 -0600 (CST) Joe Greco <jgreco@ns.sol.net> wrote:
I keep coming to the conclusion that an end-user can be made to work on a /64, even though a /56 is probably a better choice.
A /56 is definitely better. Of course, I used to have 4 LANs just in my house (wired, wireless, VPN to employer, "teen-net" to which certain users were consigned for violation of the house AUP...). I suspect there are others on this list with more than that, today. Sure, we're power users. We're also talking about technology that's been around for a while. If all of my lights were controlled over the net, I'd probably want a separate subnet for that, for access control. I might want a separate subnet for environmental controls, because access problems there can result in physical damage. I really need to set up a VPN for remote access to the house. To quote a line from a science fiction book I'm fond of, "no artificial shortages!" --Steve Bellovin, http://www.cs.columbia.edu/~smb
Given that a "subnet" in the current model consists of a network that is capable of swallowing the entire v4 Internet, and still being virtually empty, it should be clear that *number of devices* will never be a serious issue for any network, business or residential. You'll always be able to get as many devices as you'd like connected to the Internet with v6. This may ignore some /current/ practical issues that devices such as switches may impose, but that doesn't make it any less true.
This is the part about V6 I haven't really gotten my head around. It really seems like it takes the position (possibly due to WG-delay) that everything we've learned to do with V4 is done and not-needed. For example... Within one's own network (or subnet if you will) we can absorb all the concepts of V4 today and have lots of space available. For example... for the DMZ of a business... Why not give them 6 bits (/122?) are we anticipating topology differences UPSTREAM from the customers that can take advantage of subnet differences between /64 and /56 ? Do we really believe that in our "home" topology where everything has a unique address that my refrigerator won't be able to route to my movie player? And if it can, and if I need a firewall between my in-home networks why does it need to be at /64 boundaries... can I subnet my /64 into a huge number of /116s? I know some IPV6 boxen won't support DHCP and other things at such small network sizes, but I haven't figured out a use for as much space as we are providing even joe-home-user.... or why there is some nobility to making boxes that are less flexible that the IPv4 boxen we have today... between the /48 and /128 boundaries (inclusive)... shouldn't IPv6 be just IPv4 with more space? My previous understanding was the idea that everyone would get an IP4 universe (or several) to theoretically number everything they could ever conceive of, AND have enough left over to handle things like thousands of interfaces with thousands of simultaneous permanent and semi-permanent conversations going on --even separated by large TTLs (> years) without any concern for numbering/renumbering within their assigned block. I am aware of the idea of renumbering the left portion of the IP space in an IPv6 world... For example... My car manufacturer could give every car in his universe a unique IP within a network. As an owner of that car, I just need to create a tunnel from my IP space provided by my provider to my car's unique IP (the manufacturer's network won't accept packets for my car NOT from my IP space). So now I can create a webpage from my home that shows all the silly things I do with my car... and its unique and permanent to the rest of the world -- even as I change cars. When I'm "on-the-job" as a physical package courier, my car might even gain another IP with another access model tunneled over to it. So, I can see a place where LOTS of devices have LOTS of addresses all in different contexts/topologies based on your access model. What I don't understand is why an end user connection today that justifies a /30 needs a /64.. or multiple ones. What at the ISP changes between a /30 and a /56 that we are going to do for that user to support his "multiple random networks of convenience?" Thanks for any help with my understanding, DJ
On Fri, Dec 21, 2007 at 01:33:15PM -0500, Deepak Jain wrote:
For example... Within one's own network (or subnet if you will) we can absorb all the concepts of V4 today and have lots of space available. For example... for the DMZ of a business... Why not give them 6 bits (/122?) are we anticipating topology differences UPSTREAM from the customers that can take advantage of subnet differences between /64 and /56 ?
I am confused on this point as well. IPv6 documents seem to assume that because auto-discovery on a LAN uses a /64, you always have to use a /64 global-scope subnet. I don't see any technical issues that require this though. ICMPv6 is capable of passing info on prefixes of any length - prefix length is a plain old 8bit field. In fact, until I read the ARIN documents to receive an assignment at work, I assumed this would be how people would operate. So what's the concern? Give all end users a /64 and let them subnet that as they see fit. If DHCPv6 would take care of it automatically with shorter prefixes, that's fine - I doubt it cares if it's doling out info for a /56, /64, or /96. Not like anything on the public internet is going to care a lick either. -- Ross Vandegrift ross@kallisti.us "The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
On Dec 22, 2007 12:23 PM, Ross Vandegrift <ross@kallisti.us> wrote:
On Fri, Dec 21, 2007 at 01:33:15PM -0500, Deepak Jain wrote:
For example... Within one's own network (or subnet if you will) we can absorb all the concepts of V4 today and have lots of space available. For example... for the DMZ of a business... Why not give them 6 bits (/122?) are we anticipating topology differences UPSTREAM from the customers that can take advantage of subnet differences between /64 and /56 ?
I am confused on this point as well. IPv6 documents seem to assume that because auto-discovery on a LAN uses a /64, you always have to use a /64 global-scope subnet. I don't see any technical issues that require this though. ICMPv6 is capable of passing info on prefixes of any length - prefix length is a plain old 8bit field.
Uhm, so sure the spec might be able to do something different than /64 but most equipment I've used only does auto-conf if the prefix is a /64 :( Somewhere along the path to ipng we got reverted to classful addressing again :( -Chris
On Sat, 22 Dec 2007 12:53:52 -0800 "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
On Dec 22, 2007 12:23 PM, Ross Vandegrift <ross@kallisti.us> wrote:
On Fri, Dec 21, 2007 at 01:33:15PM -0500, Deepak Jain wrote:
For example... Within one's own network (or subnet if you will) we can absorb all the concepts of V4 today and have lots of space available. For example... for the DMZ of a business... Why not give them 6 bits (/122?) are we anticipating topology differences UPSTREAM from the customers that can take advantage of subnet differences between /64 and /56 ?
I am confused on this point as well. IPv6 documents seem to assume that because auto-discovery on a LAN uses a /64, you always have to use a /64 global-scope subnet. I don't see any technical issues that require this though. ICMPv6 is capable of passing info on prefixes of any length - prefix length is a plain old 8bit field.
Uhm, so sure the spec might be able to do something different than /64 but most equipment I've used only does auto-conf if the prefix is a /64 :( Somewhere along the path to ipng we got reverted to classful addressing again :(
Not really. Classful IPv4 defined both an addressing structure *and* an agorithm to match destinations against the route table entries (i.e. classful forwarding won't match on a default route if the router knows at least one prefix within a classful network). IPv6 uses the longest match rule regardless of any addressing structure, and only uses structure for a few portions of the total IPv6 address space, for the operation of things like DHCPv6 and address autoconfiguration. A change in IPv6 addressing structure won't involve a change in the route table matching algorithm. Regards, Mark. -- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
Christopher Morrow wrote:
On Dec 22, 2007 12:23 PM, Ross Vandegrift <ross@kallisti.us> wrote:
For example... Within one's own network (or subnet if you will) we can absorb all the concepts of V4 today and have lots of space available. For example... for the DMZ of a business... Why not give them 6 bits (/122?) are we anticipating topology differences UPSTREAM from the customers that can take advantage of subnet differences between /64 and /56 ? I am confused on this point as well. IPv6 documents seem to assume
On Fri, Dec 21, 2007 at 01:33:15PM -0500, Deepak Jain wrote: that because auto-discovery on a LAN uses a /64, you always have to use a /64 global-scope subnet. I don't see any technical issues that require this though. ICMPv6 is capable of passing info on prefixes of any length - prefix length is a plain old 8bit field.
Uhm, so sure the spec might be able to do something different than /64 but most equipment I've used only does auto-conf if the prefix is a /64 :( Somewhere along the path to ipng we got reverted to classful addressing again :(
I think this is the point I was trying to make. Just because we have "so many bits" now... why does the equipment/software need to get "stupider" again? Are we going to have an IPv6 CIDR initiative again (15 years from now) to recover all of that wasted space from "early" allocations).. Merry Christmas, and junk. Deepak
On 22 dec 2007, at 21:23, Ross Vandegrift wrote:
IPv6 documents seem to assume that because auto-discovery on a LAN uses a /64, you always have to use a /64 global-scope subnet. I don't see any technical issues that require this though. ICMPv6 is capable of passing info on prefixes of any length - prefix length is a plain old 8bit field.
In fact, until I read the ARIN documents to receive an assignment at work, I assumed this would be how people would operate. So what's the concern? Give all end users a /64 and let them subnet that as they see fit. If DHCPv6 would take care of it automatically with shorter prefixes, that's fine
First of all, there's RFC 3513: For all unicast addresses, except those that start with binary value 000, Interface IDs are required to be 64 bits long and to be constructed in Modified EUI-64 format. Second, we currently have two mechanisms to configure IPv6 hosts with an address: router advertisements and DHCPv6. The former has been implemented in ALL IPv6 stacks but doesn't work if your subnet isn't a /64. The latter is (I think) available on the client side in Windows Vista. There are a few DHCPv6 server implementations, but the ones I tested 2 years ago wouldn't do address assignment. (You still need the router advertisements to learn your default gateway and prefix length as DHCPv6 can't tell you those.) So although many people want to stick to the DHCP model they know from IPv4, that's extremely hard to do with IPv6 the way things currently are.
On Sun, 23 Dec 2007, Iljitsch van Beijnum wrote:
On 22 dec 2007, at 21:23, Ross Vandegrift wrote:
IPv6 documents seem to assume that because auto-discovery on a LAN uses a /64, you always have to use a /64 global-scope subnet. I don't see any technical issues that require this though. ICMPv6 is capable of passing info on prefixes of any length - prefix length is a plain old 8bit field.
In fact, until I read the ARIN documents to receive an assignment at work, I assumed this would be how people would operate. So what's the concern? Give all end users a /64 and let them subnet that as they see fit. If DHCPv6 would take care of it automatically with shorter prefixes, that's fine
First of all, there's RFC 3513:
For all unicast addresses, except those that start with binary value 000, Interface IDs are required to be 64 bits long and to be constructed in Modified EUI-64 format.
Second, we currently have two mechanisms to configure IPv6 hosts with an address: router advertisements and DHCPv6. The former has been implemented in ALL IPv6 stacks but doesn't work if your subnet isn't a /64. The latter is (I think) available on the client side in Windows Vista. There are a few DHCPv6 server implementations, but the ones I tested 2 years ago wouldn't do address assignment. (You still need the router advertisements to learn your default gateway and prefix length as DHCPv6 can't tell you those.) So although many people want to stick to the DHCP model they know from IPv4, that's extremely hard to do with IPv6 the way things currently are.
Actually we tested DHCv6 implementation 2-3 years ago. http://www.6net.org/publications/deliverables/D3.2.3v3.pdf The dibbler seemed to be rather complete DHCPv6 implementation. I think default gateway and prefix length distribution via DHCPv6 will be quite problematical any many situation. There plenty of organisation who has a dedicated team/person for network management (routers, switches etc.), while another team/person for system management (dhcp, servers etc.). So configuring DHCPv6 requires cooperation which takes time, but users are complaining.... Best Regards, Janos Mohacsi
Mohacsi Janos wrote:
There plenty of organisation who has a dedicated team/person for network management (routers, switches etc.), while another team/person for system management (dhcp, servers etc.). So configuring DHCPv6 requires cooperation which takes time, but users are complaining....
<well intentioned troll> so, what problems are there with dhcpv6 that differ from those we have experienced with dchpv4? what would be good to know before trying to deploy it? do organizations you know prefer autoconf or dhcpv6? and why? randy
On Sun, 23 Dec 2007, Randy Bush wrote:
Mohacsi Janos wrote:
There plenty of organisation who has a dedicated team/person for network management (routers, switches etc.), while another team/person for system management (dhcp, servers etc.). So configuring DHCPv6 requires cooperation which takes time, but users are complaining....
<well intentioned troll>
so, what problems are there with dhcpv6 that differ from those we have experienced with dchpv4? what would be good to know before trying to deploy it?
do organizations you know prefer autoconf or dhcpv6? and why?
Actually we are using stateless form of DHCPv6 to announce DNS servers with autoconf + static address comfiguration for servers. This is satisfactory for a small organisation like us (less than 40 persons). We are testing DHCPv6 also. For a larger organisation (>1000 computer) I will ask my colleagues about their DHCPv6 experiences.... Best Regards, Janos Mohacsi
On Sun, Dec 23, 2007 at 12:24:32AM +0100, Iljitsch van Beijnum wrote:
First of all, there's RFC 3513:
For all unicast addresses, except those that start with binary value 000, Interface IDs are required to be 64 bits long and to be constructed in Modified EUI-64 format.
Ahhh, thanks - that is the only thing I have ever seen that gives any reason for the /64 prefix. Sadly, the document contains no compelling technical reasons for it - looks like it's done just so things are easy when generating interface IDs from ethernet addresses.
Second, we currently have two mechanisms to configure IPv6 hosts with an address: router advertisements and DHCPv6. The former has been implemented in ALL IPv6 stacks but doesn't work if your subnet isn't a /64.
But the protocols don't imply or require this. All of the messages used in stateless autoconfig will behave as expected with longer prefix lengths. So it seems that because the interface identifier has to be 64-bits, stateless autoconfig is unnecessarily crippled. For kicks I just tried RAs with a /96 prefix. Linux 2.6 checks and enforces the requirement from RFC3513, though it'd be trivial to change. But I'm guessing other vendors enforce this as well. -- Ross Vandegrift ross@kallisti.us "The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
On Sun, 23 Dec 2007 12:54:34 -0500 Ross Vandegrift <ross@kallisti.us> wrote:
On Sun, Dec 23, 2007 at 12:24:32AM +0100, Iljitsch van Beijnum wrote:
First of all, there's RFC 3513:
For all unicast addresses, except those that start with binary value 000, Interface IDs are required to be 64 bits long and to be constructed in Modified EUI-64 format.
Ahhh, thanks - that is the only thing I have ever seen that gives any reason for the /64 prefix. Sadly, the document contains no compelling technical reasons for it - looks like it's done just so things are easy when generating interface IDs from ethernet addresses.
If operational simplicity of fixed length node addressing is a technical reason, then I think it is a compelling one. If you've ever done any reasonable amount of work with Novell's IPX (or other fixed length node addressing layer 3 protocols (mainly all of them except IPv4!)) you'll know what I mean. I think Ethernet is also another example of the benefits of spending/"wasting" address space on operational convenience - who needs 46/47 bits for unicast addressing on a single layer 2 network!? If I recall correctly from bits and pieces I've read about early Ethernet, the very first versions of Ethernet only had 16 bit node addressing. They then decided to spend/"waste" bits on addressing to get operational convenience - "plug and play" layer 2 networking. If IPv6 can have the same operational simplicity as Ethernet, and addressing bits can afford to be spent on it, then I think those bits are well worth spending. The /64 for all subnets idea is probably an example of "worse is better" principle. It's not ideal for everything, but because it's general enough, it works with everything, and is simpler and a *single* solution to everything, and that's what makes it better. Regarding where the /64 boundary came from, from what I understand, the following Internet Drafts are it's origin: "8+8 - An Alternate Addressing Architecture for IPv6" http://arneill-py.sacramento.ca.us/ipv6mh/draft-odell-8+8-00.txt "GSE - An Alternate Addressing Architecture for IPv6" http://arneill-py.sacramento.ca.us/ipv6mh/draft-ipng-gseaddr-00.txt
Second, we currently have two mechanisms to configure IPv6 hosts with an address: router advertisements and DHCPv6. The former has been implemented in ALL IPv6 stacks but doesn't work if your subnet isn't a /64.
But the protocols don't imply or require this. All of the messages used in stateless autoconfig will behave as expected with longer prefix lengths. So it seems that because the interface identifier has to be 64-bits, stateless autoconfig is unnecessarily crippled.
For kicks I just tried RAs with a /96 prefix. Linux 2.6 checks and enforces the requirement from RFC3513, though it'd be trivial to change. But I'm guessing other vendors enforce this as well.
-- Ross Vandegrift ross@kallisti.us
"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
-- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
If operational simplicity of fixed length node addressing is a technical reason, then I think it is a compelling one. If you've ever done any reasonable amount of work with Novell's IPX (or other fixed length node addressing layer 3 protocols (mainly all of them except IPv4!)) you'll know what I mean.
I think Ethernet is also another example of the benefits of spending/"wasting" address space on operational convenience - who needs 46/47 bits for unicast addressing on a single layer 2 network!? If I recall correctly from bits and pieces I've read about early Ethernet, the very first versions of Ethernet only had 16 bit node addressing. They then decided to spend/"waste" bits on addressing to get operational convenience - "plug and play" layer 2 networking.
The difference is that it doesn't "cost" anything. There are no RIR fees, there is no justification. You don't pay for, or have to justify, your Ethernet MAC addresses. With IPv6, there are certain pressures being placed on ISP's not to be completely wasteful. This will compel ISP's to at least consider the issues, and it will most likely force users to buy into technologies that allow them to do what they want. And inside a /64, you have sufficient space that there's probably nothing you can't do. :-) ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Sun, 23 Dec 2007 17:26:12 -0600 (CST) Joe Greco <jgreco@ns.sol.net> wrote:
If operational simplicity of fixed length node addressing is a technical reason, then I think it is a compelling one. If you've ever done any reasonable amount of work with Novell's IPX (or other fixed length node addressing layer 3 protocols (mainly all of them except IPv4!)) you'll know what I mean.
I think Ethernet is also another example of the benefits of spending/"wasting" address space on operational convenience - who needs 46/47 bits for unicast addressing on a single layer 2 network!? If I recall correctly from bits and pieces I've read about early Ethernet, the very first versions of Ethernet only had 16 bit node addressing. They then decided to spend/"waste" bits on addressing to get operational convenience - "plug and play" layer 2 networking.
The difference is that it doesn't "cost" anything. There are no RIR fees, there is no justification. You don't pay for, or have to justify, your Ethernet MAC addresses.
With IPv6, there are certain pressures being placed on ISP's not to be completely wasteful.
I don't think there is that difference at all. MAC address allocations are paid for by the Ethernet chipset/card vendor, and I'm pretty sure they have to justify their usage before they're allowed to buy another block. I understand they're US$1250 an OUI, so something must have happened to prevent somebody buying them all up to hoard them, creating artificial scarcity, and then charging a market sensitive price for them, rather than the flat rate they cost now. That's not really any different to an ISP paying RIR fees, and then indirectly passing those costs onto their customers.
This will compel ISP's to at least consider the issues, and it will most likely force users to buy into technologies that allow them to do what they want. And inside a /64, you have sufficient space that there's probably nothing you can't do. :-)
... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
-- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
I think Ethernet is also another example of the benefits of spending/"wasting" address space on operational convenience - who needs 46/47 bits for unicast addressing on a single layer 2 network!? If I recall correctly from bits and pieces I've read about early Ethernet, the very first versions of Ethernet only had 16 bit node addressing. They then decided to spend/"waste" bits on addressing to get operational convenience - "plug and play" layer 2 networking.
The difference is that it doesn't "cost" anything. There are no RIR fees, there is no justification. You don't pay for, or have to justify, your Ethernet MAC addresses.
With IPv6, there are certain pressures being placed on ISP's not to be completely wasteful.
I don't think there is that difference at all. MAC address allocations are paid for by the Ethernet chipset/card vendor, and I'm pretty sure they have to justify their usage before they're allowed to buy another block. I understand they're US$1250 an OUI, so something must have happened to prevent somebody buying them all up to hoard them, creating artificial scarcity, and then charging a market sensitive price for them, rather than the flat rate they cost now. That's not really any different to an ISP paying RIR fees, and then indirectly passing those costs onto their customers.
MAC address allocations are paid for by the Ethernet chipset/card vendor. They're not paid for by an ISP, or by any other Ethernet end-user, except as a pass-through, and therefore it's considered a fixed cost. There are no RIR fees, and there is no justification. You buy a gizmo with this RJ45 and you get a unique MAC. This is simple and straightforward. If you buy one device, you get one MAC. If you buy a hundred devices, you get one hundred MAC's. Not 101, not 99. This wouldn't seem to map well at all onto the IPv6 situation we're discussing. With an IPv6 prefix, it is all about the prefix size. Since a larger allocation may cost an ISP more than a smaller allocation, an ISP may decide that they need to charge a customer who is allocated a /48 more than a customer who is allocated a /64. I don't pay anyone anything for the use of the MAC address I got on this free ethernet card someone gave me, yet it is clearly and unambiguously mine (and only mine) to use. Does that clarify things a bit? If you are proposing that RIR's cease the practice of charging different amounts for different allocation sizes, please feel free to shepherd that through the approvals process, and then I will certainly agree that there is no longer a meaningful cost differential for the purposes of this discussion. Otherwise, let's not pretend that they're the same thing, since they're clearly not. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Sun, 23 Dec 2007 19:27:55 -0600 (CST) Joe Greco <jgreco@ns.sol.net> wrote:
I think Ethernet is also another example of the benefits of spending/"wasting" address space on operational convenience - who needs 46/47 bits for unicast addressing on a single layer 2 network!? If I recall correctly from bits and pieces I've read about early Ethernet, the very first versions of Ethernet only had 16 bit node addressing. They then decided to spend/"waste" bits on addressing to get operational convenience - "plug and play" layer 2 networking.
The difference is that it doesn't "cost" anything. There are no RIR fees, there is no justification. You don't pay for, or have to justify, your Ethernet MAC addresses.
With IPv6, there are certain pressures being placed on ISP's not to be completely wasteful.
I don't think there is that difference at all. MAC address allocations are paid for by the Ethernet chipset/card vendor, and I'm pretty sure they have to justify their usage before they're allowed to buy another block. I understand they're US$1250 an OUI, so something must have happened to prevent somebody buying them all up to hoard them, creating artificial scarcity, and then charging a market sensitive price for them, rather than the flat rate they cost now. That's not really any different to an ISP paying RIR fees, and then indirectly passing those costs onto their customers.
MAC address allocations are paid for by the Ethernet chipset/card vendor.
They're not paid for by an ISP, or by any other Ethernet end-user, except as a pass-through, and therefore it's considered a fixed cost. There are no RIR fees, and there is no justification. You buy a gizmo with this RJ45 and you get a unique MAC. This is simple and straightforward. If you buy one device, you get one MAC. If you buy a hundred devices, you get one hundred MAC's. Not 101, not 99. This wouldn't seem to map well at all onto the IPv6 situation we're discussing.
How many ISP customers pay RIR fees? Near enough to none, if not none. I never have when I've been an ISP customer. Why are you pretending they do? I think your taking an end-user perspective when discussing ethernet but an RIR fee paying ISP position when discussing IPv6 subnet allocations. That's not a valid argument, because you've changed your viewpoint on the situation to suit your position. Anyway, the point I was purely making was that if you can afford to spend the bits, because you have them (as you do in Ethernet by design, as you do in IPv6 by design, but as you *don't* in IPv4 by design), you can spend them on operational convenience for both the RIR paying entity *and* the end-user/customer. Unnecessary complexity is *unnecessary*, and your customers won't like paying for it if they discover you've chosen to create it either on purpose or through naivety.
With an IPv6 prefix, it is all about the prefix size. Since a larger allocation may cost an ISP more than a smaller allocation, an ISP may decide that they need to charge a customer who is allocated a /48 more than a customer who is allocated a /64.
I don't pay anyone anything for the use of the MAC address I got on this free ethernet card someone gave me, yet it is clearly and unambiguously mine (and only mine) to use. Does that clarify things a bit?
If you are proposing that RIR's cease the practice of charging different amounts for different allocation sizes, please feel free to shepherd that through the approvals process, and then I will certainly agree that there is no longer a meaningful cost differential for the purposes of this discussion. Otherwise, let's not pretend that they're the same thing, since they're clearly not.
... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
-- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
MAC address allocations are paid for by the Ethernet chipset/card vendor.
They're not paid for by an ISP, or by any other Ethernet end-user, except as a pass-through, and therefore it's considered a fixed cost. There are no RIR fees, and there is no justification. You buy a gizmo with this RJ45 and you get a unique MAC. This is simple and straightforward. If you buy one device, you get one MAC. If you buy a hundred devices, you get one hundred MAC's. Not 101, not 99. This wouldn't seem to map well at all onto the IPv6 situation we're discussing.
How many ISP customers pay RIR fees? Near enough to none, if not none.
Who said anything about ISP customers paying RIR fees? Although they certainly do, indirectly.
I never have when I've been an ISP customer.
(Must be one of those legacy ISP's?)
Why are you pretending they do?
I don't recall bringing them into the discussion, BUT...
I think your taking an end-user perspective when discussing ethernet but an RIR fee paying ISP position when discussing IPv6 subnet allocations. That's not a valid argument, because you've changed your viewpoint on the situation to suit your position.
Oddly enough, I'm one of those rare people who've worked with both ISP's and OEM's that have been assigned MAC's. You can think as you wish, and you're wrong.
Anyway, the point I was purely making was that if you can afford to spend the bits, because you have them (as you do in Ethernet by design, as you do in IPv6 by design, but as you *don't* in IPv4 by design), you can spend them on operational convenience for both the RIR paying entity *and* the end-user/customer. Unnecessary complexity is *unnecessary*, and your customers won't like paying for it if they discover you've chosen to create it either on purpose or through naivety.
Okay, here, let me make it reaaaaaaallllllyyyyy simple. If I am going out and buying an Ethernet card today, the mfr will pay $.NN for my MAC address, a cost that is built into the retail cost of the card. It will never be more or less than $.NN, because the number of MAC addresses assigned to my card is 1. Always 1. Always $.NN. If I am going out and buying IPv6 service today, the ISP will pay a variable amount for my address space. The exact amount is a function of their own delegation size (you can meander on over to ARIN yourself) and the size they've delegated to you; and so, FOR PURPOSES OF ILLUSTRATION, consider this. If your ISP has been delegated a /48 (admittedly unlikely, but possible) for $1,250/year, and they assign you a /56, their cost to provide that space is ~$5. They can have 256 such customers. If your ISP has been delegated a /48 (admittedly unlikely, but possible) for $1,250/year, and they assign you a /48, their cost to provide that space is ~$1,250. They can have 1 such customer. If your ISP has been delegated a /41, for $1,250/year, and they assign you a /48, their cost to provide that space is ~$10. They can have 128 such customers. There is a significant variation in pricing as the parameters are changed. You do not just magically have free bits in IPv6 by design; the ISP is paying for those bits. There will be factors MUCH more real than whether or not customers "like paying for it if they discover you've chosen to create [complexity]," because quite frankly, residential end users do not typically have a clue, and so even if you do tick off 1% who have a clue, you're still fine. Now, seriously, just who do you think is paying for the space? And if $competitor down the road is charging rock bottom prices for Internet access, how much money does the ISP really want to throw at extra address space? (Do you want me to discuss naivety now?) And just /how/ is this in any way similar to Ethernet MAC addresses, again? Maybe I'm just too slow and can't see how "fixed cost" == "variable cost." I won't accept any further hand-waving as an answer, so to continue, please provide solid examples, as I've done. Perhaps more on-topic, how many IP addresses can dance on the head of a /64? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Joe Greco wrote: [..]
Okay, here, let me make it reaaaaaaallllllyyyyy simple.
Yes, indeed lets make it reaaaaaaallllllyyyyy simple for you:
If your ISP has been delegated a /48 (admittedly unlikely, but possible) for $1,250/year, and they assign you a /56, their cost to provide that space is ~$5. They can have 256 such customers.
Fortunately ISP's get their space per /32 and up based on how much they can justify, which is the amount of customers they have. As such for a /32 single /48 is only (x / 65k) = like 20 cents or so? And if you are running your business properly you will have more clients and the price will only go down and down and down. Really (or should I write "reaaaaaaallllllyyyyy" to add force?) if you as an ISP are unable to pay the RIR fees for that little bit of address space, then you definitely have bigger problems as you won't be able to pay the other bills either. How high are your transit&equipment bills again, and how are you exactly charging your customers? ah, not by bandwidth usage, very logical! As an enduser I would love to pay the little fee for IP space that the LIR (ISP in ARIN land) pays to the RIR and then simply pay for the bandwidth that I am using + a little margin so that they ISP also earns some bucks and can do writeoffs on equipment and personnel. For some magic reasons though(*), it seems to be completely ludacrist to do it this way, even though it would make the bill very clear and it would charge the right amount for the right things and not some arbitrary number for some other arbitrary things and then later complaining that people use too much bandwidth because they use bittorrent and other such things. For the cable folks: make upstream bandwidth more pricey per class than downstream, problem of heavy-uploaders solved as they get charged. Greets, Jeroen (* = then again I don't have an mba or something like that so I prolly miss out an all kinds of important factors why people have to make it so complex)
Hi Jeroen, On 24/12/2007, at 6:07 PM, Jeroen Massar wrote:
Joe Greco wrote: [..]
Okay, here, let me make it reaaaaaaallllllyyyyy simple.
Yes, indeed lets make it reaaaaaaallllllyyyyy simple for you:
If your ISP has been delegated a /48 (admittedly unlikely, but possible) for $1,250/year, and they assign you a /56, their cost to provide that space is ~$5. They can have 256 such customers.
<cut>
How high are your transit&equipment bills again, and how are you exactly charging your customers? ah, not by bandwidth usage, very logical!
Not my bandwidth usage? Ha. Ha. Haha. Ha. Fortunately a /32 allocation was free from APNIC with our existing membership tier. Regards, Trent Australia
Joe Greco wrote: [..]
Okay, here, let me make it reaaaaaaallllllyyyyy simple.
Yes, indeed lets make it reaaaaaaallllllyyyyy simple for you:
If your ISP has been delegated a /48 (admittedly unlikely, but possible= ) for $1,250/year, and they assign you a /56, their cost to provide that space is ~$5. They can have 256 such customers.
Fortunately ISP's get their space per /32 and up based on how much they can justify, which is the amount of customers they have.
As such for a /32 single /48 is only (x / 65k) =3D like 20 cents or so? And if you are running your business properly you will have more clients and the price will only go down and down and down.
Really (or should I write "reaaaaaaallllllyyyyy" to add force?) if you as an ISP are unable to pay the RIR fees for that little bit of address space, then you definitely have bigger problems as you won't be able to pay the other bills either.
There's a difference between "unable to pay the RIR fees" and "do not deem any business value in spending the money." Engineers typically feel that businesses should be ready and willing to spend more money for reasons that the average business person won't care about. Pretend I'm your CFO. Explain the value proposition to me. Here's the (slightly abbreviated) conversation. "Well, you say we need to spend more money every year on address space. Right now we're paying $2,250/year for our /32, and we're able to serve 65 thousand customers. You want us to start paying $4,500/year, but Bob tells me that we're wasting a lot of our current space, and if we were to begin allocating less space to customers [aside: /56 vs /48], that we could actually serve sixteen million users for the same cash. Is there a compelling reason that we didn't do that from the outset?" This discussion is getting really silly; the fact of the matter is that this /is/ going to happen. To pretend that it isn't is simply naive.
How high are your transit&equipment bills again, and how are you exactly charging your customers? ah, not by bandwidth usage, very logical!
Perhaps end-user ISP's don't charge by bandwidth usage...
As an enduser I would love to pay the little fee for IP space that the LIR (ISP in ARIN land) pays to the RIR and then simply pay for the bandwidth that I am using + a little margin so that they ISP also earns some bucks and can do writeoffs on equipment and personnel.
Sure, but that's mostly fantasyland. The average ISP is going to want to monetize the variables. You want more bandwidth, you pay more. You want more IP's, you pay more. This is one of the reasons some of us are concerned about how IPv6 will /actually/ be deployed ... quite frankly, I would bet that it's a whole lot more likely that an end-user gets assigned a /64 than a /48 as the basic class of service, and charge for additional bits. If we are lucky, we might be able to s/64/56/. I mean, yeah, it'd be great if we could mandate /48 ... but I just can't see it as likely to happen.
For some magic reasons though(*), it seems to be completely ludacrist to do it this way, even though it would make the bill very clear and it would charge the right amount for the right things and not some arbitrary number for some other arbitrary things and then later complaining that people use too much bandwidth because they use bittorrent and other such things. For the cable folks: make upstream bandwidth more pricey per class than downstream, problem of heavy-uploaders solved as they get charged.
Sure, but that's how the real world works. The input from engineering folks is only one small variable in the overall scheme of things. It is a /mistake/ to assume that cost-recovery must be done on a direct basis. There's a huge amount of business value in being able to say "unlimited(*) Internet service for $30/mo!" The current offerings in many places should outline this clearly. So, the point is, as engineers, let's not be completely naive. Yes, we /want/ end-users to receive a /56, maybe even a /48, but as an engineer, I'm going to assume something more pessimistic. If I'm a device designer, I can safely do that, because if I don't assume that a PD is going to be available and plan accordingly, then my device is going to work in both cases, while the device someone who has relied on PD is going to break when it isn't available. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
"Well, you say we need to spend more money every year on address space. Right now we're paying $2,250/year for our /32, and we're able to serve 65 thousand customers. You want us to start paying $4,500/year, but Bob tells me that we're wasting a lot of our current space, and if we were to begin allocating less space to customers [aside: /56 vs /48], that we could actually serve sixteen million users for the same cash. Is there a compelling reason that we didn't do that from the outset?"
Right... Let's look at this in detail: /48 per customer == 65,536 customers at $2,250 == $0.03433/customer /56 per customer == 16,777,216 customers at $2,250 == $0.00013/customer So, total savings per customer is $0.0342/customer _IF_ you have 16,777,216 customers. On the other hand, sir, for those customers who need more than 256 subnets, we're running the risk of having to assign them multiple noncontiguous prefixes. Although the cost of doing so is not readily apparent, each router has a limit to the number of prefixes that can be contained in the routing table. The cost of upgrading all of our routers later probably far exceeds the $0.03 per customer that we would save. Really, in general, I think that the place to look for per-customer savings opportunities would be in places where we have a potential recovery greater than $0.03 per customer.
This discussion is getting really silly; the fact of the matter is that this /is/ going to happen. To pretend that it isn't is simply naive.
How high are your transit&equipment bills again, and how are you exactly charging your customers? ah, not by bandwidth usage, very logical!
Perhaps end-user ISP's don't charge by bandwidth usage...
True, but, they don't, generally, charge by the address, either. Usually, they charge by the month. If you can't cover $0.03/year/ customer for address space in your monthly fees, then, raise your monthly fee by $0.05. I'm betting your customers won't care.
As an enduser I would love to pay the little fee for IP space that the LIR (ISP in ARIN land) pays to the RIR and then simply pay for the bandwidth that I am using + a little margin so that they ISP also earns some bucks and can do writeoffs on equipment and personnel.
Sure, but that's mostly fantasyland. The average ISP is going to want to monetize the variables. You want more bandwidth, you pay more. You want more IP's, you pay more. This is one of the reasons some of us are concerned about how IPv6 will /actually/ be deployed ... quite frankly, I would bet that it's a whole lot more likely that an end-user gets assigned a /64 than a /48 as the basic class of service, and charge for additional bits. If we are lucky, we might be able to s/64/56/.
I mean, yeah, it'd be great if we could mandate /48 ... but I just can't see it as likely to happen.
I'm betting that competition will drive the boundary left without additional fees. After all, if you're only willing to dole out /64s and your competitor is handing out /56 for the same price, then all the customers that want multiple subnets are going to go to your competitor. The ones that want /48s will find a competitor that offers that. That's how the real world works. I remember having to repeatedly involve senior management in rejecting requests for /24s from customers who could not justify them because our sales people at Exodus kept promising them. The sales people continuously suggested that our competitors were offering everyone /24s and that they had to do that to win the deals. OTOH, "Raw bandwidth communications" seems to want to charge bandwidth utilization not actually based on the bandwidth utilized, but, the number of IP addresses routed. They are not my ISP for that reason. Different providers have different business models. Consumers will find the provider with the business model that best fits their needs. That's the way it works in the real world.
So, the point is, as engineers, let's not be completely naive. Yes, we /want/ end-users to receive a /56, maybe even a /48, but as an engineer, I'm going to assume something more pessimistic. If I'm a device designer, I can safely do that, because if I don't assume that a PD is going to be available and plan accordingly, then my device is going to work in both cases, while the device someone who has relied on PD is going to break when it isn't available.
Assuming that PD is available is naive. However, assuming it is not is equally naive. The device must be able to function in both circumstances if possible, or, should handle the case where it can't function in a graceful and informative manner. Owen
Right... Let's look at this in detail:
/48 per customer == 65,536 customers at $2,250 == $0.03433/customer /56 per customer == 16,777,216 customers at $2,250 == $0.00013/customer
So, total savings per customer is $0.0342/customer _IF_ you have 16,777,216 customers. On the other hand, sir, for those customers who need more than 256 subnets, we're running the risk of having to assign them multiple noncontiguous prefixes.
Okay, here's a problem. You keep making these statements which bear no resemblance to the real world. If I "need more than 256 subnets", and I approach my ISP to ask for such, there are at least two obvious answers which are incredibly more likely than any risk of "assign[ing] them[me] multiple noncontiguous prefixes." Answer 1: "We don't provide more space on your Cableco Cable Modem Service. If you would like, we do offer Cableco Business Class Service." Answer 2: "We can assign you a larger prefix, however, you'll need to power cycle the cable modem and your addresses will change." Remember, this is residential broadband. Saying /no/ is fairly common (in the same way that I can't get custom PTR DNS for a static IP address on a resi connection with many service providers.)
Although the cost of doing so is not readily apparent, each router has a limit to the number of prefixes that can be contained in the routing table.
Yeah, well, I'm not impressed. As an operator community, we've been so good about getting our own affairs in order there.
The cost of upgrading all of our routers later probably far exceeds the $0.03 per customer that we would save. Really, in general, I think that the place to look for per-customer savings opportunities would be in places where we have a potential recovery greater than $0.03 per customer.
How about /not/ upgrading all of your routers and keeping the "$0.03 per customer"?
This discussion is getting really silly; the fact of the matter is that this /is/ going to happen. To pretend that it isn't is simply naive.
How high are your transit&equipment bills again, and how are you exactly charging your customers? ah, not by bandwidth usage, very logical!
Perhaps end-user ISP's don't charge by bandwidth usage...
True, but, they don't, generally, charge by the address, either. Usually, they charge by the month. If you can't cover $0.03/year/ customer for address space in your monthly fees, then, raise your monthly fee by $0.05. I'm betting your customers won't care.
Customers at the low end of the spectrum do in fact care, and my guess would be that they'd rather save the nickel than get extra address space that only 1 in 1,000 of them might ever get around to using.
As an enduser I would love to pay the little fee for IP space that the LIR (ISP in ARIN land) pays to the RIR and then simply pay for the bandwidth that I am using + a little margin so that they ISP also earns some bucks and can do writeoffs on equipment and personnel.
Sure, but that's mostly fantasyland. The average ISP is going to want to monetize the variables. You want more bandwidth, you pay more. You want more IP's, you pay more. This is one of the reasons some of us are concerned about how IPv6 will /actually/ be deployed ... quite frankly, I would bet that it's a whole lot more likely that an end-user gets assigned a /64 than a /48 as the basic class of service, and charge for additional bits. If we are lucky, we might be able to s/64/56/.
I mean, yeah, it'd be great if we could mandate /48 ... but I just can't see it as likely to happen.
I'm betting that competition will drive the boundary left without additional fees. After all, if you're only willing to dole out /64s and your competitor is handing out /56 for the same price, then all the customers that want multiple subnets are going to go to your competitor. The ones that want /48s will find a competitor that offers that.
Ah! That's good. Now we're making some progress. The first question most businesses have when they're spending money is "how much is it." Not "how much is it on a per-customer basis." If I go and ask for a new $2000 server so that I can put up some neat new thing, such as a reverse-traceroute webserver, the idea is that I should need to justify why it can't be done on an existing webserver. Maybe it can, but maybe it can't (let's say because it'll connect out to our routers and the security risk warrants a separate server). The fact that it might only cost a penny per month per customer is irrelevant to the higher-level analysis. In the same way, if an ISP can avoid spending money, there are almost certainly some who will do so. Since the average customer is likely to be more than adequately served by 256 subnets for the foreseeable future, there will undoubtedly be some that allocate /56's (or even /64's). Market pressures, the actual needs of consumers, and whether or not it actually winds up as cheaper to support a single address space size on backroom systems will all work to shape what actually happens.
So, the point is, as engineers, let's not be completely naive. Yes, we /want/ end-users to receive a /56, maybe even a /48, but as an engineer, I'm going to assume something more pessimistic. If I'm a device designer, I can safely do that, because if I don't assume that a PD is going to be available and plan accordingly, then my device is going to work in both cases, while the device someone who has relied on PD is going to break when it isn't available.
Assuming that PD is available is naive. However, assuming it is not is equally naive.
No, it's not equally naive. The bridging scenario is likely to work in all cases, therefore, assuming bridging as a least common denominator is actually pretty "smart" - even though I would prefer to see a full implementation that works in all cases. Assume the worst, hope for the best. If that's "naive", well, then it's all a lost cause. You can call it "coldly cynical" all you'd like, though. ;-)
The device must be able to function in both circumstances if possible, or, should handle the case where it can't function in a graceful and informative manner.
That much is certain. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Wow, is this what you folks do at Christmas ? -- Leigh Joe Greco wrote:
Right... Let's look at this in detail:
/48 per customer == 65,536 customers at $2,250 == $0.03433/customer /56 per customer == 16,777,216 customers at $2,250 == $0.00013/customer
So, total savings per customer is $0.0342/customer _IF_ you have 16,777,216 customers. On the other hand, sir, for those customers who need more than 256 subnets, we're running the risk of having to assign them multiple noncontiguous prefixes.
Okay, here's a problem. You keep making these statements which bear no resemblance to the real world.
If I "need more than 256 subnets", and I approach my ISP to ask for such, there are at least two obvious answers which are incredibly more likely than any risk of "assign[ing] them[me] multiple noncontiguous prefixes."
Answer 1: "We don't provide more space on your Cableco Cable Modem Service. If you would like, we do offer Cableco Business Class Service."
Answer 2: "We can assign you a larger prefix, however, you'll need to power cycle the cable modem and your addresses will change."
Remember, this is residential broadband. Saying /no/ is fairly common (in the same way that I can't get custom PTR DNS for a static IP address on a resi connection with many service providers.)
Although the cost of doing so is not readily apparent, each router has a limit to the number of prefixes that can be contained in the routing table.
Yeah, well, I'm not impressed. As an operator community, we've been so good about getting our own affairs in order there.
The cost of upgrading all of our routers later probably far exceeds the $0.03 per customer that we would save. Really, in general, I think that the place to look for per-customer savings opportunities would be in places where we have a potential recovery greater than $0.03 per customer.
How about /not/ upgrading all of your routers and keeping the "$0.03 per customer"?
This discussion is getting really silly; the fact of the matter is that this /is/ going to happen. To pretend that it isn't is simply naive.
How high are your transit&equipment bills again, and how are you exactly charging your customers? ah, not by bandwidth usage, very logical!
Perhaps end-user ISP's don't charge by bandwidth usage...
True, but, they don't, generally, charge by the address, either. Usually, they charge by the month. If you can't cover $0.03/year/ customer for address space in your monthly fees, then, raise your monthly fee by $0.05. I'm betting your customers won't care.
Customers at the low end of the spectrum do in fact care, and my guess would be that they'd rather save the nickel than get extra address space that only 1 in 1,000 of them might ever get around to using.
As an enduser I would love to pay the little fee for IP space that the LIR (ISP in ARIN land) pays to the RIR and then simply pay for the bandwidth that I am using + a little margin so that they ISP also earns some bucks and can do writeoffs on equipment and personnel.
Sure, but that's mostly fantasyland. The average ISP is going to want to monetize the variables. You want more bandwidth, you pay more. You want more IP's, you pay more. This is one of the reasons some of us are concerned about how IPv6 will /actually/ be deployed ... quite frankly, I would bet that it's a whole lot more likely that an end-user gets assigned a /64 than a /48 as the basic class of service, and charge for additional bits. If we are lucky, we might be able to s/64/56/.
I mean, yeah, it'd be great if we could mandate /48 ... but I just can't see it as likely to happen.
I'm betting that competition will drive the boundary left without additional fees. After all, if you're only willing to dole out /64s and your competitor is handing out /56 for the same price, then all the customers that want multiple subnets are going to go to your competitor. The ones that want /48s will find a competitor that offers that.
Ah! That's good. Now we're making some progress.
The first question most businesses have when they're spending money is "how much is it." Not "how much is it on a per-customer basis." If I go and ask for a new $2000 server so that I can put up some neat new thing, such as a reverse-traceroute webserver, the idea is that I should need to justify why it can't be done on an existing webserver. Maybe it can, but maybe it can't (let's say because it'll connect out to our routers and the security risk warrants a separate server). The fact that it might only cost a penny per month per customer is irrelevant to the higher-level analysis.
In the same way, if an ISP can avoid spending money, there are almost certainly some who will do so. Since the average customer is likely to be more than adequately served by 256 subnets for the foreseeable future, there will undoubtedly be some that allocate /56's (or even /64's). Market pressures, the actual needs of consumers, and whether or not it actually winds up as cheaper to support a single address space size on backroom systems will all work to shape what actually happens.
So, the point is, as engineers, let's not be completely naive. Yes, we /want/ end-users to receive a /56, maybe even a /48, but as an engineer, I'm going to assume something more pessimistic. If I'm a device designer, I can safely do that, because if I don't assume that a PD is going to be available and plan accordingly, then my device is going to work in both cases, while the device someone who has relied on PD is going to break when it isn't available.
Assuming that PD is available is naive. However, assuming it is not is equally naive.
No, it's not equally naive. The bridging scenario is likely to work in all cases, therefore, assuming bridging as a least common denominator is actually pretty "smart" - even though I would prefer to see a full implementation that works in all cases. Assume the worst, hope for the best. If that's "naive", well, then it's all a lost cause. You can call it "coldly cynical" all you'd like, though. ;-)
The device must be able to function in both circumstances if possible, or, should handle the case where it can't function in a graceful and informative manner.
That much is certain.
... JG
Leigh Porter wrote:
Wow, is this what you folks do at Christmas ?
Clearly you yourself are affectionate about this thing called Christmas, if you are so affectionate about it, then why are you making silly comments which do not contribute at all to the topic at hand? Must be very boring that Christmas of yours. On a more operational topic: even during Christmas (that Coca Cola induced commercialism party that gets attributed to some religion), people are using the Internet, and stuff breaks on the Internet, as such there will always be people who have to work on days like this. Greets, Jeroen
On Mon, 24 Dec 2007, Jeroen Massar wrote:
For some magic reasons though(*), it seems to be completely ludacrist to do it this way, even though it would make the bill very clear and it would charge the right amount for the right things and not some arbitrary number for some other arbitrary things
(* = then again I don't have an mba or something like that so I prolly miss out an all kinds of important factors why people have to make it so complex)
I don't have an MBA either. However I will note that many european airlines itemise their bills such that external costs (like taxes, shared-resource fees, etc) are seperated out. This practice seems particularly popular with low-cost airlines, as it allows them to advertise rock-bottom fares, where that fare is just the cost they have control of. So there seems to be real-world precedent for your proposal, in one of the tightest-margin and most cost-sensitive industries around. Prettige kerstdagen! regards, -- Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A Fortune: If you look good and dress well, you don't need a purpose in life. -- Robert Pante, fashion consultant
On Dec 21, 2007 6:48 AM, Joe Greco <jgreco@ns.sol.net> wrote:
And I'm having some trouble envisioning a residential end user that honestly has a need for 256 networks with sufficiently differently policies. Or that a firewall device can't reasonably deal with those policies even on a single network, since you mainly need to protect devices from external access.
I'd agree that 256 at home seems high to me, today... I do have 10 vlans at home but I could be considered an outlier. I'm not sure that in the future 10 would even been considered small, maybe things split on room levels, or appliance types or 'needs vendor support' or some other set of arbitrary policy points. I agree with you below though that a /48 seems very large for a residence :) -Chris
* Joe Greco:
Right now, we might say "wow, 256 subnets for a single end-user... hogwash!" and in years to come, "wow, only 256 subnets... what were we thinking!?"
Well, what's the likelihood of the "only 256 subnets" problem?
There's a tendency to move away from (simulated) shared media networks. "One host per subnet" might become the norm.
Once upon a time, Florian Weimer <fw@deneb.enyo.de> said:
Right now, we might say "wow, 256 subnets for a single end-user... hogwash!" and in years to come, "wow, only 256 subnets... what were we thinking!?"
Well, what's the likelihood of the "only 256 subnets" problem?
There's a tendency to move away from (simulated) shared media networks. "One host per subnet" might become the norm.
So each host will end up with a /64? How exactly are end-users expected to manage this? Having a subnet for the kitchen appliances and a subnet for the home theater, both of which can talk to the subnet for the home computer(s), but not to each other, will be far beyond the abilities of the average home user. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
-- On Sun, 12/23/07, Chris Adams <cmadams@hiwaay.net> wrote:
From: Chris Adams <cmadams@hiwaay.net> Subject: Re: v6 subnet size for DSL & leased line customers To: nanog@merit.edu Date: Sunday, December 23, 2007, 2:21 PM Once upon a time, Florian Weimer <fw@deneb.enyo.de> said:
Right now, we might say "wow, 256 subnets for a single end-user... hogwash!" and in years to come, "wow, only 256 subnets... what were we thinking!?"
Well, what's the likelihood of the "only 256 subnets" problem?
There's a tendency to move away from (simulated) shared media networks. "One host per subnet" might become the norm.
So each host will end up with a /64?
How exactly are end-users expected to manage this? Having a subnet for the kitchen appliances and a subnet for the home theater, both of which can talk to the subnet for the home computer(s), but not to each other, will be far beyond the abilities of the average home user.
As I see it, one of the big benefits IPv4 provided was logical addresssing in an easy-to-understand and easy-to-aggregate manner, with small layer-2 networks divided by routers. What we've gone to with IPv6 is a gigantic layer-2 network (the flat autoconfiguration space). I think we got here when "site-local" went away - we've effectively redefined link-local to mean "site-local," while using globally unique addressing. Personally, I don't relish the idea of millions of hosts participating in spanning-tree, so I'd rather see us move back toward the direction of using layer-3 addresses to break up layer-2 islands. How about this for a modest proposal for a capability: Allow autoconfigured generation of IPv6 interface addresses to use this format: (one byte VLAN ID) (48 bit MAC address) instead of: (24 bit half-mac) (FFFE) (24 bit half-MAC) This would allow a CPE router to serve as the gateway for up to 64K VLANs, and wouldn't waste a byte in the middle of the address space. How about it? David Barak Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
I think we got here when "site-local" went away - we've effectively redefined link-local to mean "site-local," while using globally unique addressing.
site-local was replaced with ULA. Have you got your ULA yet? :-) ULA gives you /48's. 6to4 gives you /48's. Your customers already have /48's whether they know it or not (and some do). Mark
Once upon a time, Florian Weimer <fw@deneb.enyo.de> said:
Right now, we might say "wow, 256 subnets for a single end-user... hogwash!" and in years to come, "wow, only 256 subnets... what were we thinking!?"
Well, what's the likelihood of the "only 256 subnets" problem?
There's a tendency to move away from (simulated) shared media networks. "One host per subnet" might become the norm.
So each host will end up with a /64?
That's a risk. It is more like "each host might end up with a /64." Now, the thing here is, there's nothing wrong with one host per subnet. There's just something wrong with blowing a /64 per subnet in an environment where you have one host per subnet, and a limited amount of bits above /64 (you essentially have /unlimited/ addresses within the /64, but an ISP may be paying for space, etc). Now, understand, I /like/ the idea of /64 networks in general, but I do have concerns about where the principle breaks down. If we're agreed to contemplate IPv6 as being a 64-bit address space, and then allocating space on that basis, I would suggest that some significant similarities to IPv4 appear. In particular, a NAT gateway for IPv4 translates fairly well into a subnet-on-a-/64 in IPv6. That is interesting, but it may not actually reduce the confusion as to how to proceed.
How exactly are end-users expected to manage this? Having a subnet for the kitchen appliances and a subnet for the home theater, both of which can talk to the subnet for the home computer(s), but not to each other, will be far beyond the abilities of the average home user.
Well, this gets back to what I was saying before. At a certain point, Joe Sixpack might become sophisticated enough to have an electrician come in and run an ethernet cable from the jack on the fridge to his home router. He might also be sophisticated enough to pay $ElectronicsStore installation dep't to run an ethernet cable from the jack on the home theater equipment to the home router. I believe that this may in fact have come to pass ... Now the question is, "what should happen next." The L3 option is that the home router presents a separate /64 on each port, and offers some firewalling capabilities. I hinted before that I might not be thrilled with this, due to ISP commonly controlling CPE, but that can be addressed by making the router separate. There's a trivial L2 option as well. You can simply devise a L2 switch that implements filtering policies. Despite all the cries of "that's not how we do it in v4!" and "we can't change the paradigm," the reality is that this /could/ be perfectly fine. As a matter of fact, for Joe Sixpack, it almost certainly /is/ fine. Joe Sixpack's policy is going to read just like what you wrote above. "subnet for appliances," "subnet for computer," "subnet for theater," with the appliances and theater only being able to talk to computer. He's not going to care if it's an actual subnet or just a logical blob. This is easy to do at L2 or L3. We're more /used/ to doing it at L3, but it's certainly workable at L2, and the interface to do so doesn't necessarily even need to look any different, because Joe Sixpack does not care about the underlying network topology and strategy. I would absolutely like to see DHCP PD be usable for environments where multiple prefixes are available and allowed, but I believe we're going to also be needing to look at bridging. There's /going/ to be some crummy ISP somewhere that only allocates end users a /64, or there's /going/ to be a business with a network that will refuse DHCP PD, and as a result there /will/ be a market for devices that have the ability to cope. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Sun, 23 Dec 2007 19:46:26 +0100 Florian Weimer <fw@deneb.enyo.de> wrote:
* Joe Greco:
Right now, we might say "wow, 256 subnets for a single end-user... hogwash!" and in years to come, "wow, only 256 subnets... what were we thinking!?"
Well, what's the likelihood of the "only 256 subnets" problem?
There's a tendency to move away from (simulated) shared media networks. "One host per subnet" might become the norm.
Or possibly maybe Peter M. Gleitz's and Steven M. Bellovin's idea of "Transient Addressing for Related Processes: Improved Firewalling by Using IPV6 and Multiple Addresses per Host" http://www.cs.columbia.edu/~smb/papers/tarp/tarp.html A /64 per host is probably not necessary, however if an end-site has a /48, that's 65K hosts so it wouldn't likely be much of a problem for most sites ... certainly not my house currently or in the forseeable future or my current employer, or most employers I've worked for in the past. -- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
On Mon, 24 Dec 2007 09:58:44 +0900 Randy Bush <randy@psg.com> wrote:
There's a tendency to move away from (simulated) shared media networks. "One host per subnet" might become the norm.
and, with multiple addresses per interface, the home user surely _might_ need a /32.
What prompted you to suggest that? Trolling maybe?
might does not make right
Neither does being ridiculous.
randy
-- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
Scott Weeks wrote:
Disclaimer: I'm still very much an IPv6 wussie... :-)
--------------------------------------------- But even in 2000 the policy was and still is: /128 for really a single device /64 if you know for sure that only one single subnet will ever be allocated. /48 for every other case (smart bet, should be used per default) ----------------------------------------------
I work on a network with 100K+ DSL folks and 200+ leased line customers, plus some other stuff. The leased line customers are increasing dramatically. I should plan for a /64 for every DSL customer and a /48 for every leased line customer I expect over the next 5-7 years?
scott
Same disclaimer as above. But perhaps thats a benefit, allowing the landscape forest view instead of the tree one. Seems like everything good and desirable in ipv6 was backported to ipv4, including router advertisements (which nobody uses, since DHCP [yes dhcp can/could be made redundant] is far far preferred, even by SOHO vendors). All except the 4 x bitspace. If it hasnt been backported after all this time, its likely either undoable or unusable. Since its quite likely that a minimum 50 year lifetime for ipv4 looks to be in the cards, judging by bitspace, ipv6 should be engineered for 200 (or 50 to the 4th which makes 125000). One would suppose that the way to do this is to do as much as is neccessary to comfortably move the world onto it AND NO MORE. We are not prophets. We dont even know how many prefixes the average router will be able to handle in 10 years (considering that a maxed out pc-as-a-router can handle millions more than the nice expensive 7600), let alone 50. So the first thing we do is: Make it as big for ISP's as ipv4 was for end users, by assigning /32 prefixes, minus all the special purpose carvings. To make things simple, a 4 byte AS should come with a /32. Brilliant. We have forward ported ipv4 scalability onto ipv6. For what? So that end users can have nanotech networks? It goes without saying that I will want my nanotech network(s) firewalled (and natted for good measure). Autoconfiguration doesnt require 64 bits. We have autoconfig for ipv4, it appears to only need 16. As stated, we dont want people to be taking their /64's with them as they change ISP's, so imbuing all this uniqueness and matching it with their global id's and telephone numbers is just asking for trouble. Unless the whole world becomes an ISP. Presto, address shortage unless massive depopulation occurs over the next couple hundred years. We should not pretend to be building an allocation structure that will not simultaneously satisify uniqueness, portability and scalability for the next hundred years or so when we clearly are not. Whats the current state with PI in ipv6? How often will it change? We could have reserved 90% of the first 32 bits, use the next 32 bits to assign to ISP's /64 bits, and allow the ISP's to assign an internet worth of customer their own internet. Tiered routing? Geo-location routing? All easily made available with another bit or two from the first /32. Oh and the whole protocol is still useless, since proper connectivity to the ipv4 network without an ipv4 stack seems to be somewhat non standard. Obviously, nobody rolling out ipv6 due to address shortage is going to tolerate that, and interop strategies will be used, standard or not. Expect the interop strategy to be the one with the lowest network resistance. Thats nat. IPv6 is a textbook second system syndrome. We could have all been on it already without the dozens of super-freighters attached to the 128bit tugboat. Joe
participants (34)
-
Chris Adams
-
Christopher Morrow
-
Christopher Morrow
-
David Barak
-
Deepak Jain
-
Florian Weimer
-
Iljitsch van Beijnum
-
James R. Cutler
-
Jamie Bowden
-
Jeroen Massar
-
Joe Greco
-
Joe Maimon
-
Joel Jaeggli
-
Kevin Loch
-
Kevin Oberman
-
Leigh Porter
-
Leo Bicknell
-
Mark Andrews
-
Mark Smith
-
Mark Townsley
-
Marshall Eubanks
-
Mikael Abrahamsson
-
Mohacsi Janos
-
Owen DeLong
-
Paul Jakma
-
Randy Bush
-
Robert E. Seastrom
-
Ross Vandegrift
-
Scott Weeks
-
Stephen Sprunk
-
Steven M. Bellovin
-
sthaug@nethelp.no
-
Tony Li
-
Trent Lloyd