I see there is a long thread on IPv6 address assignment going, and I apologize that I did not read all of it, but I still have some unanswered questions.

I believe someone posted the ARIN recommendation that carriers assign out /64's and /56's, and in a few limited cases, /48. I can understand corporations getting more than a /64 for their needs, but certainly this does not mean residential ISP subscribers, right?

I can understand the need for /64's because the next 64 bits are for the client address, but there seems to be this idea that one and only one node may use a whole /64. So in the case of Joe, the residential DSL subscriber who has 50,000 PCs, TiVo's, microwaves, and nanobots that all need unique routable IP addresses, what is to stop him from assigning them unique client ID's (last 64 bits) under the same /64? We can let Joe put in some switches, and if that isn't enough he should consider upgrading from his $35/month DSL or $10/month dial up anyway.

My next question is that there is this idea that there will be no NAT in the IPv6 world. Some companies have old IPv4 only software, some companies have branch offices using the same software on different networks, and some like the added security NAT provides.

There are also serious privacy concerns with having a MAC address within an IP address. Aside from opening the doors to websites to share information on specific users, lack of NAT also means the information they have is more detailed in households where separate residents use different computers. I can become an IPv4 stranger to websites once a week by deleting cookies, IPv6 means they can profile exactly what I do over periods of years from work, home, starbucks, it doesn't matter. I don't see NAT going away any time soon.
I believe someone posted the ARIN recommendation that carriers assign out /64's and /56's, and in a few limited cases, /48.
I can understand corporations getting more than a /64 for their needs, but certainly this does not mean residential ISP subscribers, right?
Then you misunderstand ARIN's recommendations. The basic IPv6 assignment size is /48. ARIN recommends assigning a /48 to all customers who cannot be guaranteed to only need a single subnet. It is possible that some ISPs offer a specialty service, say IPv6 connectivity to CCTV cameras, which only needs a single /64 but general purpose ISPs providing general Internet access to consumers and businesses should assign a /48. Some ISPs have very large numbers of consumer customers and feel that the large number of /48s they will need may be excessive, therefore ARIN also recommends that in the case of providing connectivity to a private residence, a /56 may be used. In order to support the use of a /56 assignment in this situation, ARIN has adjusted some parts of their policy to do with counting, so that they measure /56 assignments rather than /48 assignments. But a /48 assignment is still fully justified.
There are also serious privacy concerns with having a MAC address within an IP address. Aside from opening the doors to websites to share information on specific users, lack of NAT also means the information they have is more detailed in households where separate residents use different computers.
Aside from the fact that you can change your MAC at will, there is no need to use the MAC as the IPv6 node address. You can change your IPv6 node address every day if you wish.
I can become an IPv4 stranger to websites once a week by deleting cookies, IPv6 means they can profile exactly what I do over periods of years from work, home, starbucks, it doesn't matter. I don't see NAT going away any time soon.
This only works if your ISP assigns your IP address dynamically and your lease times out without renewal, i.e. you power down your gateway device long enough to get a new IP address. Same applies to IPv6. --Michael Dillon
Hi, Rick Astley wrote:
I see there is a long thread on IPv6 address assignment going, and I apologize that I did not read all of it, but I still have some unanswered questions.
The basic problem is, there are no answers, that's why there is this and similar discussion every 6 months again and again. So the only sane answer to most of your questions is: think about it yourself and just do it to finally get out IPv6 to the world. YOU will have to live with the consequences some day in the future in the end ;-)
I believe someone posted the ARIN recommendation that carriers assign out /64's and /56's, and in a few limited cases, /48.
I'm not that active in the ARIN region myself, but the GENERAL consensus amongst the people who already run (production!) IPv6 networks for years now is - just hand out /48s to every customer, DO NOT THINK ABOUT IT!

But I'm well aware of the ARIN guideline like http://www.arin.net/policy/nrpm.html#six541:

[...]
The following guidelines may be useful (but they are only guidelines):
* /64 when it is known that one and only one subnet is needed
* /56 for small sites, those expected to need only a few subnets over the next 5 years.
* /48 for larger sites
[...]

but notice the annotation "...but they are only guidelines". In general, if you're really really sure that there's only one device, you can use /128, if you're sure there is only one subnet needed, a /64 is fine, but in general, make your life easy by handing out /48s to everyone by default. But if you really want to think about it and make your life complicated - no one can stop you from assigning /56s if you think that's a better choice - for whatever reason you might come up with in your setup.
I can understand corporations getting more than a /64 for their needs, but certainly this does not mean residential ISP subscribers, right?
Why not?
I can understand the need for /64's because the next 64 bits are for the client address, but there seems to be this idea that one and only one node may use a whole /64. So in the case of Joe, the residential DSL subscriber who has 50,000 PCs, TiVo's, microwaves, and nanobots that all need unique routable IP addresses, what is to stop him from assigning them unique client ID's (last 64 bits) under the same /64? We can let Joe put in some switches, and if that isn't enough he should consider upgrading from his $35/month DSL or $10/month dial up anyway.
Well, that's the IPv4 business model which is basically saying "the more you pay, the more IP addresses you can get". This will most likely happen in the IPv6 world too, and there is nothing we can do about it. But if you think about that in a sane way, and you and the ISP you're working for are nice "netizens", you don't put a price tag on IP addresses. Especially not in the IPv6 world, since there is no shortness of addresses like there might be in the IPv4 world which might again support such a business model. ==> just hand out /48s even if 90% of your customers won't ever need it, addresses are not scarce here. Thinking about it too much might just be a bigger waste of time than this is a waste of address resources.
My next question is that there is this idea that there will be no NAT in the IPv6 world. Some companies have old IPv4 only software, some companies have branch offices using the same software on different networks, and some like the added security NAT provides.
Again, marketing gets the lifetime achievement award for making a bad thing like NAT, born out of the simple need for some solution for the we-dont-have-enough-IPv4-addresses-problem - into a "security and administrative easy and anonymity" .. well.. "thing". My only answer to this is: go out and educate the people. But this again often might not work in the real world.
There are also serious privacy concerns with having a MAC address within an IP address. Aside from opening the doors to websites to share information on specific users, lack of NAT also means the information they have is more detailed in households where separate residents use different computers. I can become an IPv4 stranger to websites once a week by deleting cookies, IPv6 means they can profile exactly what I do over periods of years from work, home, starbucks, it doesn't matter. I don't see NAT going away any time soon.
That's a myth, too, for example there is this privacy extension thing (RFC 3041, I believe?) in almost every current IPv6 stack like Vista and so on which doesn't use "MAC addresses" and also constantly changes the address (which is a PITA for administrators again).

In the end, you don't NEED any NAT for any sane reason. But I'm not saying it won't exist, I'm actually quite sure that there will be NAT for IPv6 in the end, right. It's just sad that even engineers and administrators are so lazy and just want to handle IPv6 like IPv4 even though there are major differences.

Bottom line: Think about the best practice yourself, read the whole thread if you still have to make up your mind. At the moment no one really can help you with definite answers.

--
Sascha Lenz, SLZ-RIPE, slz@baycix.de
Network Operations, BayCIX GmbH, Landshut
* PGP public Key on demand *
I see there is a long thread on IPv6 address assignment going, and I apologize that I did not read all of it, but I still have some unanswered questions.
The answers to some of this are buried within it.
I believe someone posted the ARIN recommendation that carriers assign out /64's and /56's, and in a few limited cases, /48.
I can understand corporations getting more than a /64 for their needs, but certainly this does not mean residential ISP subscribers, right?
That answer, along with detailed information, is within that thread. In an ideal world, yes, it does mean resi subscribers. Some of us would like to see that very much, but are simultaneously expecting that something less optimal will happen.
I can understand the need for /64's because the next 64 bits are for the client address, but there seems to be this idea that one and only one node may use a whole /64.
Certainly, if the node is the only one on the subnet.
So in the case of Joe, the residential DSL subscriber who has 50,000 PCs, TiVo's, microwaves, and nanobots that all need unique routable IP addresses, what is to stop him from assigning them unique client ID's (last 64 bits) under the same /64? We can let Joe put in some switches, and if that isn't enough he should consider upgrading from his $35/month DSL or $10/month dial up anyway.
I don't think it was ever in doubt that people could stick lots of devices on a single /64. The question is more one of "under what circumstances would a site want more than a /64." One is when you're crossing boundaries between network protocols (Ethernet to HomeControlNet or whatever). Repeat for Bluetooth or any other alternative technology.

Many would prefer to see firewalling handled at the L3 boundary between networks, which is an indication for multiple /64's. While I certainly agree that this is attractive, and ought to be possible in IPv6, the fact is that it still represents a disruption of the broadcast domain, and requires that all firewall-candidate traffic be routed. This could have an impact to a site that deems a sudden firewall policy change necessary, such as "my PC #3 just got infected, stop it from talking to local network but allow it to download virus updates."

I believe that there could (and should) be a natural evolution towards deconstructing the requirements at which layer these sorts of policies are implemented. I would very much like to see a layer 2/3 switch that is capable of implementing a firewall policy /for a port/, and having the onboard software be sufficiently intelligent that an end-user can deal with his firewalling switch as an abstract item, without having to understand the underlying network topology. This could even be generalized into a useful "general purpose networking" device, that could provide services such as VPN's.

However, I am certain that there will be situations in which DHCP PD does not work, and so I expect that most protocol bridges will in fact be able to support bridging from an already populated IPv6 /64.
My next question is that there is this idea that there will be no NAT in the IPv6 world. Some companies have old IPv4 only software, some companies have branch offices using the same software on different networks, and some like the added security NAT provides.
What "added security" would that be, exactly? Introducing a proper stateful firewall would give you about the same security, without the penalties of having to write proxyware for every new protocol that comes along. There /are/ some differences; a NAT gateway is less likely to fail to firewall in a catastrophic manner, for example: if it isn't working, network connectivity vaporizes. A stateful firewall might go away and leave you with your pants down.

However, that doesn't really make NAT a better technology... {P,N}AT is a technology that was designed to allow more than one computer to share {ports, addresses}. This is fundamentally unnecessary in IPv6 because there are plenty of addresses available, and providers are expected to hand them out like candy.

I would much prefer to see a different security model evolve, where even residential class equipment gains the ability to do smart firewalling. Some of that discussion is in the thread you skipped.
There are also serious privacy concerns with having a MAC address within an IP address. Aside from opening the doors to websites to share information on specific users, lack of NAT also means the information they have is more detailed in households where separate residents use different computers. I can become an IPv4 stranger to websites once a week by deleting cookies, IPv6 means they can profile exactly what I do over periods of years from work, home, starbucks, it doesn't matter. I don't see NAT going away any time soon.
This seems to be an urban myth. Your current average broadband customer is leased an IP address that may stay active for years at a time. To imagine that most websites care about "a specific PC behind a NAT gateway" as opposed to "the small set of users behind this IP address" is a minor distinction at best - they can still track you, and since most households only have a single computer, it's best to assume they can already deal with the more difficult realities of multiple users on a single computer.

Given the ready availability of addresses, it may not be that long before we start seeing the anti-NAT happen; a single PC that utilizes a vaguely RFC3041-like strategy, but instead of allocating a single address at a time, it may allocate a /pool/ of them from the local subnet, and use a different IPv6 address for each outgoing request. Think of it as extending the port number field into the lower bits of the address field... I'm sure someone has a name for this already, but I have no idea what it is.

Anyways, I suggest you run over and read http://www.6net.org/publications/standards/draft-vandevelde-v6ops-nap-01.txt as it is useful foundation material to explain IPv6 strategies and how they differ from IPv4.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
So after reading this thread for a while, it's starting to make sense that all subnets need to be /64. So it's best to think of IPv6 like IPX, but with a 64 bit network address.

I'm curious where the 64 bits reserved for interface comes from though. Haven't seen the history behind that discussed really. Ethernet MACs being 48 bits would seem like a natural choice, leaving 80 bits for network addressing. This waste of space seems vaguely familiar to handing out Class A netblocks 20+ years ago. "We'll never run out"... Maybe it's just me though.

Chuck

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Joe Greco
Sent: Monday, December 31, 2007 11:18 AM
To: Rick Astley
Cc: nanog@merit.edu
Subject: Re: Assigning IPv6 /48's to CPE's?
On Dec 31, 2007 3:26 PM, Church, Charles <cchurc05@harris.com> wrote:
like a natural choice, leaving 80 bits for network addressing. This waste of space seems vaguely familiar to handing out Class A netblocks 20+ years ago. "We'll never run out"... Maybe it's just me though.
The comparison is mistaken. Not without a major fundamental change in the way IP addresses are used (ridiculous waste of addresses by end-sites causing them to require numerous subnets and request additional /48s) IPv6 provides ample room for growth at end sites, and giving out /32s or so to ISPs and telling them to hand out /48s and /56s seems reasonably conservative. 64-bits maximum length network address. It's not much a waste for every end-user to get a /56.

Think of it as IPv4, but instead of everyone having gotten a Class A, every end site got on average 0.00000006 of an IPv4 /32 (host address), no matter how large their site.

1 IPv4 Class A is approximately 0.39% of available IPv4 space: 1.67*10^7/(4.29*10^9)
1 IPv6 /48 is approximately 0.00000000000000000000827% of available IPv6 space.

You need a calculator for that second one :)

But assignable space in V6 could be exhausted without end-site IPs running out. The place where major problems could be run into is deciding how big a block your ISPs and LIRs get, or if the registries are entertaining the concept of PI space for v6.. how large those blocks are. Does a small ISP ever get such a small block that they may run out of /48s to assign? Does a large ISP ever get such a large block, the RIRs may run out of ISP blocks to assign? Both situations would be extremely undesirable.

In the former case, they need multiple blocks, but RIR policy for v6 might not provide a way for them to get that.... the utilization of additional allocations also add undesirable complexity to networks, which is very bad: design of IPv6 is supposed to avoid such things.

In the latter case... IPv6 IP addresses have not been 'exhausted', but now, there can now be no new ISPs or PI allocations; everything having been assigned to some major provider who has not given out very many of their /48s yet, or who is giving out /56s and hoarding the rest of the address space, never to be assigned.....

--
-J
1 IPv4 Class A is approximately 0.39% of available IPv4 space 1.67*10^7/(4.29*10^9)
Uh.... huh? It's worse than that... at least a bit.

Disallowing 0/8, 10/8 and 127/8, you wind up with 125 Class A address prefixes, and assuming that each of these can be used all the way up to the theoretical 16,777,216 addresses, then we have 2,097,152,000 addresses there. For the non-math folks, that's ~= 2.1*10^9.

If we then further count Class B's as all prefixes from 128.0/16 to 191.255/16, excluding the first, last, 169.254/16, and 172.16/12, there are 16,349 Class B's, with a theoretical 65,536 usable addresses in each, then we have 1,071,448,064 addresses there.

If we then further count Class C's as all prefixes from 192.0.0.0/24 to 223.255.255.0/24, and there are a few blocks in there that ought to be excluded, but who cares, that's 2,031,616 networks of 256 addresses, or 520,093,696 addresses there.

I don't realistically believe that D or E are usable general-purpose address classes within the expected remaining lifetime of the protocol.

So, we have:

1 Class A = 16,777,216
All IPv4 = 3,688,693,760

So it's closer to .5%, theoretical. It's even more interesting if you look at it after excluding allocated-but-not-announced space. I'm personally glad that all those Class C's aren't announced individually..

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Jan 1, 2008 12:46 PM, James Hess <mysidia@gmail.com> wrote:
The place where major problems could be run into is deciding how big a block your ISPs and LIRs get, or if the registries are entertaining the concept of PI space for v6.. how large
too late NRO policy comparison chart: http://www.nro.net/documents/nro45.html#3-4-3 Specifically APNIC and ARIN have /48 end-user assignments (PI) policies in place, RIPE is still discussing this policy as of the last meeting (if I recall correctly).
those blocks are. Does a small ISP ever get such a small block that they may run out of /48s to assign?
Sure, if they mis-plan or over-sell or acquire a competitor... there are many scenarios that could include this sort of event.
Does a large ISP ever get such a large block, the RIRs may run out of ISP blocks to assign?
At one point DISA/DoD was looking to get a /10 from <SOME RIR> ... I don't think that went anywhere, or is still under discussion. That'd certainly make a dent in the available space though, eh?
to networks, which is very bad: design of IPv6 is supposed to avoid such things.
The initial design requirements/assumptions you mean, most of which don't apply to today's world?
In the latter case... IPv6 IP addresses have not been 'exhausted', but now, there can now be no new ISPs or PI allocations; everything having been assigned to some major provider who has not given out very many of their /48s yet,
or who is giving out /56s and hording the rest of the address space, never to be assigned.....
ah, just like in IPv4 come mid-2010? whither IPv8? -Chris
On Jan 2, 2008 12:35 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Jan 1, 2008 12:46 PM, James Hess <mysidia@gmail.com> wrote:
The place where major problems could be run into is deciding how big a block your ISPs and LIRs get, or if the registries are entertaining the concept of PI space for v6.. how large
too late NRO policy comparison chart:
someone pointed out that the APNIC policy doc at: http://www.apnic.net/policy/ipv6-address-policy.html doesn't reflect the end-user PI assignment policy wording that appears to be in the NRO link, perhaps someone from APNIC could clarify the current state of affairs for us? They also pointed out that I missed Afrinic in my listing... NRO thinks that afrinic also does /48 end-user assignments... fyi.
Specifically APNIC and ARIN have /48 end-user assignments (PI) policies in place, RIPE is still discussing this policy as of the last meeting (if I recall correctly).
someone pointed out that the APNIC policy doc at:
http://www.apnic.net/policy/ipv6-address-policy.html
doesn't reflect the end-user PI assignment policy wording that appears to be in the NRO link, perhaps someone from APNIC could clarify the current state of affairs for us?
that document is pretty clear, i think. assign what is right for you and the customer. hd is calculated in /56 virtuals. if they need more than /48, discuss upstream. randy
Some of the comments here have cleared things up a bit.

I suspect we will see NAT doing some 4to6 and 6to4 through migration, but there is little reason to use NAT in place of stateful firewall in the v6 to v6 world.

I think RFC3041 (Privacy Extensions) and RFC4864 (Local Network Protection) answer my question about MAC address privacy. I have to do some research on this, but does anyone know if Vista's IP stack is RFC3041 compliant today? (I believe OSX is but I don't know if it is enabled by default)

On to IP address allocation again:

So I was thinking of /64 as "one subnet" consisting of multiple nodes, when in practice a /64 is more like one node. This does open up some interesting possibilities like using multiple IP addresses within a /64 on a single machine. You could do things on the client side like separating applications into different "security zones" with individual IP addresses, or giving individual users on the system their own IP addresses so you can do user/zone specific firewall policies. You could have the OS allocate an IP to a local peripheral like a printer that is shared with the local network to prevent creating a potential vulnerability on one of the IP addresses applications are using to connect to the Internet.

This is cool, but it also means that the /64 is the new /32, and /56 is the new /24. So in cases where it is anticipated that the client will (or eventually will) have more than ~255 devices, a /48 is recommended. So now it is starting to become clear why people are handing out /48's to end users.
On Wed, 2 Jan 2008, Rick Astley wrote:
Some of the comments here have cleared things up a bit.
I suspect we will see NAT doing some 4to6 and 6to4 through migration, but there is little reason to use NAT in place of stateful firewall in the v6 to v6 world.
I think RFC3041 (Privacy Extensions) and RFC4864 (Local Network Protection) answer my question about MAC address privacy. I have to do some research on this, but does anyone know if Vista's IP stack is RFC3041 compliant today? (I believe OSX is but I don't know if it is enabled by default)
On by default in Windows, off by default in Linux (net.ipv6.conf.all.use_tempaddr), OSX and BSD (net.inet6.ip6.use_tempaddr)
On to IP address allocation again:
So I was thinking of /64 as "one subnet" consisting of multiple nodes, when in practice a /64 is more like one node.
This does open up some interesting possibilities like using multiple IP addresses within a /64 on a single machine. You could do things on the client side like separating applications into different "security zones" with individual IP addresses, or giving individual users on the system their own IP addresses so you can do user/zone specific firewall policies.
In my opinion /64 is very likely not a one-node configuration. Potentially you can put every computer in the world into a /64. I agree the functional/operational separation is easy with /64. Earlier in IPv4 you had to think about the subnet sizes: here you have /64 and you can put as many computers as you like in that subnet! Introduction of IPv6 support in your network allows rethinking the subnetting, and address allocation to accommodate better your current need. Best Regards, Janos
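To make the MAC-in-address privacy point from the exchanges above concrete, here is an added example (not code from any poster): it builds the address a plain SLAAC host forms from its MAC, recovers the MAC from any address whose interface identifier follows the modified EUI-64 layout (so an operator can audit which hosts are leaking one), and generates an RFC 4941-style random identifier instead. The prefix 2001:db8:1:2::/64 and the MAC 00:11:22:33:44:55 are constructed sample values.

```python
"""Audit IPv6 addresses for embedded MACs and build temporary identifiers.

Added example for this thread (not any poster's code). The prefix
2001:db8:1:2::/64 and the MAC 00:11:22:33:44:55 are constructed samples.
"""
import ipaddress
import secrets
from typing import Dict, Iterable, Optional

UL_BIT = 0x02  # universal/local bit in the first octet of an EUI-64 IID


def eui64_iid_from_mac(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC,
    insert ff:fe in the middle and flip the U/L bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= UL_BIT
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a SLAAC host without privacy extensions forms on a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    iid = int.from_bytes(eui64_iid_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC hidden in an EUI-64 style interface identifier, or None.

    The ff:fe marker is a heuristic: a random IID matches it with
    probability 2**-16, so a hit means 'probably EUI-64', not 'certainly'.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def temporary_iid() -> bytes:
    """RFC 4941-style temporary identifier: 64 random bits with the U/L bit
    cleared. This example additionally rejects the ff:fe pattern so the audit
    above never misreports a temporary address (a choice made here, not a
    requirement of the RFC)."""
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFF ^ UL_BIT
        if iid[3:5] != b"\xff\xfe":
            return bytes(iid)


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """A fresh temporary address on the given /64; nothing in it identifies the host."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("need a /64")
    iid = int.from_bytes(temporary_iid(), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def audit(addresses: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each address to the MAC it leaks, or None if it leaks nothing."""
    return {a: embedded_mac(a) for a in addresses}


if __name__ == "__main__":
    leaky = slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55")
    private = temporary_address("2001:db8:1:2::/64")
    for addr, mac in audit([str(leaky), str(private), "2001:db8::1"]).items():
        print(f"{addr:40} -> {mac or 'no MAC embedded'}")
```

Run against the addresses seen in your flow logs or neighbor tables, the audit tells you which hosts still need use_tempaddr (or the Windows default) turned on.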
On Mon, 31 Dec 2007 10:18:08 -0600 (CST) Joe Greco <jgreco@ns.sol.net> wrote:
I see there is a long thread on IPv6 address assignment going, and I apologize that I did not read all of it, but I still have some unanswered questions.
<snip>
Anyways, I suggest you run over and read
http://www.6net.org/publications/standards/draft-vandevelde-v6ops-nap-01.txt
That ended up, after a number of revisions, being published as RFC4864 - "Local Network Protection for IPv6".
as it is useful foundation material to explain IPv6 strategies and how they differ from IPv4.
... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
-- "Sheep are slow and tasty, and therefore must remain constantly alert." - Bruce Schneier, "Beyond Fear"
On Dec 31, 2007 3:25 AM, Rick Astley <jnanog@gmail.com> wrote:
I can understand corporations getting more than a /64 for their needs, but certainly this does not mean residential ISP subscribers, right?
Rick,

The standing recommendations are:

* /32 for ISPs unless they can justify more
* /48 for subscribers unless they can justify more
* /64 when you know for certain that one and only one subnet will ever be required
* /128 when you know for certain you're dealing with a single device
* Sparse allocation so whichever size you choose you can usually increase it by simply changing the prefix length.

Some folks also suggest:

* /56 for small customers (residential DSL and similar "always on" services)

But the real answers to your question are:

1. Be flexible. A /64 is four billion times less valuable than a single IPv4 address. If the customer tells you he wants a /56 or even a /48, just give it to him. At the /48 level, the customer is vastly more valuable than the addresses.
2. The world won't end if you assign /64's to traditional dynamic IP address residential customers and replace them with a /56 or /48 on request.
3. The world won't end if you assign one of your 16 million /56's to each customer up front.
4. No one has enough operational experience with IPv6 to know what the right answer will turn out to be here, so do what makes you happy and plan to adjust it later.

Regards,
Bill Herrin

--
William D. Herrin herrin@dirtside.com bill@herrin.us
3005 Crane Dr. Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
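As an added illustration of the sizes quoted in this thread and of the sparse-allocation point (not code from any poster): it counts sub-prefixes (the "16 million /56's" in a /32, the "four billion" /64s per IPv4 address), computes the HD ratio "in /56 virtuals" that Randy refers to (RFC 3194 defines it), and implements a toy allocator that hands each customer a /56 placed so it can become a /48 by changing only the prefix length. 2001:db8::/32 is the documentation prefix, standing in for an ISP's block.

```python
"""Prefix arithmetic and sparse /56 assignment for an IPv6 ISP block.

Added example for this thread (not any poster's code). 2001:db8::/32 is the
documentation prefix, standing in here for an ISP's allocation.
"""
import ipaddress
import math
from typing import Dict


def subprefix_count(parent_len: int, child_len: int) -> int:
    """Number of /child_len prefixes inside one /parent_len prefix."""
    if not 0 <= parent_len <= child_len <= 128:
        raise ValueError("need 0 <= parent <= child <= 128")
    return 1 << (child_len - parent_len)


def v64s_per_ipv4_address() -> int:
    """How many /64s exist per IPv4 address: 2**64 /64s against 2**32 addresses."""
    return subprefix_count(0, 64) // (1 << 32)


def hd_ratio(used_units: int, total_units: int) -> float:
    """Host-Density ratio (RFC 3194): log(used)/log(total). Measuring a /32
    in /56 units means total_units = subprefix_count(32, 56)."""
    if used_units < 1 or total_units < 2:
        raise ValueError("need used >= 1 and total >= 2")
    return math.log(used_units) / math.log(total_units)


def bit_reverse(value: int, width: int) -> int:
    """Reverse the low `width` bits of value: the sparse-allocation ordering."""
    return int(format(value, f"0{width}b")[::-1], 2)


class SparseAllocator:
    """Gives customer n the first /56 of the /48 whose index in the block is
    bit_reverse(n). Successive customers land as far apart as the block
    allows, so a /56 can later grow into its /48 without renumbering."""

    def __init__(self, block: str, reserve_len: int = 48, assign_len: int = 56):
        self.block = ipaddress.IPv6Network(block)
        if not self.block.prefixlen <= reserve_len <= assign_len <= 64:
            raise ValueError("need block <= reserve <= assign <= 64")
        self.reserve_len = reserve_len
        self.assign_len = assign_len
        self.width = reserve_len - self.block.prefixlen
        self.assigned: Dict[int, ipaddress.IPv6Network] = {}

    def reserved_for(self, customer: int) -> ipaddress.IPv6Network:
        """The /reserve_len set aside for this customer (a /48 by default)."""
        if not 0 <= customer < (1 << self.width):
            raise ValueError("block has no more reservations")
        index = bit_reverse(customer, self.width)
        start = int(self.block.network_address) + (index << (128 - self.reserve_len))
        return ipaddress.IPv6Network((start, self.reserve_len))

    def assign(self, customer: int) -> ipaddress.IPv6Network:
        """Hand out the first /assign_len of the customer's reservation."""
        start = int(self.reserved_for(customer).network_address)
        net = ipaddress.IPv6Network((start, self.assign_len))
        self.assigned[customer] = net
        return net

    def grow(self, customer: int, new_len: int) -> ipaddress.IPv6Network:
        """Shorten the customer's prefix in place, at most to the reservation."""
        current = self.assigned[customer]
        if not self.reserve_len <= new_len < current.prefixlen:
            raise ValueError("can only grow down to the reserved length")
        grown = current.supernet(new_prefix=new_len)
        # Same network address, so every address the customer already uses stays valid.
        assert grown.network_address == current.network_address
        for other, net in self.assigned.items():
            if other != customer and grown.overlaps(net):
                raise RuntimeError(f"would collide with customer {other}: {net}")
        self.assigned[customer] = grown
        return grown


if __name__ == "__main__":
    print("/56s in a /32:", subprefix_count(32, 56))          # 16777216
    print("/48s in a /32:", subprefix_count(32, 48))          # 65536
    print("/64s per IPv4 address:", v64s_per_ipv4_address())  # 4294967296
    # HD ratio of a /32 measured in /56s after 65,536 customers got one /56 each.
    print("HD ratio:", round(hd_ratio(65536, subprefix_count(32, 56)), 3))
    isp = SparseAllocator("2001:db8::/32")
    for n in range(4):
        print(f"customer {n}: {isp.assign(n)} (reserved {isp.reserved_for(n)})")
    print("customer 0 grown:", isp.grow(0, 48))
```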
participants (11):
- Christopher Morrow
- Church, Charles
- James Hess
- Joe Greco
- Mark Smith
- michael.dillon@bt.com
- Mohacsi Janos
- Randy Bush
- Rick Astley
- Sascha Lenz
- William Herrin