Re: New Office, New Network. Questions.
Here are my replies on this e-mail. Sorry for the late replies!
On Sun, 10 Jul 2016 21:53:52 +0300, Nikolai Petrov said:
1. Currently we do not have IPv6 in our network but I have seen the ISP is giving us a "/56 Block" which from what I understand is a couple hundred "/64 Subnets". I think you can only have /64 subnets in IPv6. In our IPv4 setup we
You can have other sized subnets, but 64 is very handy if you intend to use SLAAC auto-configure. There's also the danger of running into broken equipment that doesn't understand other sized subnets (similar to very old IPv4 gear that understood a /24, but exploded if told about a /23 or /25).
I really like SLAAC and its design and I would very much like to use it. Therefore we will be using /64 IP Ranges. Is there any way to limit the amount of devices in a subnet to avoid problems and attacks? I don't think the equipment will work with 2^64 devices in a single subnet..
have 32 addresses, four of which I will use for NAT and the remaining needed for online services and servers. In IPv6 we have a lot of addresses but I am not sure whether I should give an address of the ISP to every device. I found
Assign a /64 to everyplace that you would assign a subnet in IPv4. Give each device on that subnet its own address. Use DHCPv6 or SLAAC or both, whatever gets the job done in your situation. Don't worry about NAT anymore, you have enough addresses.
that there is an organization that can help avoid collisions in private IPs: https://www.sixxs.net/tools/grh/ula/ . From what I can tell it is just a registry, but I am thinking of registering the ranges there and then use these subnets and NAT them to the IPv6 address of the router.
Don't do that. NAT was invented to fix a problem that IPv6 doesn't have. Feel free to give every single device a global address. (You'll still want a stateful firewall someplace, but it doesn't have to do NAT, it just has to keep track of legitimate versus malicious traffic).
So why are these addresses there? For installations not connected to the Internet?
And don't freak out if a device has more than one address. As I'm writing this from the sofa in my living room, my laptop wireless has:
ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.150  netmask 255.255.255.224  broadcast 192.168.1.159
        inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:c01:a589:19a4:236e  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431::d67  prefixlen 128  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x20<link>
        inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9  prefixlen 64  scopeid 0x0<global>
        ether c8:d7:19:37:0c:02  txqueuelen 1000  (Ethernet)
(One DHCPv6 - ::d67. One SLAAC - the one with ff:fe in it. And 4 different RFC3041 privacy addresses that it's chunked out over the weekend. It works just fine that way - and it's *designed* to do so. Of course, in a corporate environment, you may want to turn the privacy addresses off, and only use one of DHCPv6/SLAAC - I do it this way because it tests for broken software...)
Thanks for letting me know ahead of time. I have looked up about the privacy addresses and we don't need them as you say. Is there a reason you use DHCPv6 and SLAAC? Is it for compatibility? Can I use the DHCPv4 to give out DNSv6 addresses?
Oh, and don't block ICMPv6. :)
I was never a fan of blocking ICMP except the redirects in some cases..
something strange. The WAN port of our router gets a /64 IPv6 address which is not in our IPv6. Should I use this for NAT or one of "our" addresses?
You use it for the IP address of the provider-facing interface of your router. Assign the "inside" interface(s) addresses on the appropriate /64 subnet that they will be on.
Oh, so this is like BGP.. In my previous company we had BGP connections and we used an IPv4 /30 for these connections which was not within our IP range. I thought they would give us a /126 and not a full /64 so I did not think that was it.. Thanks!
On Tue, 12 Jul 2016 15:30:11 +0300, Nikolai Petrov said:
Is there any way to limit the amount of devices in a subnet to avoid problems and attacks? I don't think the equipment will work with 2^64 devices in a single subnet..
Sure. Just don't connect that many devices to one subnet, just the same as you do in IPv4. No need to drop them all into one subnet. You got a /56, so you can make 256 /64s out of it. Carve it up whatever way your cabling says to do it. Maybe one subnet for your external router to all your in-building switches, then each switch has a subnet for one floor/office suite/whatever and 1 interface on your organization-wide fabric. Maybe something else - but in general you'll be using a subnet everyplace you'd use one in IPv4.
So why are these addresses there? For installations not connected to the Internet?
Exactly. It's an attempt to avoid the current mess during corporate acquisitions where they find out that both companies used 10.16.12.0/24 for different things.
Is there a reason you use DHCPv6 and SLAAC? Is it for compatibility?
My laptop works just fine at both home and work just using SLAAC - I hit both mostly to make sure that if I'm travelling and hit someplace where the routers don't do SLAAC, I'll still configure. And as I noted, I do it at least partially to stress-test for stuff like network logging tools, to make sure they don't fall over if they see an address that isn't either SLAAC or DHCPv6, and so on...
Can I use the DHCPv4 to give out DNSv6 addresses?
No. You'll need to use either SLAAC or DHCPv6 for that.
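As an added illustration of the two points above (not code from anyone in this thread): the address types in the ifconfig output quoted earlier, and carving a /56 into /64s. The global and link-local addresses are the ones from that output; the ULA and the 2001:db8 prefix are constructed.

```python
import ipaddress

# Constructed sample: the global/link-local addresses from the ifconfig output
# quoted above, plus one ULA (fc00::/7) made up for contrast.
SAMPLE_ADDRESSES = [
    "2601:5c0:c100:6431:cad7:19ff:fe37:c02",  # SLAAC (EUI-64 from the MAC)
    "2601:5c0:c100:6431:c01:a589:19a4:236e",  # RFC 3041/4941 privacy address
    "2601:5c0:c100:6431::d67",                # DHCPv6 lease
    "fe80::cad7:19ff:fe37:c02",               # link-local
    "fd12:3456:789a::1",                      # ULA, constructed
]

def eui64_mac(addr):
    """Return the MAC embedded in a modified-EUI-64 interface ID, else None."""
    iid = addr.packed[8:]                     # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":               # SLAAC stuffs ff:fe in the middle
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in mac)

def classify(text):
    """Tag one IPv6 address by scope and by how its interface ID was chosen."""
    addr = ipaddress.IPv6Address(text)
    if addr.is_link_local:
        scope = "link-local"
    elif addr.is_private:                     # fc00::/7 ULA
        scope = "ula"
    elif addr.is_global:
        scope = "global"
    else:
        scope = "other"
    mac = eui64_mac(addr)
    if mac:
        kind = "slaac-eui64"                  # stable, reveals the MAC
    elif int(addr) & ((1 << 64) - 1) < 0x10000:
        kind = "static-or-dhcpv6"             # short IID, easy to type in ACLs
    else:
        kind = "privacy-or-random"            # rotates, hard to track in logs
    return {"scope": scope, "kind": kind, "mac": mac}

def carve(prefix, names):
    """Carve the ISP /56 into /64s, one per place you'd put an IPv4 subnet."""
    block = ipaddress.IPv6Network(prefix)
    subnets = block.subnets(new_prefix=64)    # a /56 yields 256 /64s
    return {name: str(next(subnets)) for name in names}

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(a, classify(a))
    print(carve("2001:db8:1234:ab00::/56", ["core", "floor-1", "floor-2"]))
```

The recovered MAC for the SLAAC address matches the ether line in the ifconfig output, which is exactly why privacy addresses exist and why DHCPv6 leases are easier to tie to a machine.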
"Is there a reason you use DHCPv6 and SLAAC? Is it for compatibility? Can I use the DHCPv4 to give out DNSv6 addresses?"
Unless you plan on having IPv6 only hosts, there is no advantage in providing IPv6 DNS servers. Just stay with IPv4 for your DNS resolver in the DHCPv4 config. Notice that your IPv4 DNS resolver is perfectly capable of providing AAAA IPv6 replies.
Using DHCPv6 in a corporate environment makes it easier to track which machine has an IP address as you can look up the info in the DHCP lease database. Also some prefer the nice short addresses that you get from DHCP compared to SLAAC.
My network has both enabled, so my tablet has the following two addresses:
SLAAC: 2a00:7660:5c6:0:74cd:d48c:8230:a44f
DHCP: 2a00:7660:5c6::701
The latter is easier to type if you have to add rules to your firewall etc.
Regards
Baldur
To provide some additional clarity and detail:
1. No, you can't to the best of my knowledge hand out any IPv6 parameters via IPv4, nor should you really want to.
2. You can hand out IPv6 DNS resolver information from either or both of SLAAC and DHCPv6. For SLAAC, you'll need routers that support RFC 6106. Juniper finally added this in 14.1. Cisco added it in 15.4(1)T, 15.3(2)S. More information here: https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_system... To the best of my knowledge, DNS is a configuration option in all DHCPv6 implementations.
3. I disagree with Baldur about not bothering with IPv6 DNS resolvers. Given that the long term goal is to get back to single-stack networking, but with the single stack being IPv6, each and every vestigial IPv4 dependency you leave lying around is just another thing you need to clean up at some point in the future. Since it's so completely easy to enable dual-stack (or even better IPv6-only) resolving when you first deploy IPv6 to your end-systems, why not just do that?
Owen
On Jul 13, 2016, at 15:53 , Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
"Is there a reason you use DHCPv6 and SLAAC? Is it for compatibility? Can I use the DHCPv4 to give out DNSv6 addresses?"
Unless you plan on having IPv6 only hosts, there is no advantage in providing IPv6 DNS servers. Just stay with IPv4 for your DNS resolver in the DHCPv4 config. Notice that your IPv4 DNS resolver is perfectly capable of providing AAAA IPv6 replies.
Using DHCPv6 in a corporate environment makes it easier to track which machine has an IP address as you can look up the info in the DHCP lease database. Also some prefer the nice short addresses that you get from DHCP compared to SLAAC.
My network has both enabled, so my tablet has the following two addresses:
SLAAC: 2a00:7660:5c6:0:74cd:d48c:8230:a44f
DHCP: 2a00:7660:5c6::701
The latter is easier to type if you have to add rules to your firewall etc.
Regards
Baldur
participants (4): Baldur Norddahl, Nikolai Petrov, Owen DeLong, Valdis.Kletnieks@vt.edu