Like so many things IPv6, many of the wifi vendors seem to lack decent support for IPv6 clients. I'm not sure why I thought the situation was better than it seems to be, I guess I'm just an optimist.

Anyway, what wifi vendors provide the best support for IPv6? I don't really care too much about management, but to deploy wifi in a service provider environment with IPv6, it would seem that you'd want at least:

RA Guard
DHCPv6 Shield (unless you just do SLAAC, I guess)
IPv6 Source Address Guard

Am I missing anything critical?

--
Brandon Ross
Yahoo & AIM: BrandonNRoss
+1-404-635-6667
ICQ: 2269442
Schedule a meeting: https://doodle.com/bross
Skype: brandonross
MLD Snooping and IPv6 ACLs are a must.

Check to make sure that the solution allows for many (for your network's definition of many) IPv6 addresses per host. You'll have at least three per host between link local, global, and one or more privacy addresses.

I've been providing native dual stack on my Cisco controller based wireless network for a few years now. IPv6 support was brought up a notch with the 7.2 code release. RA Guard was the obvious big feature that was added, but I also appreciated the addition of ND caching to keep that chatter down. http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae5...

I've also used some Ruckus gear on an IPv6 network and it seemed to have all the right knobs and pass all the right IPv6 packets. Though this was on my home network so I can't speak to their IPv6 scalability (no reason to doubt it, just wanted to be clear).

Feel free to ping me on or off list about either if you have more specific questions.

-Luke

On Mon, Feb 11, 2013 at 9:23 PM, Brandon Ross <bross@pobox.com> wrote:
Like so many things IPv6, many of the wifi vendors seem to lack decent support for IPv6 clients. I'm not sure why I thought the situation was better than it seems to be, I guess I'm just an optimist.
Anyway, what wifi vendors provide the best support for IPv6? I don't really care too much about management, but to deploy wifi in a service provider environment with IPv6, it would seem that you'd want at least:
RA Guard
DHCPv6 Shield (unless you just do SLAAC, I guess)
IPv6 Source Address Guard
Am I missing anything critical?
--
Brandon Ross
Yahoo & AIM: BrandonNRoss
+1-404-635-6667
ICQ: 2269442
Schedule a meeting: https://doodle.com/bross
Skype: brandonross

--
=-=-=-=-=-=-=-=-=-=-=-=
Luke Jenkins
Network Engineer
Weber State University
On Tue, 12 Feb 2013, Luke Jenkins wrote:
MLD Snooping and IPv6 ACLs are a must.
MLD Snooping only seems important to me if you are actually going to do multicast outside of the local broadcast domain, which I can't imagine doing in most service provider environments. Am I missing a reason for it or a use case otherwise?
Check to make sure that the solution allows for many (for your network's definition of many) IPv6 addresses per host. You'll have at least three per host between link local, global, and one or more privacy addresses.
It would seem to me that either a wifi vendor would support source address shield for IPv6, which MUST include multiple addresses, or it would just pass everything without paying attention to source addresses. Is there a vendor that does not do one or the other? If so, please name names.
I've been providing native dual stack on my Cisco controller based wireless network for a few years now. IPv6 support was brought up a notch with the 7.2 code release. RA Guard was the obvious big feature that was added, but I also appreciated the addition of ND caching to keep that chatter down. http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae5...
Nice. Can you confirm if they've added DHCPv6 shield too? Source address shield for IPv6?
I've also used some Ruckus gear on an IPv6 network and it seemed to have all the right knobs and pass all the right IPv6 packets. Though this was on my home network so I can't speak to their IPv6 scalability (no reason to doubt it, just wanted to be clear).

Thanks, that's a useful data point.

--
Brandon Ross
Yahoo & AIM: BrandonNRoss
+1-404-635-6667
ICQ: 2269442
Schedule a meeting: https://doodle.com/bross
Skype: brandonross
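The three features in Brandon's checklist, and the "many addresses per host" point from Luke's reply, as an added worked example for this page. This is not code from any poster or vendor: it is a toy per-port model of RA Guard, DHCPv6 Shield and IPv6 source address guard. The port names, addresses and frames are constructed; the only real values are the ICMPv6 Router Advertisement type (134, RFC 4861), the DHCPv6 Advertise/Reply message types (2 and 7) and the DHCPv6 server port (547, RFC 8415). The binding table deliberately holds several addresses for one host, which is the property Brandon says a source guard MUST have.

```python
# Added example (not from the thread): a toy per-port model of RA Guard,
# DHCPv6 Shield and IPv6 source address guard. Port names, addresses and
# frames are constructed; protocol constants are from RFC 4861 / RFC 8415.
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Dict, Optional, Set, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134        # RFC 4861
DHCPV6_ADVERTISE, DHCPV6_REPLY = 2, 7    # server-originated DHCPv6 messages, RFC 8415
DHCPV6_SERVER_PORT = 547


@dataclass
class Frame:
    port: str                          # ingress port
    src: IPv6Address
    icmpv6_type: Optional[int] = None  # set for ICMPv6 frames
    dhcpv6_msg: Optional[int] = None   # set for DHCPv6 frames
    udp_src_port: Optional[int] = None


@dataclass
class PortPolicy:
    role: str                          # "host" (untrusted) or "router" (trusted uplink)
    bindings: Set[IPv6Address] = field(default_factory=set)  # addresses the host may source from


class FirstHopSecurity:
    def __init__(self) -> None:
        self.ports: Dict[str, PortPolicy] = {}

    def add_port(self, name: str, role: str) -> None:
        self.ports[name] = PortPolicy(role)

    def learn_binding(self, port: str, addr: str) -> None:
        """Record an address a host legitimately claimed on this port (what
        ND/DAD or DHCPv6 snooping would learn). One host holds several:
        link-local, global, and one or more privacy addresses."""
        self.ports[port].bindings.add(IPv6Address(addr))

    def check(self, f: Frame) -> Tuple[bool, str]:
        """Return (forward?, reason) for a frame entering port f.port."""
        p = self.ports[f.port]
        # RA Guard: Router Advertisements are accepted only on router-facing ports.
        if f.icmpv6_type == ICMPV6_ROUTER_ADVERTISEMENT and p.role != "router":
            return False, "ra-guard"
        # DHCPv6 Shield: server-originated DHCPv6 only from trusted ports.
        server_msg = f.dhcpv6_msg in (DHCPV6_ADVERTISE, DHCPV6_REPLY)
        if p.role != "router" and (server_msg or f.udp_src_port == DHCPV6_SERVER_PORT):
            return False, "dhcpv6-shield"
        # Source guard: a host port may only source from its learned bindings,
        # so the binding table must hold every address the host actually has.
        if p.role == "host" and f.src not in p.bindings:
            return False, "source-guard"
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: one wireless client with three addresses plus a trusted uplink."""
    fhs = FirstHopSecurity()
    fhs.add_port("uplink", "router")
    fhs.add_port("client-1", "host")
    for addr in ("fe80::1", "2001:db8::1", "2001:db8::a1b2:c3d4:e5f6:789a"):
        fhs.learn_binding("client-1", addr)   # link-local, global, privacy
    ll = IPv6Address("fe80::1")
    return {
        "ra_from_uplink": fhs.check(Frame("uplink", IPv6Address("fe80::ffff"), icmpv6_type=134)),
        "ra_from_client": fhs.check(Frame("client-1", ll, icmpv6_type=134)),
        "dhcpv6_reply_from_client": fhs.check(Frame("client-1", ll, dhcpv6_msg=DHCPV6_REPLY, udp_src_port=547)),
        "privacy_addr_ok": fhs.check(Frame("client-1", IPv6Address("2001:db8::a1b2:c3d4:e5f6:789a"))),
        "unbound_src": fhs.check(Frame("client-1", IPv6Address("2001:db8::99"))),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:26s} {'forward' if ok else 'drop':8s} {why}")
```

The point of the last two cases is the one Brandon raises: the same host's privacy address is forwarded because it is in the binding table, while an address the host never claimed is dropped. A guard that could hold only one binding per port would drop legitimate privacy-address traffic, which is why the per-host address count matters when evaluating a vendor.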
On Tue, 2013-02-12 at 13:49 -0500, Brandon Ross wrote:
MLD Snooping and IPv6 ACLs are a must.
MLD Snooping only seems important to me if you are actually going to do multicast outside of the local broadcast domain
MLD snooping allows the switch to send multicast traffic only to those listeners wanting to receive it. Without MLD snooping, the switch floods multicast to all ports. May be a security issue, is definitely a traffic issue, though in a small network, it may make no difference.

For example, multicast is used by ND, the IPv6 equivalent of ARP. MLD snooping means only a few hosts (typically only one, in fact) in the subnet see any given ND request. Without MLD snooping, every port in the subnet sees it. Or DHCPv6 - without MLD snooping, every port sees all client traffic for all DHCP requests; with MLD snooping only the routers/relays in the subnet see it.

"See" with MLD snooping means "see it at all", not "see and ignore it" as in the broadcast world.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog
GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
On Wed, 13 Feb 2013, Karl Auer wrote:
For example, multicast is used by ND, the IPv6 equivalent of ARP. MLD snooping means only a few hosts (typically only one, in fact) in the subnet see any given ND request. Without MLD snooping, every port in the subnet sees it. Or DHCPv6 - without MLD snooping, every port sees all client traffic for all DHCP requests; with MLD snooping only the routers/relays in the subnet see it. "See" with MLD snooping means "see it at all", not "see and ignore it" as in the broadcast world.
Oh really? Exactly when during the ND process does a device send an MLD message that can be snooped?

--
Brandon Ross
Yahoo & AIM: BrandonNRoss
+1-404-635-6667
ICQ: 2269442
Schedule a meeting: https://doodle.com/bross
Skype: brandonross
On Tue, 2013-02-12 at 15:40 -0500, Brandon Ross wrote:
On Wed, 13 Feb 2013, Karl Auer wrote:
For example, multicast is used by ND, the IPv6 equivalent of ARP. MLD
Oh really? Exactly when during the ND process does a device send an MLD message that can be snooped?

ND just uses multicast, so MLD messages are not really part of ND itself. But during the setup of any interface with an IPv6 address, MLD traffic will move and can be snooped on. The switch then knows what listeners are where, so when for example an NS is sent to the solicited node multicast address of a target during ND, the switch can send it only to those hosts it knows are listeners on that group.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog
GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
On Wed, 13 Feb 2013, Karl Auer wrote:
The switch then knows what listeners are where, so when for example an NS is sent to the solicited node multicast address of a target during ND, the switch can send it only to those hosts it knows are listeners on that group.
Okay, so then to answer my own question from earlier, the answer is actually that an MLD is sent when an interface configures a new address to join the appropriate solicited node multicast group. It seems that, then, MLD snooping is valuable as it will prevent DAD and other ND traffic from using bandwidth towards hosts not in that group.

Other than solicited node multicast, is MLD used anywhere else in a network that does not have layer 3 multicast enabled on a router?

--
Brandon Ross
Yahoo & AIM: BrandonNRoss
+1-404-635-6667
ICQ: 2269442
Schedule a meeting: https://doodle.com/bross
Skype: brandonross
On Tue, 2013-02-12 at 16:29 -0500, Brandon Ross wrote:
It seems that, then, MLD snooping is valuable as it will prevent DAD and other ND traffic from using bandwidth towards hosts not in that group.
It will prevent *all* multicast traffic from using bandwidth towards hosts not in the multicast groups involved. ND, DAD etc are just specific cases.
Other than solicited node multicast, is MLD used anywhere else in a network that does not have layer 3 multicast enabled on a router?
MLD is used for all multicast - so a DHCPv6 packet, for example, will only go to any relays and servers in the subnet. *Any* multicast will be limited to its listeners. The only multicast that will go to all nodes will be multicast sent to the "all link-local nodes" address - and even that will not go to non-IPv6 nodes.

MLD snooping happens on switches - you will get the benefit even if in an isolated network (no router at all).

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog
GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
On Feb 12, 2013, at 7:32 PM, Karl Auer <kauer@biplane.com.au> wrote:
On Tue, 2013-02-12 at 16:29 -0500, Brandon Ross wrote:
It seems that, then, MLD snooping is valuable as it will prevent DAD and other ND traffic from using bandwidth towards hosts not in that group.
It will prevent *all* multicast traffic from using bandwidth towards hosts not in the multicast groups involved. ND, DAD etc are just specific cases.
Other than solicited node multicast, is MLD used anywhere else in a network that does not have layer 3 multicast enabled on a router?
MLD is used for all multicast - so a DHCPv6 packet, for example, will only go to any relays and servers in the subnet. *Any* multicast will be limited to its listeners. The only multicast that will go to all nodes will be multicast sent to the "all link-local nodes" address - and even that will not go to non-IPv6 nodes.
MLD snooping happens on switches - you will get the benefit even if in an isolated network (no router at all).
In a wifi environment, however, this has additional complexity. A multicast packet originating within the WAP or from the wired side of the WAP and destined for more than one wireless host should be sent to be heard by all hosts so it is only transmitted once. Otherwise it ties up excessive air time. In this regard, a WAP is more like a hub than a switch.

A multicast packet originating from a wifi host, OTOH, must be repeated by the WAP so that all subscribed hosts can hear it.

Owen
Rather old document from 2010: Cisco + IPv6 over CAPWAP protocol: http://d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKEWN-2010.pdf
Access point support from many vendors seems okay. But another vendor gap on IPv6 is WiFi AAA, policy servers, and tunnel servers from vendors like Ericsson and ALU. I hope to see richer IPv6 support for these aspects of WiFi (helpful for those operating lots of outdoor WiFi systems for example).

Jason

On 2/11/13 11:23 PM, "Brandon Ross" <bross@pobox.com> wrote:
Like so many things IPv6, many of the wifi vendors seem to lack decent support for IPv6 clients. I'm not sure why I thought the situation was better than it seems to be, I guess I'm just an optimist.
Anyway, what wifi vendors provide the best support for IPv6? I don't really care too much about management, but to deploy wifi in a service provider environment with IPv6, it would seem that you'd want at least:
RA Guard
DHCPv6 Shield (unless you just do SLAAC, I guess)
IPv6 Source Address Guard
Am I missing anything critical?
--
Brandon Ross
Yahoo & AIM: BrandonNRoss
+1-404-635-6667
ICQ: 2269442
Schedule a meeting: https://doodle.com/bross
Skype: brandonross
participants (6)
- Brandon Ross
- excelsio@gmx.com
- Karl Auer
- Livingood, Jason
- Luke Jenkins
- Owen DeLong