North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: v6 subnet size for DSL & leased line customers
- From: Owen DeLong
- Date: Fri Dec 21 12:56:12 2007
On Dec 21, 2007, at 9:39 AM, Joe Greco wrote:
The primary reasons I see for separate networks on v6 would include
firewall policy (DMZ, separate departmental networks, etc)...
This is certainly one reason for such things.
Really, in most "small business" networks I've seen, it's by far the
main
one if we want to be honest about it. The use of multiple networks to
increase performance, for example, is something you can design around
differently, and modern hardware supports things like LAG without
having
to get into the realm of unimaginably expensive hardware. Even if
you do
end up putting a quad port ethernet into a server with v6, the sizes
of
the allocations we're discussing would allow you 64 completely
separate
"workgroups" with their own server at the /56 allocation size (64 *
4 =
256).
Agreed. In fact, in any network large enough to matter, most modern
hardware forwards L2 and L3 at the same speed, so, there's essentially
no performance barrier.
OTOH, in many business netwoks I've seen, there is reason to segment
things into administrative boundaries, boundaries that result from media
conversion creating routed separation of segments, and, other topology
meets physical limitation issues. I find these to be at least as common
as the separation between Internal/External/DMZ.
And I'm having some trouble envisioning a residential end user that
honestly has a need for 256 networks with sufficiently differently
policies. Or that a firewall device can't reasonably deal with
those
policies even on a single network, since you mainly need to protect
devices from external access.
Perhaps this is a lack of imagination.
Imagine that your ethernet->bluetooth gateway wants to treat the
bluetooth
and ethernet segments as separate routed segments.
That /is/ a lack of imagination. ;-) Or, at least, reaching pretty
far.
The history of these sorts of devices has been, to date, one of
trying to
keep network configuration simple enough that an average user can use
them. That implies a default mode of bridging will be available.
You are ignoring the reality of the difference between IPv4 and IPv6.
With DHCP6 prefix delegation, creating a hierarchical routed topology
becomes as simple (from the end user perspective) as the bridged
topology today, and, requires a lot less thinking ability on the device.
Especially when you consider the possibility of many such topologies
evolving in a situation that could create a loop and the fact that most
such existing devices implement bridging without spanning tree.
Now, imagine that some of your bluetooth connected devices have
reasons
to have some topology behind them... For example, you have a master
appliance control center which connects via Bluetooth to your
network,
but, uses a different household control bus network to talk to
various
appliances. For security reasons, you've decided not to have your
kitchen appliances be able to talk to your media devices (Who wants
a virus in some downloaded movie to be able to change the temperature
in your refrigerator?).
Yes, and? You're saying there are no access controls at the gateway
level? I'm not entirely sure that I care for the idea of making
people
route things at the IP level just so they can protect their fridge
from
their DVD.
I'm saying that bridges tend not to have access controls or at least not
adequate access controls except in a few (l2 firewall oddities like
Netscreen/PIX in Bridge mode) exceptional cases. The point here
is that in IPv6, you aren't "making people route things", the routing
topology will mostly handle itself automatically, although, people
may wish to intervene to design the security policy or at least have
the ability to modify it from the default.
You are trying to apply strictly IPv4 thinking to IPv6, and, there are
some reasons that a significant paradigm shift is required.
I keep coming to the conclusion that an end-user can be made to work
on
a /64, even though a /56 is probably a better choice. I can't find
the
rationale from the end-user's side to allocate a /48. I can maybe
see
it if you want to justify it from the provider's side, the cost of
dealing
with multiple prefix sizes.
I can easily envision the need for more than a /64 in the average
home
within short order.
You should probably correct that from "need" to "want." There is
nothing
preventing the deployment of all of the below on a single /64, it
would
simply mean that there would be a market for smart firewalling
switches
that could isolate devices by address or range, rather than having
smart
firewalling routers that could isolate devices by subnet.
We will agree to disagree on this. Enforcing security policy within
a subnet is ugly at best and unreliable at worst. It makes
troubleshooting
harder. It makes security policy design more complex. It causes many
many more problems than it solves in my opinion.
If nothing else, the average home will probably
want to be able to accommodate:
Guest network
Home wired network
Wireless network(s)
Bluetooth segment(s)
Media network
Appliance Control netowrk
Lighting Control network
etc.
However, I agree that in any vision I can come up with today, the
need
for more than 256 is beyond my current imagination.
Again, I think this comes down to a matter of how configuration is
going
to be handled. I suspect that we're not going to see a substantial
increase in sophistication on the part of end users. I /believe/ that
this will likely mean that device manufacturers will be building
devices
that don't rely on routing for IPv6, since if I go on down to my
employer's
network and plug in a bluetooth gateway, there's really no guarantee
that
I'm going to be able to get my employer's network to magically route a
network at my gateway, but it's pretty obvious that my device can
play the
role of a bridge.
Actually, there is some guarantee that, in IPv6, you'll be able to do
that,
or, you will know that you could not. You will make a DHCP6 request
for a prefix delegation, and, you will receive it or be told no.
Most likely, that is how most such v6 gateways will function.
I think that bridges are less likely to be the norm in IPv6.
If we have significant customer-side routing of IPv6, then there's
going
to need to be some way to manage that. I guess that's RIPv6/ng. :-)
Nope... DHCPv6 prefix delegation and Router discovery.
More likely-seeming to me, would be that a provider might be willing
to
provide a CPE device that had 4, 8, or even 16 jacks on it - a mini-
router
with a separate /64 on each port, less "magic" to be figured out by
the end
user.
Sure. And likely, the /64s on each port will be assigned via DHCPv6
from
the upstream segment.
This leaves the question of how much you want to trust your ISP's
CPE for
firewalling policy ... among other things.
LoL... Trust my ISPs CPE? Not if they control it.
I think it makes sense to assign as follows:
/64 for the average current home user.
/56 for any home user that wants more than one subnet
/48 for any home user that can show need.
I'd say skip the /64 and /48. Don't do the /64, as future-
proofing. A
/48 is just something I cannot see need for, given the number of
addresses
available as a /56, unless the "home user" is actually providing
connectivity to a bunch of his nearby friends and neighbors.
I have no objection to skipping the /64, but, I don't think you'll get
much
traction with that with most of the larger ISPs (think AOL, Comcast,
etc.)
as I think they will want to charge more for a topology-supporting
service
than a single subnet if current business models are an example of their
plans for the future.
Having fewer options is going to be easier for the ISP, I suspect.
Nope. Each ISP can choose to offer whatever subset of these options
they consider
easiest. Having fewer options for them to choose from isn't easier
for them, it's putting
them in a straight-jacket, which, from my experience as an active
participant in the
ARIN policy process is usually not appreciated by them.
Owen
|