North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: v6 subnet size for DSL & leased line customers
- From: Owen DeLong
- Date: Fri Dec 21 12:56:12 2007
On Dec 21, 2007, at 9:39 AM, Joe Greco wrote:
The primary reasons I see for separate networks on v6 would include
firewall policy (DMZ, separate departmental networks, etc)...
This is certainly one reason for such things.
Really, in most "small business" networks I've seen, it's by far the
one if we want to be honest about it. The use of multiple networks to
increase performance, for example, is something you can design around
differently, and modern hardware supports things like LAG without
to get into the realm of unimaginably expensive hardware. Even if
end up putting a quad port ethernet into a server with v6, the sizes
the allocations we're discussing would allow you 64 completely
"workgroups" with their own server at the /56 allocation size (64 *
Agreed. In fact, in any network large enough to matter, most modern
hardware forwards L2 and L3 at the same speed, so, there's essentially
no performance barrier.
OTOH, in many business netwoks I've seen, there is reason to segment
things into administrative boundaries, boundaries that result from media
conversion creating routed separation of segments, and, other topology
meets physical limitation issues. I find these to be at least as common
as the separation between Internal/External/DMZ.
You are ignoring the reality of the difference between IPv4 and IPv6.
And I'm having some trouble envisioning a residential end user that
honestly has a need for 256 networks with sufficiently differently
policies. Or that a firewall device can't reasonably deal with
policies even on a single network, since you mainly need to protect
devices from external access.
Perhaps this is a lack of imagination.
Imagine that your ethernet->bluetooth gateway wants to treat the
and ethernet segments as separate routed segments.
That /is/ a lack of imagination. ;-) Or, at least, reaching pretty
The history of these sorts of devices has been, to date, one of
keep network configuration simple enough that an average user can use
them. That implies a default mode of bridging will be available.
With DHCP6 prefix delegation, creating a hierarchical routed topology
becomes as simple (from the end user perspective) as the bridged
topology today, and, requires a lot less thinking ability on the device.
Especially when you consider the possibility of many such topologies
evolving in a situation that could create a loop and the fact that most
such existing devices implement bridging without spanning tree.
Now, imagine that some of your bluetooth connected devices have
to have some topology behind them... For example, you have a master
appliance control center which connects via Bluetooth to your
but, uses a different household control bus network to talk to
appliances. For security reasons, you've decided not to have your
kitchen appliances be able to talk to your media devices (Who wants
a virus in some downloaded movie to be able to change the temperature
in your refrigerator?).
Yes, and? You're saying there are no access controls at the gateway
level? I'm not entirely sure that I care for the idea of making
route things at the IP level just so they can protect their fridge
I'm saying that bridges tend not to have access controls or at least not
adequate access controls except in a few (l2 firewall oddities like
Netscreen/PIX in Bridge mode) exceptional cases. The point here
is that in IPv6, you aren't "making people route things", the routing
topology will mostly handle itself automatically, although, people
may wish to intervene to design the security policy or at least have
the ability to modify it from the default.
You are trying to apply strictly IPv4 thinking to IPv6, and, there are
some reasons that a significant paradigm shift is required.
We will agree to disagree on this. Enforcing security policy within
I keep coming to the conclusion that an end-user can be made to work
a /64, even though a /56 is probably a better choice. I can't find
rationale from the end-user's side to allocate a /48. I can maybe
it if you want to justify it from the provider's side, the cost of
with multiple prefix sizes.
I can easily envision the need for more than a /64 in the average
within short order.
You should probably correct that from "need" to "want." There is
preventing the deployment of all of the below on a single /64, it
simply mean that there would be a market for smart firewalling
that could isolate devices by address or range, rather than having
firewalling routers that could isolate devices by subnet.
a subnet is ugly at best and unreliable at worst. It makes
harder. It makes security policy design more complex. It causes many
many more problems than it solves in my opinion.
Actually, there is some guarantee that, in IPv6, you'll be able to do
If nothing else, the average home will probably
want to be able to accommodate:
Home wired network
Appliance Control netowrk
Lighting Control network
However, I agree that in any vision I can come up with today, the
for more than 256 is beyond my current imagination.
Again, I think this comes down to a matter of how configuration is
to be handled. I suspect that we're not going to see a substantial
increase in sophistication on the part of end users. I /believe/ that
this will likely mean that device manufacturers will be building
that don't rely on routing for IPv6, since if I go on down to my
network and plug in a bluetooth gateway, there's really no guarantee
I'm going to be able to get my employer's network to magically route a
network at my gateway, but it's pretty obvious that my device can
role of a bridge.
or, you will know that you could not. You will make a DHCP6 request
for a prefix delegation, and, you will receive it or be told no.
Most likely, that is how most such v6 gateways will function.
I think that bridges are less likely to be the norm in IPv6.
If we have significant customer-side routing of IPv6, then there's
goingNope... DHCPv6 prefix delegation and Router discovery.
to need to be some way to manage that. I guess that's RIPv6/ng. :-)
More likely-seeming to me, would be that a provider might be willing
toSure. And likely, the /64s on each port will be assigned via DHCPv6
provide a CPE device that had 4, 8, or even 16 jacks on it - a mini-
with a separate /64 on each port, less "magic" to be figured out by
the upstream segment.
This leaves the question of how much you want to trust your ISP's
CPE forLoL... Trust my ISPs CPE? Not if they control it.
firewalling policy ... among other things.
I have no objection to skipping the /64, but, I don't think you'll get
I think it makes sense to assign as follows:
/64 for the average current home user.
/56 for any home user that wants more than one subnet
/48 for any home user that can show need.
I'd say skip the /64 and /48. Don't do the /64, as future-
/48 is just something I cannot see need for, given the number of
available as a /56, unless the "home user" is actually providing
connectivity to a bunch of his nearby friends and neighbors.
traction with that with most of the larger ISPs (think AOL, Comcast,
as I think they will want to charge more for a topology-supporting
than a single subnet if current business models are an example of their
plans for the future.
Having fewer options is going to be easier for the ISP, I suspect.Nope. Each ISP can choose to offer whatever subset of these options
easiest. Having fewer options for them to choose from isn't easier
for them, it's putting
them in a straight-jacket, which, from my experience as an active
participant in the
ARIN policy process is usually not appreciated by them.