North American Network Operators Group


RE: Assigning IPv6 /48's to CPE's?

  • From: Church, Charles
  • Date: Mon Dec 31 16:28:55 2007

So after reading this thread for a while, it's starting to make sense
that all subnets need to be /64.  So it's best to think of IPv6 like
IPX, but with a 64 bit network address.  I'm curious where the 64 bits
reserved for interface comes from though.  Haven't seen the history
behind that discussed really.  Ethernet MACs being 48 bits would seem
like a natural choice, leaving 80 bits for network addressing.  This
waste of space seems vaguely familiar to handing out Class A netblocks
20+ years ago.  "We'll never run out"...  Maybe it's just me though.

Chuck

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Joe Greco
Sent: Monday, December 31, 2007 11:18 AM
To: Rick Astley
Cc: [email protected]
Subject: Re: Assigning IPv6 /48's to CPE's?



> I see there is a long thread on IPv6 address assignment going, and I
> apologize that I did not read all of it, but I still have some unanswered
> questions.

The answers to some of this are buried within it.

> I believe someone posted the ARIN recommendation that carriers assign out
> /64's and /56's, and in a few limited cases, /48.
> 
> I can understand corporations getting more than a /64 for their needs, but
> certainly this does not mean residential ISP subscribers, right?

That answer, along with detailed information, is within that thread.  In an
ideal world, yes, it does mean resi subscribers.  Some of us would like to
see that very much, but are simultaneously expecting that something less
optimal will happen.

> I can understand the need for /64's because the next 64 bits are for the
> client address, but there seems to be this idea that one and only one node
> may use a whole /64.

Certainly, if the node is the only one on the subnet.

> So in the case of Joe, the residential DSL subscriber
> who has 50,000 PCs, TiVo's, microwaves, and nanobots that all need unique
> routable IP addresses, what is to stop him from assigning them unique client
> ID's (last 64 bits) under the same /64? We can let Joe put in some switches,
> and if that isn't enough he should consider upgrading from his $35/month DSL
> or $10/month dial up anyway.

I don't think it was ever in doubt that people could stick lots of devices
on a single /64.  The question is more one of "under what circumstances
would a site want more than a /64."

One is when you're crossing boundaries between network protocols (Ethernet
to HomeControlNet or whatever).  Repeat for Bluetooth or any other
alternative technology.

Many would prefer to see firewalling handled at the L3 boundary between
networks, which is an indication for multiple /64's.  While I certainly
agree that this is attractive, and ought to be possible in IPv6, the fact
is that it still represents a disruption of the broadcast domain, and
requires that all firewall-candidate traffic be routed.  This could have
an impact to a site that deems a sudden firewall policy change necessary,
such as "my PC #3 just got infected, stop it from talking to local
network but allow it to download virus updates."  I believe that there
could (and should) be a natural evolution towards deconstructing the
requirements at which layer these sorts of policies are implemented.  I
would very much like to see a layer 2/3 switch that is capable of
implementing a firewall policy /for a port/, and having the onboard
software be sufficiently intelligent that an end-user can deal with his
firewalling switch as an abstract item, without having to understand
the underlying network topology.  This could even be generalized into a
useful "general purpose networking" device, that could provide services
such as VPN's.

However, I am certain that there will be situations in which DHCP PD does
not work, and so I expect that most protocol bridges will in fact be able
to support bridging from an already populated IPv6 /64.

> My next question is that there is this idea that there will be no NAT in the
> IPv6 world. Some companies have old IPv4 only software, some companies have
> branch offices using the same software on different networks, and some like
> the added security NAT provides.

What "added security" would that be, exactly?  Introducing a proper stateful
firewall would give you about the same security, without the penalties of
having to write proxyware for every new protocol that comes along.  There
/are/ some differences; a NAT gateway is less likely to fail to firewall in
a catastrophic manner, for example: if it isn't working, network
connectivity vaporizes.  A stateful firewall might go away and leave you
with your pants down.  However, that doesn't really make NAT a better
technology...

{P,N}AT is a technology that was designed to allow more than one computer
to share {ports, addresses}.  This is fundamentally unnecessary in IPv6
because there are plenty of addresses available, and providers are expected
to hand them out like candy.

I would much prefer to see a different security model evolve, where even
residential class equipment gains the ability to do smart firewalling.
Some of that discussion is in the thread you skipped.

> There are also serious privacy concerns with having a MAC address within an
> IP address. Aside from opening the doors to websites to share information on
> specific users, lack of NAT also means the information they have is more
> detailed in households where separate residents use different computers. I
> can become an IPv4 stranger to websites once a week by deleting cookies,
> IPv6 means they can profile exactly what I do over periods of years from
> work, home, starbucks, it doesn't matter. I don't see NAT going away any
> time soon.

This seems to be an urban myth.  Your current average broadband customer
is leased an IP address that may stay active for years at a time.  To
imagine that most websites care about "a specific PC behind a NAT gateway"
as opposed to "the small set of users behind this IP address" is a minor
distinction at best - they can still track you, and since most households
only have a single computer, it's best to assume they can already deal with
the more difficult realities of multiple users on a single computer.

Given the ready availability of addresses, it may not be that long before
we start seeing the anti-NAT happen; a single PC that utilizes a vaguely
RFC3041-like strategy, but instead of allocating a single address at a
time, it may allocate a /pool/ of them from the local subnet, and use a
different IPv6 address for each outgoing request.  Think of it as
extending the port number field into the lower bits of the address field...
I'm sure someone has a name for this already, but I have no idea what it
is.

Anyways, I suggest you run over and read

http://www.6net.org/publications/standards/draft-vandevelde-v6ops-nap-01.txt

as it is useful foundation material to explain IPv6 strategies and how they
differ from IPv4.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
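The arithmetic behind three points in this thread, as an added example that is not part of the original posts: Chuck's question about where a 64-bit interface identifier comes from when a MAC is only 48 bits (the modified EUI-64 construction of RFC 4291 inserts 0xFFFE and flips the universal/local bit), the privacy concern about a MAC being recoverable from an address (contrasted with an RFC 3041-style random identifier, which carries no MAC), and the /48 versus /56 versus /64 sizing question (how many /64 subnets each delegation holds). The MAC address and the 2001:db8::/32 documentation prefix are constructed sample values, and the function names are this example's own.

```python
import ipaddress
import secrets
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC.

    The MAC is split into its OUI and NIC halves, 0xFFFE is inserted between
    them, and the universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_iid_to_mac(iid: bytes) -> Optional[str]:
    """Reverse the construction above; None when the IID is not MAC-derived
    (for example an RFC 3041-style temporary identifier)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def random_iid() -> bytes:
    """RFC 3041-style temporary interface ID: 64 random bits with the
    universal/local bit cleared so it can never be mistaken for a real EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear the 0x02 bit
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface ID, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_behind(address: str) -> Optional[str]:
    """What a remote web server could read off a MAC-derived source address."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    return eui64_iid_to_mac(iid)


def subnet_count(prefix: str) -> int:
    """Number of /64 subnets a delegated prefix contains."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("prefix is longer than /64, it holds no whole /64")
    return 1 << (64 - net.prefixlen)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"        # constructed sample MAC
    prefix = "2001:db8:1:2::/64"      # documentation prefix, not a real allocation
    eui = slaac_address(prefix, mac_to_eui64_iid(mac))
    tmp = slaac_address(prefix, random_iid())
    print("EUI-64 address:   ", eui, "-> MAC recoverable:", mac_behind(str(eui)))
    print("temporary address:", tmp, "-> MAC recoverable:", mac_behind(str(tmp)))
    for p in ("2001:db8::/48", "2001:db8::/56", "2001:db8::/64"):
        print(p, "holds", subnet_count(p), "/64 subnet(s)")
```

Running it shows the MAC-derived address 2001:db8:1:2:21a:2bff:fe3c:4d5e giving the original MAC straight back to anyone who sees the packet, while the temporary address yields nothing; that is the whole difference the privacy addressing work addresses. The 0xFFFE marker is also what makes a MAC-derived address trivially recognisable in logs, so a site that cares about the profiling concern raised above should check its hosts are actually using temporary identifiers rather than assuming so.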