Re: IPv6 fc00::/7 — Unique local addresses

Ray Soucy rps at maine.edu
Thu Oct 21 13:19:14 CDT 2010


One thing to keep in mind is that your IPv6 router and IP router can
be completely different devices.  There is no need to forklift your
firewall or current setup if you can easily add an IPv6 router to the
network.

Using multiple ISPs is still something that is a bit tricky.  A lot of
people have gotten used to the Dual-WAN Firewall appliance boxes that
accept connections from two ISPs and handle the failover, depending on
NAT to maintain the functionality of the Internal network.

Larger organizations can arrange to have IPv6 transit and announce a
single prefix over BGP.  Most providers won't want to see this setup
for an SMB so they're out of luck.

One thing that has changed, though, is Metro Ethernet offerings have
gotten a lot better.  I would say the most painless way to go would be
to use one ISP for L3, and two ME providers to give diverse L2 paths
to that L3 ISP.  It means dealing with more companies, and moving
failover to L2, but it's pretty rare that the cause of a connection
problem is at the ISP these days (it's more often a bad connection
between you and the ISP), so just having redundancy at L2 might be
enough.

Sadly, that model doesn't really exist in the US right now, and it
might take quite a bit of work convincing providers to coordinate to
make it all work.

The other option, which was the intent of IPv6 when being designed
(but that was 10 years ago or so) was that every PC would have a
separate address from each ISP.  In this situation you could depend on
ULA (local addressing) for access to all internal services so that if
one of the global prefixes goes away it doesn't impact internal
operation, but it does require a device to kind of coordinate that;
such a device doesn't exist yet, and there are some issues with
getting PCs to handle address selection correctly.  I suspect if this
does happen (and it could, it's not a horrible model) it will take a
few more years before it's "easy".  It's too bad they axed the site
local scope for this kind of environment.

For now, I would recommend just going with a single IPv6 provider
since I have yet to encounter IPv6-only content that is mission
critical.  That will at least give you access to the IPv6 internet
now, but give the IPv6 market time to come around to meet the needs of
SMB and wanting redundancy in IPv6 access.

I'm not aware of any appliance that does a good job at IPv6, yet...

If it were me I would build up a Linux box as an IPv6 firewall, router,
etc.  It's really too bad that there isn't such an appliance yet.  You
could just use a Cisco ISR (like an 1841) as your IPv6 on a stick
router, but the problem is that you really want to keep in mind that
once you give out global addresses to hosts they're not behind your
NAT firewall for IPv6.  So you'll want to implement some sort of
stateful firewall for IPv6, or enable host-based IPv6 firewalls.

We've decided to disable SLAAC (State-Less Address Auto-Configuration)
on almost all our IPv6 networks and use DHCPv6 exclusively.  This
allows us to only respond with DHCPv6 to the hosts we want to get an
IPv6 address instead of enabling it network-wide and crossing your
fingers.  The disadvantage here is that DHCPv6 client support is still
limited (OS X has none for example).  The argument is that IPv6 isn't
mission critical yet, so we're waiting to see if vendors will come
around and include DHCPv6 client support in the future.

Another thing you want to do is block rogue RA.  RA-Guard is the
feature name, but nobody has a working implementation yet.  If you
have switches that can do port-based access-lists with IPv6 you can
create ingress filters to block out incoming RA on a per-port basis
which is what we have done.

It works rather well.

On Thu, Oct 21, 2010 at 12:29 PM, Allen Smith <lazlor at lotaris.org> wrote:
> Hi All,
>
> I've inherited a small network with a couple of Internet connections through
> different providers, I'll call them Slow and Fast.
>
> We use RFC 1918 space internally and have a pair of external firewalls that
> handle NAT and such.
>
> Due to internal policy (read money), some users default to the Slow
> connection and some default to Fast. Using probes and policy routing, a
> failure of one of the ISPs is generally transparent (outside of the usual
> session resets for things like ssh or remote control sessions).
>
> Looking forward to the next 12 months, we may have clients that are living
> in IPv6 space. Our ISPs are happy to give us IPv6 allocations and our
> network gear vendors either have GA IPv6 code now or will soon.
>
> We have been somewhat spoiled by our firewall/NAT boxes, the stuff just
> works for our needs and the combination of NAT and policy routing keeps
> people on the circuits they are paying for. Am trying to decide how I would
> implement this kind of policy in the new world of globally
> trackable^H^H^H^H^H^H^H routable IPs for my desktops. Solutions seem to be:
>
> 1) Purchase some BGP capable routers, grab PI space. Here I can obv choose
> outbound path, but we are typical in that our inbound to outbound is 6 or 7
> to 1.
>
> 2) Assign PA space from the ISPs to the appropriate devices. What do I do
> when I lose a provider?
>
> 3) Make loud noises to my firewall vendor to include equivalent NAT/ISP
> failover functionality (even 6to6 NAT would be fine).
>
> Anyway, another sample of 1, but I do work for a managed services provider
> and see many small orgs facing similarly choices. I personally am happy to
> use globally routable addresses and will work through the privacy and
> perceived security implications of NAT/nonat, I just want the same ease of
> use and flexibility I have today in a SMB environment.
>
> Cheers,
> -Allen
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
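The post above relies on two controls that are easy to state and awkward to verify by hand: hosts must only act on Router Advertisements from the router you run, and those RAs must say "use DHCPv6" (M flag set) with SLAAC turned off (no Prefix Information option carrying the A flag). The following is an added example, not code from Ray's message, from NANOG, or from any vendor: a small Python parser for IPv6/ICMPv6 RA packets and a policy check that flags a rogue or misconfigured RA the way a port-ACL or RA-Guard deployment is meant to. The router address `fe80::1`, the prefix `2001:db8:1::/64` and the test packets are constructed values; the ICMPv6 checksum is neither computed nor verified, and input is assumed to be a raw IPv6 packet (no Ethernet header).

```python
import ipaddress
import struct

# Wire constants from RFC 2460 (IPv6 header) and RFC 4861 (Neighbor Discovery)
ICMPV6 = 58                  # IPv6 next-header value for ICMPv6
RA_TYPE = 134                # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3          # Prefix Information option (PIO)
RA_FLAG_MANAGED = 0x80       # RA "M" flag: obtain addresses via DHCPv6
PIO_FLAG_ONLINK = 0x80       # PIO "L" flag: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40   # PIO "A" flag: prefix may be used for SLAAC

# Site policy (constructed, hypothetical values): one expected router, one
# expected prefix, DHCPv6-only addressing with SLAAC disabled.
POLICY = {
    "routers": {ipaddress.IPv6Address("fe80::1")},
    "prefixes": {ipaddress.IPv6Network("2001:db8:1::/64")},
    "require_managed": True,     # every RA must set the M flag
    "allow_autonomous": False,   # no prefix may carry the A flag
}


def build_ra(src, prefix="2001:db8:1::", prefix_len=64, managed=True,
             autonomous=False, hop_limit=255):
    """Build a minimal IPv6 + ICMPv6 RA packet as constructed test input.
    The ICMPv6 checksum field is left as zero; check_ra() does not verify it."""
    ra_flags = RA_FLAG_MANAGED if managed else 0
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, ra_flags, 1800, 0, 0)
    pio_flags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    # PIO: type, length (in 8-byte units), prefix length, flags, valid, preferred, reserved
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, pio_flags,
                        2592000, 604800, 0)
    icmp += ipaddress.IPv6Address(prefix).packed
    # IPv6 header: version 6, payload length, next header, hop limit, src, dst (all-nodes)
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + icmp


def parse_ra(packet):
    """Return the RA fields the policy needs, or None if the packet is not an RA."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_flow, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if ver_tc_flow >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:40 + payload_len]
    if next_header != ICMPV6 or len(icmp) < 16 or icmp[0] != RA_TYPE:
        return None
    managed = bool(icmp[5] & RA_FLAG_MANAGED)
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes = []
    offset = 16                                   # options start after the fixed RA body
    while offset + 2 <= len(icmp):
        opt_type, opt_len = icmp[offset], icmp[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard the packet
        body = icmp[offset:offset + opt_len * 8]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4 and len(body) == 32:
            plen, pio_flags = body[2], body[3]
            net = ipaddress.IPv6Network(
                f"{ipaddress.IPv6Address(body[16:32])}/{plen}", strict=False)
            prefixes.append((net, bool(pio_flags & PIO_FLAG_AUTONOMOUS)))
        offset += opt_len * 8
    return {"src": src, "hop_limit": hop_limit, "managed": managed,
            "router_lifetime": router_lifetime, "prefixes": prefixes}


def check_ra(packet, policy=POLICY):
    """Return a list of policy violations; an empty list means the RA is acceptable."""
    ra = parse_ra(packet)
    if ra is None:
        return []
    findings = []
    if ra["hop_limit"] != 255:
        findings.append("hop limit is not 255: RA was forwarded rather than sent on-link")
    if not ra["src"].is_link_local:
        findings.append(f"source {ra['src']} is not link-local")
    if ra["src"] not in policy["routers"]:
        findings.append(f"RA from unexpected router {ra['src']}")
    if policy["require_managed"] and not ra["managed"]:
        findings.append("M flag clear: hosts would not request addresses via DHCPv6")
    for net, autonomous in ra["prefixes"]:
        if net not in policy["prefixes"]:
            findings.append(f"unexpected prefix {net}")
        if autonomous and not policy["allow_autonomous"]:
            findings.append(f"A flag set on {net}: hosts would self-configure via SLAAC")
    return findings


if __name__ == "__main__":
    good = build_ra("fe80::1")
    rogue = build_ra("fe80::beef", prefix="2001:db8:bad::", managed=False, autonomous=True)
    for name, pkt in (("expected router", good), ("rogue RA", rogue)):
        print(name, check_ra(pkt) or ["ok"])
```

Fed with packets from a capture of the all-nodes multicast group on a segment, `check_ra()` gives the same answer a correctly configured per-port ingress ACL would enforce: anything that is not the known router, or that would re-enable SLAAC by setting the A flag, shows up as a finding. The hop-limit check mirrors the RFC 4861 rule that a host must discard an RA whose hop limit is not 255, which is what makes off-link RA injection through a router impossible in the first place.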




More information about the NANOG mailing list