IPv6 Subscriber Access Deployments

Josh Moore jmoore at atcnetworks.net
Tue Sep 8 20:03:57 UTC 2015


That makes sense now understanding how CPE equipment has evolved into segmenting layer 2 services like that. /48 it is.

Most GPON networks are composed of large layer 2 rings. No way to break that up without adding additional equipment and that can get costly. With IPv4 we got around the need to configure discrete VLANs/subnets by putting all customers in the same VLAN and turning on the DHCP snooping/source-guard features. My remaining question is why isn't this desired with IPv6? What security concerns are there with turning up SLAAC / DHCPv6 within the same /64 for everyone that are different from IPv4?




Joshua Moore
Network Engineer
ATC Broadband
912.632.3161 - O | 912.218.3720 - M



-----Original Message-----
From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu] 
Sent: Tuesday, September 08, 2015 3:55 PM
To: Josh Moore
Cc: Owen DeLong; nanog at nanog.org
Subject: Re: IPv6 Subscriber Access Deployments

On Tue, 08 Sep 2015 19:40:44 -0000, Josh Moore said:

> The question becomes manageability. Unique VLAN per customer is not 
> always scalable. For example, only ~4000 VLAN tags. What happens when 
> you have more than that many customers?

If you're hanging 4K customers off the same switch, you probably have bigger issues than running out of VLAN tags...

> We are talking very, very, small customers here. SOHO to say the most.
> /64 should be more than sufficient for their CPE router.

A Linksys WNDR3800 running CeroWRT (and probably OpenWRT by now) will prefer to create multiple /64's - one for the 4 wired ports, one for private access on the 2.4G radio, one for guest access on the 2.4, and another private/guest pair on the 5G radio. So there is CPE gear out there now that can blow through 5 /64s by default, and more if you enable VLANs.

A /56 allocated via DHCPv6-PD would be a *minimum*.  And prefixes are cheap, so you may as well hand them a /48, just in case they have a second WNDR3800 at the other end of the building for coverage - because that one will then ask the upstream one for a -PD allocation.  So if you give the CPE a /48, it can keep a /56 for itself, and hand the downstream a /56, and they can each allocate /64s as needed.

And remember - prefixes are cheap and plentiful, so don't bother with /52 or /60, just split on 8-bit boundaries to make life easier for yourself...
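
The delegation arithmetic from the quoted reply, as an added example that is not part of the original thread: a customer prefix is split on 8-bit boundaries between routers, and each router takes one /64 per segment. It also shows the cases where the prefix is too small (a lone /64, or a /56 shared by two routers). The function names, router names and the 2001:db8::/32 documentation prefixes are assumptions made for illustration.

```python
import ipaddress

# Segments the reply lists for one router; each gets its own /64.
SEGMENTS = ["wired", "2.4G-private", "2.4G-guest", "5G-private", "5G-guest"]

def carve(parent, new_len, count):
    """Return the first `count` /new_len prefixes inside `parent`."""
    if new_len < parent.prefixlen:
        raise ValueError(f"{parent} is too small to hold a /{new_len}")
    available = 2 ** (new_len - parent.prefixlen)
    if count > available:
        raise ValueError(f"{parent} holds {available} x /{new_len}, need {count}")
    subnets = parent.subnets(new_prefix=new_len)
    return [next(subnets) for _ in range(count)]

def plan_site(delegated, routers):
    """Map router -> segment -> /64 for a prefix received via DHCPv6-PD.

    A single router uses the delegation directly. With several routers the
    first keeps one block and hands one block to each downstream router,
    splitting 8 bits at a time as the reply suggests.
    """
    site = ipaddress.ip_network(delegated)
    if len(routers) == 1:
        blocks = [site]
    else:
        blocks = carve(site, site.prefixlen + 8, len(routers))
    plan = {}
    for router, block in zip(routers, blocks):
        lans = carve(block, 64, len(SEGMENTS))
        plan[router] = dict(zip(SEGMENTS, lans))
    return plan

if __name__ == "__main__":
    # Constructed inputs: documentation prefixes and made-up router names.
    cases = [("2001:db8:abcd::/48", ["cpe", "downstream"]),
             ("2001:db8:abcd:ff00::/56", ["cpe"]),
             ("2001:db8:abcd:ff00::/56", ["cpe", "downstream"]),
             ("2001:db8:abcd:1::/64", ["cpe"])]
    for prefix, routers in cases:
        try:
            for router, lans in plan_site(prefix, routers).items():
                print(prefix, router, [str(n) for n in lans.values()])
        except ValueError as err:
            print(prefix, routers, "->", err)
```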



