IPv6 Subscriber Access Deployments

Owen DeLong owen at delong.com
Wed Sep 9 17:23:17 UTC 2015


The ACLs/Security policy can actually be fairly generic or automated, so I don’t see that as an issue.

The DHCP forwarder configuration is usually global, so the helper address statement demonstrates your lack of IPv6 understanding.

The /64 is pretty much nothing, but yeah, so what?

Owen

> On Sep 9, 2015, at 10:16 , Josh Moore <jmoore at atcnetworks.net> wrote:
> 
> It's not just the tag though... You have the /64 that has to be provisioned, the helper addresses for DHCP, ACLs/security policy, etc.
> 
> 
> 
> 
> Thanks,
> 
> Joshua Moore
> Network Engineer
> ATC Broadband
> 912.632.3161
> 
>> On Sep 9, 2015, at 1:14 PM, Owen DeLong <owen at delong.com> wrote:
>> 
>> VLAN tags aren’t global and 4096 is only a limitation on ethernet.
>> 
>> VPI/VCI is many more.
>> 
>> Yes, if you need more than 4096 customers on a single switch, you’ve got an issue, but there are many potential issues in that scenario beyond VLAN tagging (like customers choosing not to use routers and filling up your MAC tables).
>> 
>> Owen
>> 
>>> On Sep 8, 2015, at 12:40 , Josh Moore <jmoore at atcnetworks.net> wrote:
>>> 
>>> The question becomes manageability. Unique VLAN per customer is not always scalable. For example, only ~4000 VLAN tags. What happens when you have more than that many customers? Also, provisioning. Who is going to provision thousands of unique prefixes and VLANs, trunk them through relevant equipment and ensure they are secured as well?
>>> 
>>> We are talking very, very, small customers here. SOHO to say the most. /64 should be more than sufficient for their CPE router.
>>> 
>>> 
>>> 
>>> 
>>> Joshua Moore
>>> Network Engineer
>>> ATC Broadband
>>> 912.632.3161 - O | 912.218.3720 - M
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: Owen DeLong [mailto:owen at delong.com] 
>>> Sent: Tuesday, September 08, 2015 3:31 PM
>>> To: Josh Moore
>>> Cc: Valdis.Kletnieks at vt.edu; nanog at nanog.org
>>> Subject: Re: IPv6 Subscriber Access Deployments
>>> 
>>> Short answer to that is “DHCPv6-PD”
>>> 
>>> Longer answer:
>>> 
>>> Customer’s router should get an address on the external interface through one of SLAAC, DHCP-PD, Static Assignment, depending on how the ISP prefers to do this.
>>> 
>>> If the ISP's equipment supports IPv6 on shared VLANs with DHCP snooping and other security, you can implement it with a single /64 giving each router a unique address within that segment, but it’s not really ideal. This was mainly done in IPv4 to conserve addresses. Separate point to point VLANs are a cleaner solution and since there are enough addresses in IPv6 to do this, that is how most providers implement. I prefer using /64s (or at least assigning /64s) to these VLANs, but there are those who argue for /127, some equipment is broken and requires a /126, and yet others argue for other nonsensical prefixes.
>>> 
>>> Once the router has an external address communicating point to point with the ISP router, it should then send a DHCPv6-PD request asking for a prefix that it can manage. The ISP's DHCP server should then send back a /48 (or if you want to be silly, a /56 or a /60, and if you want to be insane, a /64).
>>> 
>>> The reality is that if you send a smaller prefix back, you risk having difficulty with your future ARIN applications as your Provider Allocation Unit is based on the smallest prefix you delegate to end-users. So if you, for example, assign /48 to business customers and /60 to residential customers, you’re going to have to justify why each of your business customers needed 4096 /60s when you claim that you need more IPv6 space.
>>> 
>>> OTOH, if you simply issue /48s to everyone, you can just go back and say “Each end site got a /48 and there are N end-sites” and you’re good, no questions asked about the size of any of those end-sites.
>>> 
>>> Owen
>>> 
>>>> On Sep 8, 2015, at 12:12 , Josh Moore <jmoore at atcnetworks.net> wrote:
>>>> 
>>>> We are talking a purely bridged environment. However, I have been wondering how in the world end-to-end IPv6 connectivity is supposed to work if a customer hooks up their own router. That is one of the points of IPv6...
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Joshua Moore
>>>> Network Engineer
>>>> ATC Broadband
>>>> 912.632.3161 - O | 912.218.3720 - M
>>>> 
>>>> 
>>>> -----Original Message-----
>>>> From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu] 
>>>> Sent: Tuesday, September 08, 2015 3:08 PM
>>>> To: Josh Moore
>>>> Cc: nanog at nanog.org
>>>> Subject: Re: IPv6 Subscriber Access Deployments
>>>> 
>>>> On Tue, 08 Sep 2015 19:04:06 -0000, Josh Moore said:
>>>>> I'm reading that the recommended method for assigning IPv6 addresses to end-users is to do this via a dedicated VLAN and /64.
>>>> 
>>>> Important question - are you talking about the IPv6 address supplied to the CPE router itself, or a /48 or /56 delegated to the CPE router to allocate to subnets and devices behind it?
>>> 
>> 
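The provisioning model Owen describes (a point-to-point /64 per customer VLAN, a /48 handed back over DHCPv6-PD, generic per-customer security policy, and the ARIN accounting consequence of delegating smaller prefixes) is worked through below in Python. This is an added example, not code from the thread or from any of the posters; the documentation prefix 2001:db8::/32, the split of that /32 into a delegation pool and a link-prefix pool, the VLAN numbering, and the vendor-neutral ACL syntax are all constructed assumptions for illustration.

```python
"""Worked IPv6 subscriber-access prefix plan (added example, assumptions labelled)."""
import ipaddress

# Constructed for the example: the ISP holds the documentation /32.
ISP_ALLOCATION = ipaddress.IPv6Network("2001:db8::/32")
# Assumed layout: the lower half of the /32 supplies one /48 per subscriber
# for DHCPv6-PD; one /48 from the upper half is carved into /64 point-to-point
# link prefixes, one per subscriber VLAN (65536 of them).
DELEGATION_POOL = ipaddress.IPv6Network("2001:db8::/33")
LINK_POOL = ipaddress.IPv6Network("2001:db8:8000::/48")
FIRST_CUSTOMER_VLAN = 100  # assumed numbering, not from the thread


def nth_subnet(pool, new_prefix, n):
    """Return the n-th /new_prefix subnet of pool by arithmetic (no generator walk)."""
    count = 2 ** (new_prefix - pool.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"pool {pool} holds only {count} /{new_prefix}s")
    host_bits = 128 - new_prefix
    base = int(pool.network_address) + (n << host_bits)
    return ipaddress.IPv6Network((base, new_prefix))


def plan_customer(n, delegated_len=48):
    """Build the per-customer record: VLAN, /64 link, router addresses, PD prefix.

    The ISP side takes ::1 and the CPE side ::2 on the link /64 (in practice the
    CPE side would come from SLAAC or static assignment, as the thread notes)."""
    link = nth_subnet(LINK_POOL, 64, n)
    delegated = nth_subnet(DELEGATION_POOL, delegated_len, n)
    if link.overlaps(delegated):  # sanity check: the two pools must be disjoint
        raise ValueError("link prefix overlaps delegated prefix")
    return {
        "vlan": FIRST_CUSTOMER_VLAN + n,
        "link": link,
        "isp_addr": link[1],
        "cpe_addr": link[2],
        "delegated": delegated,
    }


def ingress_filter(plan):
    """Generic anti-spoofing policy for the customer-facing VLAN: only sources
    inside this customer's link /64 or delegated prefix may enter.
    Vendor-neutral pseudo-syntax (assumed), not any particular router CLI."""
    return [
        f"permit ipv6 {plan['link']} any",
        f"permit ipv6 {plan['delegated']} any",
        "deny ipv6 any any",
    ]


def justification_units(assignments):
    """Count each end-site in Provider-Allocation-Unit-sized blocks.

    The PAU is the smallest prefix delegated to any end-user (the longest
    prefix length). A /48 site counted against a /60 PAU is 2**(60-48) = 4096
    units, which is the accounting burden the thread warns about."""
    pau = max(assignments.values())
    return pau, {site: 2 ** (pau - plen) for site, plen in assignments.items()}


if __name__ == "__main__":
    plan = plan_customer(42)
    for key, value in plan.items():
        print(f"{key:>10}: {value}")
    print("\n".join(ingress_filter(plan)))
    print(justification_units({"business": 48, "residential": 60}))
    print(justification_units({"business": 48, "residential": 48}))
```

Running the mixed /48 + /60 case shows the business site scored as 4096 units while the residential site scores 1; with /48s for everyone both score 1 and the per-site size question disappears, which is the point of the "N end-sites, each a /48" justification.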