New Office, New Network. Questions.

Nikolai Petrov prnpetrov at yandex.com
Tue Jul 12 12:30:11 UTC 2016


Here are my replies to this e-mail. Sorry for the late reply!

> On Sun, 10 Jul 2016 21:53:52 +0300, Nikolai Petrov said:
> 
>> 1. Currently we do not have IPv6 in our network but I have seen the ISP is
>> giving us a "/56 Block" which from what I understand is a couple hundred "/64
>> Subnets". I think you can only have /64 subnets in IPv6. In our IPv4 setup we
> 
> You can have other sized subnets, but 64 is very handy if you intend to use
> SLAAC auto-configure. There's also the danger of running into broken equipment
> that doesn't understand other sized subnets (similar to very old IPv4 gear that
> understood a /24, but exploded if told about a /23 or /25).

I really like SLAAC and its design and I would very much like to use it. Therefore we will be using /64 IP ranges.
Is there any way to limit the number of devices in a subnet to avoid problems and attacks? I don't think the equipment will work with 2^64 devices in a single subnet.

> 
>> have 32 addresses, four of which I will use for NAT and the remaining needed
>> for online services and servers. In IPv6 we have a lot of addresses but I am
>> not sure whether I should give an address of the ISP to every device. I found
> 
> Assign a /64 to everyplace that you would assign a subnet in IPv4. Give each
> device on that subnet its own address. Use DHCPv6 or SLAAC or both, whatever
> gets the job done in your situation. Don't worry about NAT anymore, you have
> enough addresses.
> 
>> that there is an organization that can help avoid collisions in private IPs:
>> https://www.sixxs.net/tools/grh/ula/ . From what I can tell it is just a
>> registry, but I am thinking of registering the ranges there and then use these
>> subnets and NAT them to the IPv6 address of the router.
> 
> Don't do that. NAT was invented to fix a problem that IPv6 doesn't have. Feel
> free to give every single device a global address. (You'll still want a
> stateful firewall someplace, but it doesn't have to do NAT, it just has to keep
> track of legitimate versus malicious traffic).

So why are these addresses there? For installations not connected to the Internet?

> 
> And don't freak out if a device has more than one address. As I'm writing this
> from the sofa in my living room, my laptop wireless has:
> 
> ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 192.168.1.150 netmask 255.255.255.224 broadcast 192.168.1.159
> inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x0<global>
> inet6 2601:5c0:c100:6431:c01:a589:19a4:236e prefixlen 64 scopeid 0x0<global>
> inet6 2601:5c0:c100:6431::d67 prefixlen 128 scopeid 0x0<global>
> inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf prefixlen 64 scopeid 0x0<global>
> inet6 fe80::cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x20<link>
> inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9 prefixlen 64 scopeid 0x0<global>
> ether c8:d7:19:37:0c:02 txqueuelen 1000 (Ethernet)
> 
> (One DHCPv6 - ::d67. One SLAAC - the one with ff:fe in it. And 4 different
> RFC3041 privacy addresses that it's chunked out over the weekend. It works
> just fine that way - and it's *designed* to do so. (Of course, in a corporate
> environment, you may want to turn the privacy addresses off, and only use
> one of DHCPv6/SLAAC - I do it this way because it tests for broken software...)

Thanks for letting me know ahead of time. I have read up on the privacy addresses and we don't need them, as you say. Is there a reason you use both DHCPv6 and SLAAC? Is it for compatibility? Can I use DHCPv4 to give out DNSv6 addresses?

> 
> Oh, and don't block ICMPv6. :)

I was never a fan of blocking ICMP, except redirects in some cases.

> 
>> something strange. The WAN port of our router gets a /64 IPv6 address which is
>> not in our IPv6. Should I use this for NAT or one of "our" addresses?
> 
> You use it for the IP address of the provider-facing interface of your router.
> Assign the "inside" interface(s) addresses on the appropriate /64 subnet that
> they will be on.

Oh, so this is like BGP. In my previous company we had BGP connections, and we used an IPv4 /30 for these connections, which was not within our IP range. I thought they would give us a /126 and not a full /64, so I did not think that was it.

Thanks!
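As an added example (not part of this thread or anyone's reply), here is a small Python audit script that classifies the addresses in an ifconfig dump like the one quoted above: link-local, SLAAC EUI-64 (the ff:fe form derived from the MAC), DHCPv6, and RFC 4941 privacy addresses, which are the ones a corporate network may want to turn off. It also does the /56-to-/64 arithmetic and checks whether an address (for instance the router's WAN address) sits inside the delegated block. The "dhcpv6" label relies on the leased address showing up as a /128 in that particular output, which is an assumption, and the 2001:db8 prefixes are constructed documentation values.

```python
import ipaddress
import re

# Constructed sample input: the interface dump quoted in the thread, as plain text.
IFCONFIG_OUTPUT = """\
ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.150 netmask 255.255.255.224 broadcast 192.168.1.159
inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x0<global>
inet6 2601:5c0:c100:6431:c01:a589:19a4:236e prefixlen 64 scopeid 0x0<global>
inet6 2601:5c0:c100:6431::d67 prefixlen 128 scopeid 0x0<global>
inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf prefixlen 64 scopeid 0x0<global>
inet6 fe80::cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x20<link>
inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9 prefixlen 64 scopeid 0x0<global>
ether c8:d7:19:37:0c:02 txqueuelen 1000 (Ethernet)
"""

def eui64_iid(mac):
    """Modified EUI-64 interface identifier: flip the U/L bit, insert ff:fe in the middle."""
    b = bytes.fromhex(mac.replace(":", ""))
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6], "big")

def classify(addr, prefixlen, mac):
    """Label one inet6 line; privacy addresses are the ones an admin may want disabled."""
    a = ipaddress.IPv6Address(addr)
    iid = int(a) & ((1 << 64) - 1)          # low 64 bits = interface identifier
    if a.is_link_local:
        return "link-local"
    if iid == eui64_iid(mac):
        return "slaac-eui64"                 # stable, derived from the MAC (ff:fe inside)
    if prefixlen == 128:
        return "dhcpv6"                      # assumption: the lease shows as a /128 host route
    return "privacy-rfc4941"                 # random IID that rotates (RFC 3041 in the thread)

def audit(text):
    """Return [(address, label)] for every inet6 line in an ifconfig dump."""
    mac = re.search(r"ether ([0-9a-f:]{17})", text).group(1)
    return [(m.group(1), classify(m.group(1), int(m.group(2)), mac))
            for m in re.finditer(r"inet6 (\S+) prefixlen (\d+)", text)]

def subnets_in_block(block, new_prefix=64):
    """How many /64s a delegated block holds; a /56 gives 256."""
    return 2 ** (new_prefix - ipaddress.IPv6Network(block).prefixlen)

def in_block(addr, block):
    """True if addr lies inside the delegated block (a router's WAN /64 usually does not)."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(block)
```

Running audit(IFCONFIG_OUTPUT) over the quoted dump yields one link-local, one EUI-64 SLAAC, one DHCPv6 and three privacy addresses.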



More information about the NANOG mailing list