v6 subnet size for DSL & leased line customers

Joe Greco jgreco at ns.sol.net
Fri Dec 21 17:39:04 UTC 2007


> > The primary reasons I see for separate networks on v6 would include
> > firewall policy (DMZ, separate departmental networks, etc)...
>
> This is certainly one reason for such things.

Really, in most "small business" networks I've seen, it's by far the main
one if we want to be honest about it.  The use of multiple networks to
increase performance, for example, is something you can design around
differently, and modern hardware supports things like LAG without having
to get into the realm of unimaginably expensive hardware.  Even if you do
end up putting a quad port ethernet into a server with v6, the sizes of
the allocations we're discussing would allow you 64 completely separate
"workgroups" with their own server at the /56 allocation size (64 * 4 = 
256).

> > And I'm having some trouble envisioning a residential end user that
> > honestly has a need for 256 networks with sufficiently differently
> > policies.  Or that a firewall device can't reasonably deal with those
> > policies even on a single network, since you mainly need to protect
> > devices from external access.
>
> Perhaps this is a lack of imagination.
> 
> Imagine that your ethernet->bluetooth gateway wants to treat the
> bluetooth and ethernet segments as separate routed segments.

That /is/ a lack of imagination.  ;-)  Or, at least, reaching pretty far.
The history of these sorts of devices has been, to date, one of trying to
keep network configuration simple enough that an average user can use
them.  That implies a default mode of bridging will be available.

> Now, imagine that some of your bluetooth connected devices have reasons
> to have some topology behind them... For example, you have a master
> appliance control center which connects via Bluetooth to your network,
> but, uses a different household control bus network to talk to various
> appliances.  For security reasons, you've decided not to have your
> kitchen appliances be able to talk to your media devices (Who wants
> a virus in some downloaded movie to be able to change the temperature
> in your refrigerator?).

Yes, and?  You're saying there are no access controls at the gateway
level?  I'm not entirely sure that I care for the idea of making people
route things at the IP level just so they can protect their fridge from
their DVD.

> > I keep coming to the conclusion that an end-user can be made to work
> > on a /64, even though a /56 is probably a better choice.  I can't find
> > the rationale from the end-user's side to allocate a /48.  I can maybe
> > see it if you want to justify it from the provider's side, the cost of
> > dealing with multiple prefix sizes.
>
> I can easily envision the need for more than a /64 in the average home
> within short order. 

You should probably correct that from "need" to "want."  There is nothing
preventing the deployment of all of the below on a single /64, it would
simply mean that there would be a market for smart firewalling switches
that could isolate devices by address or range, rather than having smart
firewalling routers that could isolate devices by subnet.

> If nothing else, the average home will probably
> want to be able to accommodate:
> 	Guest network
> 	Home wired network
> 	Wireless network(s)
> 	Bluetooth segment(s)
> 	Media network
> 	Appliance Control network
> 	Lighting Control network
> 	etc.
> 
> However, I agree that in any vision I can come up with today, the need
> for more than 256 is beyond my current imagination.

Again, I think this comes down to a matter of how configuration is going
to be handled.  I suspect that we're not going to see a substantial
increase in sophistication on the part of end users.  I /believe/ that
this will likely mean that device manufacturers will be building devices
that don't rely on routing for IPv6, since if I go on down to my employer's
network and plug in a bluetooth gateway, there's really no guarantee that
I'm going to be able to get my employer's network to magically route a
network at my gateway, but it's pretty obvious that my device can play the
role of a bridge.

If we have significant customer-side routing of IPv6, then there's going
to need to be some way to manage that.  I guess that's RIPv6/ng.  :-)

More likely-seeming to me, would be that a provider might be willing to
provide a CPE device that had 4, 8, or even 16 jacks on it - a mini-router
with a separate /64 on each port, less "magic" to be figured out by the end
user.

This leaves the question of how much you want to trust your ISP's CPE for
firewalling policy ...  among other things.

> I think it makes sense to assign as follows:
>
> /64 for the average current home user.
> /56 for any home user that wants more than one subnet
> /48 for any home user that can show need.

I'd say skip the /64 and /48.  Don't do the /64, as future-proofing.  A
/48 is just something I cannot see need for, given the number of addresses
available as a /56, unless the "home user" is actually providing
connectivity to a bunch of his nearby friends and neighbors.

Having fewer options is going to be easier for the ISP, I suspect.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
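The prefix arithmetic argued over in this thread (256 /64s in a /56, 64 quad-port "workgroups", one /64 per home segment, a single customer size across an ISP aggregate) worked through with Python's `ipaddress` module. This is an added example, not code from the original post; the 2001:db8::/32 documentation-range prefixes are constructed sample values.

```python
import ipaddress

# Constructed sample prefixes from the 2001:db8::/32 documentation range;
# they stand in for an ISP aggregate and the three customer sizes debated.
ISP_AGGREGATE = ipaddress.IPv6Network("2001:db8::/32")
CUSTOMER_48 = ipaddress.IPv6Network("2001:db8:1::/48")
CUSTOMER_56 = ipaddress.IPv6Network("2001:db8:1:100::/56")
CUSTOMER_64 = ipaddress.IPv6Network("2001:db8:1:200::/64")

# The home segments listed in the thread, one /64 each.
HOME_SEGMENTS = [
    "Guest", "Home wired", "Wireless", "Bluetooth",
    "Media", "Appliance control", "Lighting control",
]


def subnet_count(prefix, new_len=64):
    """How many /new_len blocks a delegated prefix holds: 2^(new_len - len)."""
    if new_len < prefix.prefixlen or new_len > 128:
        raise ValueError(f"cannot carve /{new_len} blocks out of {prefix}")
    return 1 << (new_len - prefix.prefixlen)


def plan_home(prefix, segments):
    """Assign one /64 per named segment, in order; fail if the prefix is too small."""
    if subnet_count(prefix) < len(segments):
        raise ValueError(f"{prefix} holds {subnet_count(prefix)} /64s, "
                         f"need {len(segments)}")
    blocks = prefix.subnets(new_prefix=64)  # yields the /64s in address order
    return {name: next(blocks) for name in segments}


def quad_port_workgroups(prefix, ports=4):
    """Isolated workgroups possible when each server takes one /64 per NIC port."""
    return subnet_count(prefix) // ports


if __name__ == "__main__":
    for p in (CUSTOMER_48, CUSTOMER_56, CUSTOMER_64):
        print(f"{p}: {subnet_count(p)} /64s, "
              f"{quad_port_workgroups(p)} quad-port workgroups")
    print(f"{ISP_AGGREGATE}: {subnet_count(ISP_AGGREGATE, 56)} customers at /56")
    for name, net in plan_home(CUSTOMER_56, HOME_SEGMENTS).items():
        print(f"  {name:<18} {net}")
```

Running `plan_home` against the /64 raises, which is the concrete form of the "skip the /64 as future-proofing" point: a /64 customer has no room for a second segment without address-level isolation inside the one subnet.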



More information about the NANOG mailing list