v6 subnet size for DSL & leased line customers

Fri Dec 21 17:53:28 UTC 2007

On Dec 21, 2007, at 9:39 AM, Joe Greco wrote:

>>> The primary reasons I see for separate networks on v6 would include
>>> firewall policy (DMZ, separate departmental networks, etc)...
>>
>> This is certainly one reason for such things.
>
> Really, in most "small business" networks I've seen, it's by far the  
> main
> one if we want to be honest about it.  The use of multiple networks to
> increase performance, for example, is something you can design around
> differently, and modern hardware supports things like LAG without  
> having
> to get into the realm of unimaginably expensive hardware.  Even if  
> you do
> end up putting a quad port ethernet into a server with v6, the sizes  
> of
> the allocations we're discussing would allow you 64 completely  
> separate
> "workgroups" with their own server at the /56 allocation size (64 *  
> 4 =
> 256).
>
Agreed.  In fact, in any network large enough to matter, most modern
hardware forwards L2 and L3 at the same speed, so, there's essentially
no performance barrier.

OTOH, in many business netwoks I've seen, there is reason to segment
things into administrative boundaries, boundaries that result from media
conversion creating routed separation of segments, and, other topology
meets physical limitation issues.  I find these to be at least as common
as the separation between Internal/External/DMZ.

>>> And I'm having some trouble envisioning a residential end user that
>>> honestly has a need for 256 networks with sufficiently differently
>>> policies.  Or that a firewall device can't reasonably deal with  
>>> those
>>> policies even on a single network, since you mainly need to protect
>>> devices from external access.
>>
>> Perhaps this is a lack of imagination.
>>
>> Imagine that your ethernet->bluetooth gateway wants to treat the
>> bluetooth
>> and ethernet segments as separate routed segments.
>
> That /is/ a lack of imagination.  ;-)  Or, at least, reaching pretty  
> far.
> The history of these sorts of devices has been, to date, one of  
> trying to
> keep network configuration simple enough that an average user can use
> them.  That implies a default mode of bridging will be available.
>
You are ignoring the reality of the difference between IPv4 and IPv6.

With DHCP6 prefix delegation, creating a hierarchical routed topology
becomes as simple (from the end user perspective) as the bridged
topology today, and, requires a lot less thinking ability on the device.
Especially when you consider the possibility of many such topologies
evolving in a situation that could create a loop and the fact that most
such existing devices implement bridging without spanning tree.

>> Now, imagine that some of your bluetooth connected devices have  
>> reasons
>> to have some topology behind them... For example, you have a master
>> appliance control center which connects via Bluetooth to your  
>> network,
>> but, uses a different household control bus network to talk to  
>> various
>> appliances.  For security reasons, you've decided not to have your
>> kitchen appliances be able to talk to your media devices (Who wants
>> a virus in some downloaded movie to be able to change the temperature
>> in your refrigerator?).
>
> Yes, and?  You're saying there are no access controls at the gateway
> level?  I'm not entirely sure that I care for the idea of making  
> people
> route things at the IP level just so they can protect their fridge  
> from
> their DVD.
>
I'm saying that bridges tend not to have access controls or at least not
adequate access controls except in a few (l2 firewall oddities like
Netscreen/PIX in Bridge mode) exceptional cases.  The point here
is that in IPv6, you aren't "making people route things", the routing
topology will mostly handle itself automatically, although, people
may wish to intervene to design the security policy or at least have
the ability to modify it from the default.

You are trying to apply strictly IPv4 thinking to IPv6, and, there are
some reasons that a significant paradigm shift is required.

>>> I keep coming to the conclusion that an end-user can be made to work
>>> on
>>> a /64, even though a /56 is probably a better choice.  I can't find
>>> the
>>> rationale from the end-user's side to allocate a /48.  I can maybe  
>>> see
>>> it if you want to justify it from the provider's side, the cost of
>>> dealing
>>> with multiple prefix sizes.
>>
>> I can easily envision the need for more than a /64 in the average  
>> home
>> within short order.
>
> You should probably correct that from "need" to "want."  There is  
> nothing
> preventing the deployment of all of the below on a single /64, it  
> would
> simply mean that there would be a market for smart firewalling  
> switches
> that could isolate devices by address or range, rather than having  
> smart
> firewalling routers that could isolate devices by subnet.
>
We will agree to disagree on this.  Enforcing security policy within
a subnet is ugly at best and unreliable at worst. It makes  
troubleshooting
harder.  It makes security policy design more complex.  It causes many
many more problems than it solves in my opinion.

>> If nothing else, the average home will probably
>> want to be able to accommodate:
>> 	Guest network
>> 	Home wired network
>> 	Wireless network(s)
>> 	Bluetooth segment(s)
>> 	Media network
>> 	Appliance Control netowrk
>> 	Lighting Control network
>> 	etc.
>>
>> However, I agree that in any vision I can come up with today, the  
>> need
>> for more than 256 is beyond my current imagination.
>
> Again, I think this comes down to a matter of how configuration is  
> going
> to be handled.  I suspect that we're not going to see a substantial
> increase in sophistication on the part of end users.  I /believe/ that
> this will likely mean that device manufacturers will be building  
> devices
> that don't rely on routing for IPv6, since if I go on down to my  
> employer's
> network and plug in a bluetooth gateway, there's really no guarantee  
> that
> I'm going to be able to get my employer's network to magically route a
> network at my gateway, but it's pretty obvious that my device can  
> play the
> role of a bridge.
>
Actually, there is some guarantee that, in IPv6, you'll be able to do  
that,
or, you will know that you could not.  You will make a DHCP6 request
for a prefix delegation, and, you will receive it or be told no.

Most likely, that is how most such v6 gateways will function.

I think that bridges are less likely to be the norm in IPv6.

> If we have significant customer-side routing of IPv6, then there's  
> going
> to need to be some way to manage that.  I guess that's RIPv6/ng.  :-)
>
Nope... DHCPv6 prefix delegation and Router discovery.

> More likely-seeming to me, would be that a provider might be willing  
> to
> provide a CPE device that had 4, 8, or even 16 jacks on it - a mini- 
> router
> with a separate /64 on each port, less "magic" to be figured out by  
> the end
> user.
>
Sure.  And likely, the /64s on each port will be assigned via DHCPv6  
from
the upstream segment.

> This leaves the question of how much you want to trust your ISP's  
> CPE for
> firewalling policy ...  among other things.
>
LoL... Trust my ISPs CPE?  Not if they control it.

>> I think it makes sense to assign as follows:
>>
>> /64 for the average current home user.
>> /56 for any home user that wants more than one subnet
>> /48 for any home user that can show need.
>
> I'd say skip the /64 and /48.  Don't do the /64, as future- 
> proofing.  A
> /48 is just something I cannot see need for, given the number of  
> addresses
> available as a /56, unless the "home user" is actually providing
> connectivity to a bunch of his nearby friends and neighbors.
>
I have no objection to skipping the /64, but, I don't think you'll get  
much
traction with that with most of the larger ISPs (think AOL, Comcast,  
etc.)
as I think they will want to charge more for a topology-supporting  
service
than a single subnet if current business models are an example of their
plans for the future.

> Having fewer options is going to be easier for the ISP, I suspect.
>
Nope.  Each ISP can choose to offer whatever subset of these options  
they consider
easiest.  Having fewer options for them to choose from isn't easier  
for them, it's putting
them in a straight-jacket, which, from my experience as an active  
participant in the
ARIN policy process is usually not appreciated by them.

Owen