v6 subnet size for DSL & leased line customers

Joe Greco jgreco at ns.sol.net
Fri Dec 21 21:35:11 UTC 2007


> Agreed.  In fact, in any network large enough to matter, most modern
> hardware forwards L2 and L3 at the same speed, so, there's essentially
> no performance barrier.

Except we're primarily discussing what are almost certain to be small
networks here, so there's probably not even any significant concern
about this.

> OTOH, in many business networks I've seen, there is reason to segment
> things into administrative boundaries, boundaries that result from media
> conversion creating routed separation of segments, and, other topology
> meets physical limitation issues.  I find these to be at least as common
> as the separation between Internal/External/DMZ.

Yes, and just how many of those business networks actually involve more
than a handful of networks with a DSL-class upstream connection?

Let's not get confused here.  I don't ever see large enterprises hanging
off residential broadband Internet connections, and quite frankly, if they
try, I'm not that concerned about how easy it is for them to manage.

> > That /is/ a lack of imagination.  ;-)  Or, at least, reaching pretty far.
> > The history of these sorts of devices has been, to date, one of trying to
> > keep network configuration simple enough that an average user can use
> > them.  That implies a default mode of bridging will be available.
>
> You are ignoring the reality of the difference between IPv4 and IPv6.

No, I'm not.

> With DHCP6 prefix delegation, creating a hierarchical routed topology
> becomes as simple (from the end user perspective) as the bridged
> topology today, and, requires a lot less thinking ability on the device.
> Especially when you consider the possibility of many such topologies
> evolving in a situation that could create a loop and the fact that most
> such existing devices implement bridging without spanning tree.

I look at the practical realities.  Let's look at the big IPv6 picture.
It is unlikely that there will be wide acceptance of the ability to
create ad-hoc routed topologies in many environments; controlled-access
corporate environments certainly represent one such environment.

That implies that the capability to do bridging (or, if you prefer,
switching) will remain as a virtually mandatory option.

Creating a hierarchical routed topology certainly seems and sounds nice,
and in fact, I'm all in favor of it, but I don't actually expect that
it's going to be the default.

> I'm saying that bridges tend not to have access controls or at least not
> adequate access controls except in a few (l2 firewall oddities like
> Netscreen/PIX in Bridge mode) exceptional cases.  The point here
> is that in IPv6, you aren't "making people route things", 

You aren't?

> the routing
> topology will mostly handle itself automatically, although,

Oh, you are, you're just pretending you aren't.  I see.

> people
> may wish to intervene to design the security policy or at least have
> the ability to modify it from the default.

But that's pretty much something that we could and should want
regardless.  Honestly, how hard would it be, today, to build a
little switch-widget that implemented access controls to various
ports?  And if you do that, does it matter if it's happening on a
"router" or on a switch?  (hint: answer is "it does not, really,
though it may blow the minds of traditionalists.")

> You are trying to apply strictly IPv4 thinking to IPv6, and, there are
> some reasons that a significant paradigm shift is required.

No, actually, I'm not really thinking IPv-anything.  I'm thinking more
in terms of network blobs and how they interrelate.

I could just as easily say that you're applying traditionalist network
design paradigms to next-generation networks, when in fact that may not
be the right thing to do.

> We will agree to disagree on this.  Enforcing security policy within
> a subnet is ugly at best and unreliable at worst. It makes troubleshooting
> harder.  It makes security policy design more complex.  It causes many
> many more problems than it solves in my opinion.

Your average home user isn't going to know about any of that.  He's going
to have his Netgear (or pick your $fav vendor) smartthing that either
routes or switches at Layer 2 or Layer 3, depending.  

Ultimately, what /he/ is going to want to do is to see a little interface
come up, that displays a little graphic view of his network, lets him
click on a device, and set security policy.  He'll want to be able to
set "Vista PC" to access "Everything".  He'll want to be able to set
"Home Media Server" to access "Local Only".  He'll want to be able to
set "Vonage VoIP Adapter" to access "Specific Network Only."  He isn't
going to know or care about your "security policy design," he isn't going
to be engaging in any serious "troubleshooting," and he's going to rely
on the logic in the device to determine if the policy is even enforceable
(which /can/ be determined).  He isn't going to be concerned about, or
even want to be concerned about, L2 vs L3 or where the firewalling takes
place.  He's going to expect his device to be smart enough to tell him
what he needs to do, and whether the underlying network is one thing or
another isn't a serious consideration.

You simply have to realize that L2 and L3 aren't as different as you seem
to think.  You can actually consider them flip sides of a coin in many
cases.

> Actually, there is some guarantee that, in IPv6, you'll be able to do that,
> or, you will know that you could not.  You will make a DHCP6 request
> for a prefix delegation, and, you will receive it or be told no.

So, as I said...

> Most likely, that is how most such v6 gateways will function.

/Possibly/.  It would be much more likely to be that way if everyone
was issued large CIDR blocks, every router was willing to delegate a
prefix, and there was no call for bridging.

> I think that bridges are less likely to be the norm in IPv6.

I'm skeptical, but happy to be proven wrong someday.

> > If we have significant customer-side routing of IPv6, then there's going
> > to need to be some way to manage that.  I guess that's RIPv6/ng.  :-)
>
> Nope... DHCPv6 prefix delegation and Router discovery.

We'll see.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
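
The message above says a home gateway can determine whether a per-device policy is even enforceable. The sketch below is an added example, not code from the original post or from any vendor: it checks that for a per-port enforcement point regardless of whether the device bridges or routes. The topology, addresses, port names, the "Game Console" device and the provider network are constructed assumptions; only the three policy labels come from the message.

```python
import ipaddress

SITE = ipaddress.ip_network("2001:db8::/56")  # constructed documentation prefix
# Constructed topology: device -> (gateway port, address). Two devices on one
# port means they share an unmanaged switch the gateway cannot see inside.
DEVICES = {
    "Vista PC":            ("port1", "2001:db8:0:1::10"),
    "Home Media Server":   ("port2", "2001:db8:0:1::20"),
    "Vonage VoIP Adapter": ("port3", "2001:db8:0:1::30"),
    "Game Console":        ("port3", "2001:db8:0:1::31"),
}
# Policy labels come from the message; the VoIP provider network is constructed.
POLICY = {
    "Vista PC":            ("Everything", None),
    "Home Media Server":   ("Local Only", None),
    "Vonage VoIP Adapter": ("Specific Network Only", "2001:db8:ff00::/48"),
    "Game Console":        ("Everything", None),
}

def permitted(src, dst_addr):
    """Policy decision for one flow, independent of L2 vs L3 forwarding."""
    mode, net = POLICY[src]
    dst = ipaddress.ip_address(dst_addr)
    if mode == "Everything":
        return True
    if mode == "Local Only":
        return dst in SITE
    if mode == "Specific Network Only":
        return dst in ipaddress.ip_network(net)
    raise ValueError(f"unknown policy {mode!r}")

def unenforceable(src):
    """Peers the policy denies but that share src's port, so the flow never
    crosses the gateway and the rule cannot be applied there."""
    port, _ = DEVICES[src]
    return sorted(
        peer for peer, (p, addr) in DEVICES.items()
        if peer != src and p == port and not permitted(src, addr)
    )

def report():
    """Map every device to the peers its policy cannot actually block."""
    return {dev: unenforceable(dev) for dev in DEVICES}

if __name__ == "__main__":
    for dev, leaks in report().items():
        print(dev, "OK" if not leaks else f"cannot block traffic to {leaks}")
```

A gateway running this kind of check would flag the VoIP adapter's policy and tell the user to move one of the two devices to its own port.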
