Assigning IPv6 /48's to CPE's?

Joe Greco jgreco at
Mon Dec 31 16:18:08 UTC 2007

> I see there is a long thread on IPv6 address assignment going, and I
> apologize that I did not read all of it, but I still have some unanswered
> questions.

The answers to some of this are buried within it.

> I believe someone posted the ARIN recommendation that carriers assign out
> /64's and /56's, and in a few limited cases, /48.
> I can understand corporations getting more than a /64 for their needs, but
> certainly this does not mean residential ISP subscribers, right?

That answer, along with detailed information, is within that thread.  In an
ideal world, yes, it does mean resi subscribers.  Some of us would like to
see that very much, but are simultaneously expecting that something less
optimal will happen.

> I can understand the need for /64's because the next 64 bits are for the
> client address, but there seems to be this idea that one and only one node
> may use a whole /64. 

Certainly, if the node is the only one on the subnet.

> So in the case of Joe, the residential DSL subscriber
> who has 50,000 PCs, TiVo's, microwaves, and nanobots that all need unique
> routable IP addresses, what is to stop him from assigning them unique client
> ID's (last 64 bits) under the same /64? We can let Joe put in some switches,
> and if that isn't enough he should consider upgrading from his $35/month DSL
> or $10/month dial up anyway.

I don't think it was ever in doubt that people could stick lots of devices
on a single /64.  The question is more one of "under what circumstances
would a site want more than a /64."  

One is when you're crossing boundaries between network protocols (Ethernet
to HomeControlNet or whatever).  Repeat for Bluetooth or any other
alternative technology.

Many would prefer to see firewalling handled at the L3 boundary between
networks, which is an indication for multiple /64's.  While I certainly
agree that this is attractive, and ought to be possible in IPv6, the fact
is that it still represents a disruption of the broadcast domain, and
requires that all firewall-candidate traffic be routed.  This could have
an impact to a site that deems a sudden firewall policy change necessary,
such as "my PC #3 just got infected, stop it from talking to local
network but allow it to download virus updates."  I believe that there
could (and should) be a natural evolution towards deconstructing the
requirements at which layer these sorts of policies are implemented.  I
would very much like to see a layer 2/3 switch that is capable of
implementing a firewall policy /for a port/, and having the onboard
software be sufficiently intelligent that an end-user can deal with his
firewalling switch as an abstract item, without having to understand
the underlying network topology.  This could even be generalized into a
useful "general purpose networking" device, that could provide services
such as VPN's.

However, I am certain that there will be situations in which DHCP PD does
not work, and so I expect that most protocol bridges will in fact be able
to support bridging from an already populated IPv6 /64.

> My next question is that there is this idea that there will be no NAT in the
> IPv6 world. Some companies have old IPv4 only software, some companies have
> branch offices using the same software on different networks, and some like
> the added security NAT provides.

What "added security" would that be, exactly?  Introducing a proper stateful
firewall would give you about the same security, without the penalties of
having to write proxyware for every new protocol that comes along.  There
/are/ some differences; a NAT gateway is less likely to fail to firewall in
a catastrophic manner, for example: if it isn't working, network
connectivity vaporizes.  A stateful firewall might go away and leave you
with your pants down.  However, that doesn't really make NAT a better

{P,N}AT is a technology that was designed to allow more than one computer 
to share {ports, addresses}.  This is fundamentally unnecessary in IPv6
because there are plenty of addresses available, and providers are expected
to hand them out like candy.

I would much prefer to see a different security model evolve, where even
residential class equipment gains the ability to do smart firewalling.
Some of that discussion is in the thread you skipped.

> There are also serious privacy concerns with having a MAC address within an
> IP address. Aside from opening the doors to websites to share information on
> specific users, lack of NAT also means the information they have is more
> detailed in households where separate residents use different computers. I
> can become an IPv4 stranger to websites once a week by deleting cookies,
> IPv6 means they can profile exactly what I do over periods of years from
> work, home, starbucks, it doesn't matter. I don't see NAT going away any
> time soon.

This seems to be an urban myth.  Your current average broadband customer
is leased an IP address that may stay active for years at a time.  To
imagine that most websites care about "a specific PC behind a NAT gateway"
as opposed to "the small set of users behind this IP address" is a minor
distinction at best - they can still track you, and since most households
only have a single computer, it's best to assume they can already deal with
the more difficult realities of multiple users on a single computer.

Given the ready availability of addresses, it may not be that long before
we start seeing the anti-NAT happen; a single PC that utilizes a vaguely
RFC3041-like strategy, but instead of allocating a single address at a
time, it may allocate a /pool/ of them from the local subnet, and use a
different IPv6 address for each outgoing request.  Think of it as
extending the port number field into the lower bits of the address field...
I'm sure someone has a name for this already, but I have no idea what it

Anyways, I suggest you run over and read

as it is useful foundation material to explain IPv6 strategies and how they
differ from IPv4.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
