Assigning IPv6 /48's to CPE's?

Church, Charles cchurc05 at
Mon Dec 31 21:26:51 UTC 2007

So after reading this thread for a while, it's starting to make sense
that all subnets need to be /64.  So it's best to think of IPv6 like
IPX, but with a 64 bit network address.  I'm curious where the 64 bits
reserved for interface comes from though.  Haven't seen the history
behind that discussed really.  Ethernet MACs being 48 bits would seem
like a natural choice, leaving 80 bits for network addressing.  This
waste of space seems vaguely familiar to handing out Class A netblocks
20+ years ago.  "We'll never run out"...  Maybe it's just me though.


-----Original Message-----
From: owner-nanog at [mailto:owner-nanog at] On Behalf Of
Joe Greco
Sent: Monday, December 31, 2007 11:18 AM
To: Rick Astley
Cc: nanog at
Subject: Re: Assigning IPv6 /48's to CPE's?

> I see there is a long thread on IPv6 address assignment going, and I
> apologize that I did not read all of it, but I still have some
> questions.

The answers to some of this are buried within it.

> I believe someone posted the ARIN recommendation that carriers assign
> /64's and /56's, and in a few limited cases, /48.
> I can understand corporations getting more than a /64 for their needs,
> certainly this does not mean residential ISP subscribers, right?

That answer, along with detailed information, is within that thread.  In
ideal world, yes, it does mean resi subscribers.  Some of us would like
see that very much, but are simultaneously expecting that something less
optimal will happen.

> I can understand the need for /64's because the next 64 bits are for
> client address, but there seems to be this idea that one and only one
> may use a whole /64. 

Certainly, if the node is the only one on the subnet.

> So in the case of Joe, the residential DSL subscriber
> who has 50,000 PCs, TiVo's,  microwaves, and nanobots that all need
> routable IP addresses, what is to stop him from assigning them unique
> ID's (last 64 bits) under the same /64? We can let Joe put in some
> and if that isn't enough he should consider upgrading from his $35/month DSL
> or $10/month dial up anyway.

I don't think it was ever in doubt that people could stick lots of
on a single /64.  The question is more one of "under what circumstances
would a site want more than a /64."  

One is when you're crossing boundaries between network protocols
to HomeControlNet or whatever).  Repeat for Bluetooth or any other
alternative technology.

Many would prefer to see firewalling handled at the L3 boundary between
networks, which is an indication for multiple /64's.  While I certainly
agree that this is attractive, and ought to be possible in IPv6, the
is that it still represents a disruption of the broadcast domain, and
requires that all firewall-candidate traffic be routed.  This could have
an impact to a site that deems a sudden firewall policy change
such as "my PC #3 just got infected, stop it from talking to local 
network but allow it to download virus updates."  I believe that there
could (and should) be a natural evolution towards deconstructing the 
requirements at which layer these sorts of policies are implemented.  I 
would very much like to see a layer 2/3 switch that is capable of 
implementing a firewall policy /for a port/, and having the onboard 
software be sufficiently intelligent that an end-user can deal with his 
firewalling switch as an abstract item, without having to understand 
the underlying network topology.  This could even be generalized into a
useful "general purpose networking" device, that could provide services 
such as VPN's.

However, I am certain that there will be situations in which DHCP PD
not work, and so I expect that most protocol bridges will in fact be
to support bridging from an already populated IPv6 /64.

> My next question is that there is this idea that there will be no NAT in the
> IPv6 world. Some companies have old IPv4 only software, some companies
> branch offices using the same software on different networks, and some
> the added security NAT provides.

What "added security" would that be, exactly?  Introducing a proper
firewall would give you about the same security, without the penalties
having to write proxyware for every new protocol that comes along.
/are/ some differences; a NAT gateway is less likely to fail to firewall
a catastrophic manner, for example: if it isn't working, network
connectivity vaporizes.  A stateful firewall might go away and leave you
with your pants down.  However, that doesn't really make NAT a better

{P,N}AT is a technology that was designed to allow more than one
to share {ports, addresses}.  This is fundamentally unnecessary in IPv6
because there are plenty of addresses available, and providers are
to hand them out like candy.

I would much prefer to see a different security model evolve, where even
residential class equipment gains the ability to do smart firewalling.
Some of that discussion is in the thread you skipped.

> There are also serious privacy concerns with having a MAC address within an
> IP address. Aside from opening the doors to websites to share information on
> specific users, lack of NAT also means the information they have is
> detailed in households where separate residents use different computers. I
> can become an IPv4 stranger to websites once a week by deleting
> IPv6 means they can profile exactly what I do over periods of years
> work, home, starbucks, it doesn't matter. I don't see NAT going away
> time soon.

This seems to be an urban myth.  Your current average broadband customer
is leased an IP address that may stay active for years at a time.  To
imagine that most websites care about "a specific PC behind a NAT
as opposed to "the small set of users behind this IP address" is a minor
distinction at best - they can still track you, and since most
only have a single computer, it's best to assume they can already deal
the more difficult realities of multiple users on a single computer.

Given the ready availability of addresses, it may not be that long
we start seeing the anti-NAT happen; a single PC that utilizes a vaguely
RFC3041-like strategy, but instead of allocating a single address at a
time, it may allocate a /pool/ of them from the local subnet, and use a
different IPv6 address for each outgoing request.  Think of it as
extending the port number field into the lower bits of the address
I'm sure someone has a name for this already, but I have no idea what it

Anyways, I suggest you run over and read

as it is useful foundation material to explain IPv6 strategies and how
differ from IPv4.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail
With 24 million small businesses in the US alone, that's way too many
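Joe's reply above touches both sides of the "MAC address inside the IP address" point: the stateless-autoconfiguration identifier that embeds the hardware address (modified EUI-64), which is what makes a host trackable across networks, and the RFC 3041-style strategy of drawing random identifiers from the local /64 instead. The Python below is an added example, not code from either poster, that forms both kinds of address and shows how an operator can check a list of addresses for an embedded MAC. The prefix 2001:db8:1:2::/64 and the MAC 00:1b:21:3c:4d:5e are constructed sample values.

```python
import ipaddress
import secrets
from typing import Callable, Dict, Iterable, Optional

IID_MASK = (1 << 64) - 1
UL_BIT = 1 << 57          # the universal/local bit: 0x02 of the first IID octet


def mac_to_modified_eui64(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in half, insert 0xfffe in the middle, then invert the
    # U/L bit so that a globally unique MAC yields a '1' there.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable address a SLAAC host forms from its /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_modified_eui64(mac))


def temporary_address(prefix: str,
                      randbits: Callable[[int], int] = secrets.randbits) -> ipaddress.IPv6Address:
    """An RFC 3041/4941-style temporary address: random IID with the U/L bit cleared.

    `randbits` is injectable so the behaviour can be checked deterministically;
    the default draws from the OS CSPRNG.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed within a /64")
    iid = randbits(64) & IID_MASK & ~UL_BIT
    if iid == 0:                         # never use the subnet-router anycast identifier
        iid = 1
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str) -> Optional[str]:
    """Recover the MAC if the address carries a modified EUI-64 identifier, else None."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":          # the 0xfffe filler is the EUI-64 fingerprint
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def audit(addrs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each address to the MAC it exposes (None if it exposes nothing).

    This is the check an operator would run over a neighbor table or a
    DHCP/RA log to see which hosts still use hardware-derived identifiers.
    """
    return {a: embedded_mac(a) for a in addrs}


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"          # constructed sample prefix
    mac = "00:1b:21:3c:4d:5e"             # constructed sample MAC
    stable = slaac_address(prefix, mac)
    temp = temporary_address(prefix)
    for a, leaked in audit([str(stable), str(temp)]).items():
        print(f"{a:40} embedded MAC: {leaked}")
```

The stable address is the same on every /64 the host visits apart from the prefix, which is exactly the cross-network profiling Rick describes; the temporary address gives a website nothing to correlate beyond the /64 itself, which Joe's "anti-NAT" pool idea extends to one fresh address per outgoing request.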
