NANOG 40 agenda posted

Iljitsch van Beijnum iljitsch at muada.com
Tue May 29 12:06:54 UTC 2007


On 29-mei-2007, at 13:41, Adrian Chadd wrote:

> * So is DHCPv6 the "way to go" for deploying IPv6 range(s) to end-customers?
>   Considering the current models of L2TP over IP for broadband aggregation
>   and wholesaling where the customer device speaks PPPoX.

IP6CP in PPP doesn't have the capability to negotiate actual IPv6  
addresses, like IPCP can for IPv4. Also, giving out individual  
addresses isn't likely to be a useful model in IPv6 where the  
abundance of address space and the lack of NAT make giving out at  
least one subnet to a user a more natural model.

With IPv4, DHCP gives out an address to a host, accompanied by a  
default gateway address and additional information such as DNS  
resolvers. IPv6 DHCP (DHCPv6) is capable of giving out addresses, but  
this isn't universally implemented because IPv6 hosts traditionally  
get their addresses from stateless autoconfig. DHCPv6 can't provide a  
default gateway, you need stateless autoconfig for that even if you  
use DHCPv6 for address assignment.

And there is the extra info, but DNS resolvers may be available in  
stateless autoconfig in the future as well.

However, DHCPv6 also has a different mode of operation: prefix  
delegation. This does what the name implies. What you can do today  
with a Cisco router is request a prefix from a DHCPv6 server, and  
then, on a different interface, send out router advertisements using  
a subprefix from the DHCPv6 one so that hosts will receive addresses  
in that prefix using stateless autoconfig. When the DHCPv6 server  
gives out a new prefix, the router and all the hosts are  
automatically renumbered without much impact, if any.

This is probably the way we want to do IPv6 address provisioning for  
end-users in the future, but that requires that home gateways that  
implement IPv6 routing functionality come with the DHCPv6 prefix  
delegation client capability and have this configured by default so  
it all works out of the box.

> * Has anyone sat down and thought about the security implications for running
>   native IPv6 addresses on end-devices which, at the moment, don't have 'direct'
>   access to the internet (ie sitting behind a NAT.)

Sure:

http://arstechnica.com/articles/paedia/ipv6-firewall-mixed-blessing.ars
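
The prefix delegation and renumbering behaviour described in the message above, as an added Python example that is not part of the original post: it carves a /64 for the LAN out of a delegated prefix, forms host addresses the way stateless autoconfig does, and shows what changes when the DHCPv6 server hands out a new prefix. The prefixes and MAC address used with it are constructed documentation values, the function names are hypothetical, and hosts are assumed to use modified EUI-64 interface identifiers (RFC 4291) rather than privacy addresses.

```python
import ipaddress


def lan_prefix(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 numbered subnet_id inside a DHCPv6-delegated prefix."""
    net = ipaddress.IPv6Network(delegated)  # rejects prefixes with host bits set
    if net.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64; no room for a SLAAC subnet")
    subnet_bits = 64 - net.prefixlen
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet_id does not fit in {subnet_bits} subnet bits")
    # The subnet ID occupies the bits between the delegated prefix and bit 64.
    base = int(net.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit and insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from the /64 in a router advertisement."""
    if prefix.prefixlen != 64:
        raise ValueError("stateless autoconfig with EUI-64 needs a /64")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def renumber(old_delegated: str, new_delegated: str, subnet_id: int, macs):
    """Map each host MAC to its (old, new) address after a prefix change."""
    old = lan_prefix(old_delegated, subnet_id)
    new = lan_prefix(new_delegated, subnet_id)
    return {mac: (slaac_address(old, mac), slaac_address(new, mac)) for mac in macs}


if __name__ == "__main__":
    # Constructed sample: the ISP replaces a /48 delegation with a /56.
    hosts = ["00:11:22:33:44:55"]
    for mac, (before, after) in renumber(
        "2001:db8:1200::/48", "2001:db8:ab00::/56", 1, hosts
    ).items():
        print(f"{mac}: {before} -> {after}")
```

Only the upper 64 bits change on renumbering; the interface identifier stays the same, so any filter rule written against a full host address has to follow the delegated prefix.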





