rays at maine.edu
Thu Feb 19 09:16:57 CST 2009
From: Carl Rosevear [mailto:Carl.Rosevear at demandmedia.com]
Sent: Tuesday, February 17, 2009 11:59 AM
To: nanog at nanog.org
Subject: IPv6 Confusion
> How does IPv6 addressing work?
RFC 2372 is a good starting point.
With IPv6 we provide for every LAN network to be a /64. A good starting
point would be counting your VLANs and trying to anticipate how many
networks you will need (not how many hosts on said networks). Don't
count any non-routed networks, as these can make use of ULA address
space (the IPv6 equivalent to RFC 1918 space), for more info on ULA see
If you assign a /64 to every LAN (as you should) then the rest is
deciding how much address space you need for network identifiers
(remember, since the host segment of each network is a /64 there is no
need to define the number of hosts you will have on any given network).
A /56 for example would provide you with 256 networks, which is more
than enough for most mid-sized networks. If you need more, you could
jump up to a /52, providing a 12 bit address space for network
identifiers (or 4096) which is the same size as the 802.1Q VLAN ID
field. This could be useful in tracking your IPv6 networks as you could
essentially use those 12 bits to encode the hex value of the VLAN ID
for any network you create (preventing address space conflicts). For
very large organizations (multi-campus organizations for example) moving
up to a /48 provides enough address space for 16 /52s, or 256 /56s
(again, these are just examples, I like to keep the breaks 4 bits apart
for readability, but you could use any mask in between). The point is
you need to get away from the mindset of determining network sizes based
on the number of hosts.
On a side note we do make use of /126 networks in the zero address space
for link networks (router to router) as recommended by RFC 3627. The
main reason for this is because a /64 for link networks (of which we
have several) is very wasteful. Using the zero address space for these
also provides us with the ability to have much shorter addresses for
links using the :: notation; e.g. 2001:DB8::1.
With that said, I think most providers are giving out either /64s or
/48s right now. IMHO a /48 is often wasteful, but it's not like the
address space isn't there. If you're going to be using BGP for routing
IPv6 (e.g. more than one provider) you'll want to have something larger
than a /48 (/48 and /32 are the most common prefix sizes we see
announced through BGP). Many ISPs will refuse to route anything smaller
than a /32 though, so check with who you plan on getting service from
If you don't have need for something that is a /48 or larger, you
probably should just try to go through a single provider to assign you a
prefix out of their space.
Hurricane Electric (HE.net) offers free IPv6 tunnels with /64 or /48
prefix assignments. It might be a good option for you to play around
with IPv6 before you go out and request a /32.
> I know it's been hashed and rehashed but several orgs I am associated
> with are about to ask for their allocations from ARIN and we are all
> realizing we don't really know how the network / subnet structure
> trickles down from the edge to the host. We really don't have a firm
> grasp of all of this as there seems to be multiple options regarding
> how many addresses should be assigned to a host, if the MAC address
> should be included in the address or if that is just for auto-
> configuration purposes or what the heck the deal is. There are a lot
> of clear statements out there and a lot that are clear as mud.
> Unfortunately, even when trying to analyze which RFC superseded
> another. Can I just subnet it all like IPv4 but with room to grow or
> is each host really going to need its own /84 or something? I can't
> see why hosts would need any more addresses than today but maybe I'm
> missing something because a lot of addressing models sure allow for a
> huge number of unique addresses per host.
You shouldn't make any network smaller than a /64, the exception is link
networks as mentioned above, but even then there are purists who will
say no to those and use /64s there as well. That's the entire point of
having a 128-bit address space instead of a 64-bit address space. The
intent was to do away with the need for NAT (which is costly and breaks
Stateless Autoconfiguration (RFC 4862) is your friend; don't fight it.
It will be some time before we see things like DHCPv6 snooping work its
way into L2 security, but work is already in progress for protection
against Router Advertisement (RA)... it's called RA Guard, and you can
view the current draft of it here:
On a side note, I always use ::1 for the gateway address, but there is
no requirement for that. If you need to assign static IPs to hosts you
can start using ::2 or even leave the first handful of addresses empty
for future use. Anything that doesn't have the stateless flag (FFFE
inserted in the middle) shouldn't cause a conflict.
Note that we're in a transition phase for IPv6 right now. That means
we're talking about dual-stack network deployments (IPv6 and IPv4
running side by side). It's going to be a while before we can get away
with running IPv6-only networks.
> There are people here at my company that seem to get it but can't
> seem to explain it clearly to me. To me, its basically just larger
> addressing space with some new logical boundaries.... But there are
> so many discussions of potential addressing methods that I am
> confused. I know from my lab setups that I can "make it work" but
> I'd like to "do it right". J
> I've been doing this for over 10 years now... IPv4 is native to me.
> If you can point me in the direction of some good, authoritative
> information or even say "Dood, go get IPv6 for dummies", that's fine
> I just need to know where to find some good information.
Dump the IPv4 mindset, don't use anything smaller than a /64, and assign
a /64 for each VLAN and you'll be fine.
We have IPv6 deployed on a limited number of networks. The things
slowing us down right now are mainly the lack of L2 security features
that are around for IPv4 (DHCP snooping, ARP inspection, etc.) In the
future we'll be looking at 802.1X for securing access, RA Guard for
suppressing rogue IPv6 routers, and much later on, perhaps a shift to
stateful addressing using DHCPv6 so that we can dynamically IPv6 DNS
records, but that will be much later. Many operating systems don't
support DHCPv6 natively yet, but all hosts that support IPv6 support
stateless autoconfiguration. We do DHCPv6 on our routers to hand out
IPv6 DNS servers for hosts that support DHCPv6, but that's mostly for
testing IPv6 on our DNS servers.
More information about the NANOG