IPv6 prefixes longer than /64: are they possible in DOCSIS networks?

Brzozowski, John John_Brzozowski at Cable.Comcast.com
Thu Dec 1 20:33:43 CST 2011


See below.


On 12/1/11 5:11 AM, "Dmitry Cherkasov" <doctorchd at gmail.com> wrote:

>John,
>
>Due to your note I carefully read again Cable Labs specs and found
>that really SLAAC is not prohibited. According to CM-SP-MULPIv3.0:
[jjmb] I was part of the team that wrote IPv6 for DOCSIS, so I know the
history well.  ;)

>
>* If the M bit in the RA is set to 1, the CM (cable modem) MUST use
>DHCPv6 ...;
>* If there are no prefix information options in the RA, the CM MUST
>NOT perform SLAAC;
[jjmb] even if there are PIOs and the A bit is set to 0, the CM will
not/must not perform SLAAC.

>* If the RA contains a prefix advertisement with the A bit set to 0,
>the CM MUST NOT perform SLAAC on that prefix.
[jjmb] yes, see above.
>
>That means that if M bit in the RA is set to 0 and RA contains a
>prefix advertisement with the A bit set to 1 nothing prevents CM from
>SLAAC.
[jjmb] correct.

>And if so we probably better reserve /64 per network just in case we
>may use SLAAC in it in the future. While we do not use SLAAC we can
>shorten the range of actually used IPv6 addresses by using longer than
>/64 prefix.
[jjmb] I suppose, again not sure why you would want to take this route.
This also assumes no PIOs in the RA.  Please note there are other
operational reasons why SLAAC is not a truly deployable alternative.  We
can discuss off list if you are interested.
>
>You are completely right that prefix delegation enforces DHCPv6 so
>SLAAC mentioned above can be used only for CMs, not for CPE.
[jjmb] similar to cable modems, CPEs that only request or require IA_NA
could conceivably use SLAAC.  Same caveat and comments as above.

>
>Just a note: as far as I can see available DOCSIS 3.0 CMTSes do not
>support the ability of SLAAC for CMs currently (checked Casa and Cisco
>uBR10K).
[jjmb] I am sure you make it work on at least one of the above. :)
>
>
>Dmitry Cherkasov
>
>
>
>2011/11/30 Brzozowski, John <John_Brzozowski at cable.comcast.com>:
>> Technically this is not true.  SLAAC is not prohibited, it does come with
>> side effects that complicate the deployment of IPv6.  It is technically
>> feasible to use SLAAC, it is just not practical in most cases.
>>
>> Stateful DHCPv6 is the preferred mechanism for address and configuration
>> assignment.  Prefix delegation requires the use of stateful DHCPv6 in
>> DOCSIS networks.
>>
>> John
>> =========================================
>> John Jason Brzozowski
>> Comcast Cable
>> e) mailto:john_brzozowski at cable.comcast.com
>> o) 609-377-6594
>> m) 484-962-0060
>> w) http://www.comcast6.net
>> =========================================
>>
>>
>>
>>
>> On 11/29/11 7:09 AM, "Dmitry Cherkasov" <doctorchd at gmail.com> wrote:
>>
>>>Steven,
>>>
>>>SLAAC is prohibited for using in DOCSIS networks, router
>>>advertisements that allow SLAAC must be ignored by end-devices,
>>>therefore DHCPv6 is the only way of configuring (if not talking about
>>>static assignment). I have seen at least Windows7 handling this
>>>properly in its default configuration: it starts DHCPv6 negotiation
>>>instead of auto-configuration.
>>>
>>>Dmitry Cherkasov
>>>
>>>
>>>
>>>2011/11/29 Steven Bellovin <smb at cs.columbia.edu>:
>>>>
>>>> On Nov 28, 2011, at 4:51 52PM, Owen DeLong wrote:
>>>>
>>>>>
>>>>> On Nov 28, 2011, at 7:29 AM, Ray Soucy wrote:
>>>>>
>>>>>> It's a good practice to reserve a 64-bit prefix for each network.
>>>>>> That's a good general rule.  For point to point or link networks you
>>>>>> can use something as small as a 126-bit prefix (we do).
>>>>>>
>>>>>
>>>>> Technically, absent buggy {firm,soft}ware, you can use a /127. There's no
>>>>> actual benefit to doing anything longer than a /64 unless you have
>>>>> buggy *ware (ping pong attacks only work against buggy *ware),
>>>>> and there can be some advantages to choosing addresses other than
>>>>> ::1 and ::2 in some cases. If you're letting outside packets target your
>>>>> point-to-point links, you have bigger problems than neighbor table
>>>>> attacks. If not, then the neighbor table attack is a bit of a red-herring.
>>>>>
>>>>
>>>> The context is DOCSIS, i.e., primarily residential cable modem users, and
>>>> the cable company ISPs do not want to spend time on customer care and
>>>> hand-holding.  How are most v6 machines configured by default?  That is,
>>>> what did Microsoft do for Windows Vista and Windows 7?  If they're set for
>>>> stateless autoconfig, I strongly suspect that most ISPs will want to stick
>>>> with that and hand out /64s to each network.  (That's apart from the larger
>>>> question of why they should want to do anything else...)
>>>>
>>>>
>>>>                --Steve Bellovin, https://www.cs.columbia.edu/~smb
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
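
The RA rules discussed in this thread (M bit, presence of prefix information options, per-prefix A bit) can be checked against a captured Router Advertisement. The following is an added example, not part of the original thread or of any DOCSIS implementation; the function names and sample packets are constructed for illustration, and it assumes that an RA with M=1 leaves the CM DHCPv6-only.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PIO = 3          # Prefix Information option
M_FLAG = 0x80        # "Managed" bit in the RA flags byte
A_FLAG = 0x40        # "Autonomous" bit in the PIO flags byte

def parse_ra(pkt: bytes):
    """Return (m_bit, [(prefix, a_bit), ...]) for a raw ICMPv6 RA."""
    if len(pkt) < 16 or pkt[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    m_bit, pios, off = bool(pkt[5] & M_FLAG), [], 16
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(pkt):
            raise ValueError("malformed option length")
        if opt_type == OPT_PIO:
            if opt_len != 32 or pkt[off + 2] > 128:
                raise ValueError("malformed PIO")
            net = ipaddress.IPv6Network(
                (pkt[off + 16:off + 32], pkt[off + 2]), strict=False)
            pios.append((net, bool(pkt[off + 3] & A_FLAG)))
        off += opt_len
    return m_bit, pios

def cm_decision(pkt: bytes):
    """Apply the rules quoted in the thread; names are hypothetical."""
    m_bit, pios = parse_ra(pkt)
    # Assumption: with M=1 the CM is treated as DHCPv6-only, since the thread
    # only describes SLAAC as unblocked when M=0 and a PIO has A=1.
    slaac = [] if m_bit else [str(net) for net, a_bit in pios if a_bit]
    return {"dhcpv6_required": m_bit, "slaac_prefixes": slaac}

def build_ra(m_bit, pios):
    """Build a constructed sample RA (checksum left at zero)."""
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64,
                     M_FLAG if m_bit else 0, 1800, 0, 0)
    for prefix, a_bit in pios:
        net = ipaddress.IPv6Network(prefix)
        ra += struct.pack("!BBBBIII", OPT_PIO, 4, net.prefixlen,
                          0x80 | (A_FLAG if a_bit else 0), 86400, 14400, 0)
        ra += net.network_address.packed
    return ra
```
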



