Cogent IPv6

Ray Soucy rps at maine.edu
Thu Jun 9 10:43:55 CDT 2011


> IPv6 newbie alert!
>
> I thought the maximum prefix length for IPv6 was 64 bits, so the comment about a v6 /112 for peering vexed me.  I have Googled so much that Larry Page called me and asked me to stop.
>
> Can someone please point me to a resource that explains how IPv6 subnets larger than 64 bits function and how they would typically be used?
>
> thanks,
> Kelly

The use of a 64-bit prefix is a requirement if using Stateless
addressing, nothing more.

Allocation of a 64-bit prefix for every host network means you won't
need to play games with subnetting based on the number of current or
potential hosts, and keeps things clean; you SHOULD allocate a 64-bit
prefix for every host network, though extending this logic to
everything is a bit ignorant.

There is a denial of service attack vector that exists on most current
production IPv6 routers: IPv6 Neighbor Table Exhaustion.

Writing a quick program to sweep through every IPv6 address within a
64-bit prefix is enough to cause most routers to drop neighbor entries
for known hosts once the table is full.  This attack is specifically
targeted against routers, which makes it more troubling.  Note that I
was a naysayer of this vector being a problem until I actually wrote
an implementation of it in a lab.  I was able to kill all IPv6 traffic
within seconds from a single server.

Because of this, I strongly encourage you to make use of smaller
prefixes for link networks.  We use 126-bit prefixes (see
http://tools.ietf.org/rfc/rfc3627.txt for why we avoid 127).

We also don't consider Stateless desirable for the majority of our
host networks.  If you enable stateless on a network, every host with
an IPv6 stack will start making use of it.  If you use DHCPv6 you can
enable global IPv6 on a per-host basis.  This makes it much, much,
easier to get buy-in on rolling out IPv6 everywhere, and while IPv6 is
nice, it's not required yet, so you have time for the non-DHCPv6 hosts
to be upgraded over the next few years (Mac OS X Lion will actually
introduce a full DHCPv6 client implementation, for example).

If you don't require stateless, then using prefixes longer than 64 is
an option.  Our current practice is to allocate a full 64-bit prefix
in the schema, but only use what is currently required for actual
implementation.   Most of our IPv6 prefixes are actually 119 or
120-bit prefixes.

Once better protection against neighbor table exhaustion is available
we plan to migrate to 64.

Also very strongly recommend enabling IPv6 on all your networks even
if you disable RA or don't hand out addresses.  This provides you with
viability of IPv6 traffic on your IPv4 networks (e.g. the ability to
check for rogue IPv6 routers).

Finally, until RA Guard is available, use of L3 switches that support
IPv6 PACL's is highly desirable as they allow you to apply a
port-level traffic filter to drop RA from unauthorized ports (we do
this system-wide at this point, and network stability has improved
dramatically as a result).

MLD snooping still needs work; the current Cisco implementation is
bugged to the point where it drops ND traffic.  I'm strongly looking
forward to support for things like DHCPv6 snooping, I was hoping that
we'd see it by now but vendors are slow to come around.

-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/




More information about the NANOG mailing list