IPv6 prefixes longer than /64: are they possible in DOCSIS networks?

Ray Soucy rps at maine.edu
Tue Nov 29 16:39:06 UTC 2011


Windows (Vista and later) and OS X (as of Lion) now have mature IPv6
implementations and support DHCPv6 for address allocation.
Furthermore, they correctly let the network decide which method is
used and only provide the user with the option of "Manual" or
"Automatic", where Automatic will make use of SLAAC, DHCPv6, or both,
depending on the flags set in the IPv6 RA.

We run both systems, in production, using DHCPv6 on prefixes much
smaller than 64-bit (typically 120 or 119; we mirror whatever the IPv4
prefix length is).

There is functionality (current and future) that the use of a 64-bit
prefix provides; so it's a good idea to reserve that space for any LAN
network, even if you implement it as a 120-bit prefix on the router.
Just to be clear, I don't recommend not reserving a 64-bit prefix per
network.

That said; neighbor table exhaustion is a real problem.  A few lines
of C can kill IPv6 on enterprise- and carrier-grade routers.  It's a
problem that has gone largely ignored because people are still in a
private address space mindset.

We use 126-bit prefixes for link networks (we would have used 127, but
the arguments against them in RFC 3627 were compelling enough to avoid
them; after all we don't have a lack of space).  There are a few
reasons for this:

1. It lets us keep link addresses short by using the beginning of our
allocation (e.g. you'll see things like 2610:48::66 in traceroutes to
us), which are easily memorized in the event of DNS failure (face it;
there are still some addresses you'll memorize; even if they are
IPv6).

2. We know that the number of hosts on these networks is finite; it
will always be 2, so using a 64-bit prefix isn't useful in any way;
and until we see routers hardened against neighbor table exhaustion,
they're actually harmful.

3. We have thousands of link networks; giving them all a 64-bit prefix
seems rather wasteful.

We've been running IPv6 in production since 2009, and when we first
jumped into it I was in the same camp of being a purist; thinking
SLAAC was the best; that DHCPv6 wasn't needed; that every network
should always be a 64-bit prefix; etc.

A few years of experience with using IPv6 in an operational
environment has taught me otherwise.

I'm not saying posts on list about not using anything but a 64-bit
prefix are wrong; but it's a little more complicated than
one-size-fits-all networking.

It is perfectly valid to make use of prefixes other than 64-bit; so
long as you understand the implications of doing so.

SLAAC is a great bootstrapping mechanism for ad-hoc networking; and
the link-local scope (allowing all IPv6 traffic to happen over IPv6;
even neighbor discovery).  Just because it's a neat and useful way of
addressing doesn't mean it's the best way for every network.
Different strokes for different blokes and all that.

To those who noticed me and Owen seem to have this argument on-list a
few times a year, sorry for the recycled content. ;-)

On Mon, Nov 28, 2011 at 5:00 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>
> On Nov 28, 2011, at 4:51 52PM, Owen DeLong wrote:
>
>>
>> On Nov 28, 2011, at 7:29 AM, Ray Soucy wrote:
>>
>>> It's a good practice to reserve a 64-bit prefix for each network.
>>> That's a good general rule.  For point to point or link networks you
>>> can use something as small as a 126-bit prefix (we do).
>>>
>>
>> Technically, absent buggy {firm,soft}ware, you can use a /127. There's no
>> actual benefit to doing anything longer than a /64 unless you have
>> buggy *ware (ping pong attacks only work against buggy *ware),
>> and there can be some advantages to choosing addresses other than
>> ::1 and ::2 in some cases. If you're letting outside packets target your
>> point-to-point links, you have bigger problems than neighbor table
>> attacks. If not, then the neighbor table attack is a bit of a red-herring.
>>
>
> The context is DOCSIS, i.e., primarily residential cable modem users, and
> the cable company ISPs do not want to spend time on customer care and
> hand-holding.  How are most v6 machines configured by default?  That is,
> what did Microsoft do for Windows Vista and Windows 7?  If they're set for
> stateless autoconfig, I strongly suspect that most ISPs will want to stick
> with that and hand out /64s to each network.  (That's apart from the larger
> question of why they should want to do anything else...)
>
>
>                --Steve Bellovin, https://www.cs.columbia.edu/~smb



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/




More information about the NANOG mailing list