IPv6 allocation plan, security, and 6-to-4 conversion

Owen DeLong owen at delong.com
Sat Jan 31 01:32:27 UTC 2015


> On Jan 30, 2015, at 07:12, Karsten Elfenbein <karsten.elfenbein at gmail.com> wrote:
> 
> Hi,
> 
> 2015-01-30 0:28 GMT+01:00 Eric Louie <elouie at techintegrity.com>:
>> I'm putting together my first IPv6 allocation plan.  The general layout:
>> /48 for customers universally and uniformly
>> /38 for larger regions on an even (/37) boundary
>> /39 for smaller regions on an even (/38) boundary
>> A few /48's for "internal use" to allow us to monitor and maintain systems.
> 
> Depending on how many regions you have, I would just go for /40 as it
> is the byte boundary, or request a bigger block and use the /32.

Given that ARIN policy allows you two levels of nibble-round-up, I’d suggest
putting your regions all at /36, actually, assuming you have enough customers
in your largest region to justify more than 75% of a /40 (which I assume to be the
case given the limited information provided).

Don’t make your network fit inside a /32 if it doesn’t fit conveniently. Get a /28 instead.

> 
>> For security sake, do I need (am I better off) to "reserve" a "management
>> block" (/39, /40, /41 or something of that nature) that does NOT get
>> advertised into BGP to my upstreams, and use that for my device management
>> and monitoring address space?  In other words, make a small "private"
>> address space for management?  What are folks doing around that?
> 
> Do not spam the BGP table for that. Use firewalls or ACLs to prevent
> unwanted access.

Exactly!

> You could use Unique Local addresses (ULA) for this if you have some
> VPN infrastructure in your network.

But only if you are truly a masochist. It’s so much easier to do this with GUA and
filters.

> Not announcing these blocks does not prevent people on your network from
> accessing these areas.

Among other various issues with using announcement control in lieu of actual
security policy.

>> If I have to do 6-to-4 conversion, is there any way to do that with
>> multiple diverse ISP connections, or am I "restricted" to using one
>> entry/exit point?  (If that's true, do I need to allocate a separate block
>> of addresses that would be designated "6 to 4" so they'd always be routed
>> out that one entry/exit point?)
> 
> I would not use 6to4 as it tunnels the IPv6 traffic over IPv4 which is
> a pain to control.

6to4 is in the process of being moved to historic status in the IETF for good reason.
If you’re deploying real IPv6, there’s no need to add any 6to4 headaches into your environment.
At its best, 6to4 was for people who couldn’t get real IPv6 transport. Today, it’s mostly an anachronism.

Owen
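The allocation arithmetic behind the advice above (a /48 per customer, regions on nibble boundaries, a /36 once a region would use more than 75% of a /40, and a /28 rather than a /32 when the regions do not fit), as an added worked example that is not code from the thread or from either poster. Everything in it is constructed: the region names and customer counts, the 2001:db8::/32 documentation prefix standing in for the operator's aggregate, and the function names. The 75% figure is the justification threshold quoted in the reply.

```python
"""Sizing a nibble-aligned IPv6 allocation plan: /48 per customer, regions on
4-bit (hex digit) boundaries, and an aggregate large enough that the regions
fit without squeezing.

Added example, not code from the thread. The 75% figure is the justification
threshold quoted in the reply; the region names, customer counts and the
2001:db8::/32 documentation prefix used as the aggregate are constructed.
"""
import ipaddress
from typing import Dict, Tuple

CUSTOMER_PREFIX = 48        # every customer gets a /48
JUSTIFY_FRACTION = 0.75     # utilisation threshold quoted in the reply


def capacity(prefix_len: int) -> int:
    """How many /48 customer assignments a block of this length holds."""
    return 1 << (CUSTOMER_PREFIX - prefix_len)


def nibble_down(prefix_len: int) -> int:
    """Round a prefix length down to a multiple of 4 (i.e. up to a larger block),
    so the boundary falls on a hex digit and is readable in ACLs and reverse DNS."""
    return prefix_len - (prefix_len % 4)


def region_prefix_len(customers: int) -> int:
    """Smallest nibble-aligned block that holds `customers` /48s."""
    if customers < 1:
        raise ValueError("a region needs at least one customer")
    bits = (customers - 1).bit_length()      # 2**bits >= customers, exact for powers of two
    return nibble_down(CUSTOMER_PREFIX - bits)


def justified(customers: int, prefix_len: int) -> bool:
    """True when `customers` exceed JUSTIFY_FRACTION of the next smaller nibble
    block: a /36 region is justified once more than 75% of a /40 would be used."""
    return customers > JUSTIFY_FRACTION * capacity(prefix_len + 4)


def aggregate_prefix_len(num_regions: int, region_len: int) -> int:
    """Nibble-aligned aggregate length holding `num_regions` blocks of
    `region_len`; 17 or more /36 regions need a /28, not a /32."""
    bits = (num_regions - 1).bit_length()
    return nibble_down(region_len - bits)


def plan(aggregate: str, regions: Dict[str, int],
         region_len: int) -> Dict[str, Tuple[ipaddress.IPv6Network, int, int]]:
    """Carve `aggregate` into consecutive `region_len` blocks, one per region,
    and return {region: (block, customers, capacity)}. Raises if the aggregate
    is too small for the number of regions or a region overflows its block."""
    agg = ipaddress.IPv6Network(aggregate)
    needed = aggregate_prefix_len(len(regions), region_len)
    if agg.prefixlen > needed:
        raise ValueError(f"{aggregate} is too small for {len(regions)} /{region_len}s; "
                         f"a /{needed} is needed")
    blocks = agg.subnets(new_prefix=region_len)
    result = {}
    for name, count in regions.items():
        if count > capacity(region_len):
            raise ValueError(f"region {name}: {count} customers exceed a /{region_len}")
        result[name] = (next(blocks), count, capacity(region_len))
    return result


if __name__ == "__main__":
    # Constructed sample: three regions, the largest needing more than 75% of a /40.
    regions = {"east": 300, "west": 200, "north": 50}
    region_len = max(region_prefix_len(n) for n in regions.values())   # uniform /36
    agg_len = aggregate_prefix_len(len(regions), region_len)           # /32 suffices here
    print(f"regions at /{region_len}, aggregate /{agg_len}")
    for name, (block, count, cap) in plan("2001:db8::/32", regions, region_len).items():
        print(f"{name:6} {block:22} {count}/{cap} /48s  justified={justified(count, region_len)}")
```

The regions are sized uniformly at the largest region's length, which is what the reply recommends; `aggregate_prefix_len` is the check that tells you when the plan has outgrown a /32 and the honest answer is a /28.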

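The management-block point made twice in the thread (filter with ACLs, do not rely on withholding the announcement, because not announcing a block does nothing against sources already on your network), as an added example that is not code from the thread or from either poster. It models a first-match ACL in front of an internal-use /48 drawn from GUA and, for contrast, what "not announced" actually hides. As a side check it also decodes 2002::/16 sources to the IPv4 endpoint a 6to4 packet was tunneled from, which is why the reply calls that traffic hard to control. All prefixes and names are constructed: 2001:db8::/32 (documentation prefix) stands in for the operator's aggregate, 2001:db8:ffff::/48 for the management /48, the "jump host" and "NOC" sources are assumed, and 3fff::1 (the newer documentation range) stands in for an off-net source.

```python
"""Protecting a management /48 with an address filter rather than by
withholding its BGP announcement.

Added example, not code from the thread. All prefixes are constructed:
2001:db8::/32 is the operator's aggregate, 2001:db8:ffff::/48 the management
block, 2001:db8:100::/48 an assumed NOC office block, 3fff::1 an off-net host.
"""
import ipaddress
from typing import Iterable, Optional, Tuple

IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network

OUR_AGGREGATE = Net6("2001:db8::/32")     # everything the operator holds
MGMT = Net6("2001:db8:ffff::/48")          # internal-use /48 for device management
SIXTOFOUR = Net6("2002::/16")              # 6to4: 2002:<IPv4 in hex>::/48

# Ordered first-match ACL, applied on every router/firewall that fronts MGMT:
# (action, source prefix, destination prefix)
ACL = [
    ("permit", Net6("2001:db8:ffff:1::/64"), MGMT),   # jump hosts inside mgmt (assumed)
    ("permit", Net6("2001:db8:100::/48"),    MGMT),   # NOC office block (assumed)
    ("deny",   Net6("::/0"),                 MGMT),   # everyone else -> management
    ("permit", Net6("::/0"),                 Net6("::/0")),  # all other traffic
]


def decode_6to4(addr: IPv6) -> Optional[ipaddress.IPv4Address]:
    """For a 2002::/16 address, return the IPv4 address embedded in bits 16-47,
    i.e. the IPv4 endpoint the packet was encapsulated from; else None."""
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address(addr.packed[2:6])


def acl_decision(src: str, dst: str) -> Tuple[str, str]:
    """Evaluate ACL first-match for one packet; returns (action, note)."""
    s, d = IPv6(src), IPv6(dst)
    for action, sp, dp in ACL:
        if s in sp and d in dp:
            v4 = decode_6to4(s)
            if v4 is not None:
                note = f"6to4 source tunneled over IPv4 from {v4}"
            else:
                note = "on-net source" if s in OUR_AGGREGATE else "off-net source"
            return action, note
    return "deny", "no match"   # unreachable: the ::/0 catch-all always matches


def hidden_by_non_announcement(src: str, dst: str,
                               announced: Iterable[Net6]) -> bool:
    """Model of what withholding a BGP announcement buys: it only matters when
    the source is off-net AND no announced prefix covers dst. An on-net source
    routes to dst over the internal IGP and never sees the BGP table."""
    s, d = IPv6(src), IPv6(dst)
    if s in OUR_AGGREGATE:
        return False
    return not any(d in net for net in announced)


if __name__ == "__main__":
    # Constructed: announce the regional /36s but not the one holding MGMT.
    announced = [Net6("2001:db8::/36"), Net6("2001:db8:1000::/36")]
    mgmt_host = "2001:db8:ffff:2::5"
    for src in ["2001:db8:ffff:1::10",   # jump host
                "2001:db8:100::7",       # NOC
                "2001:db8:1000:1::1",    # a customer in an announced region
                "3fff::1",               # off-net
                "2002:c000:204::1"]:     # 6to4 host behind IPv4 192.0.2.4
        action, note = acl_decision(src, mgmt_host)
        hidden = hidden_by_non_announcement(src, mgmt_host, announced)
        print(f"{src:22} acl={action:6} hidden_by_non_announcement={hidden!s:5} ({note})")
```

The customer line is the one that matters: the on-net source is never hidden by announcement control, and only the explicit deny keeps it off the management block. The 6to4 line shows what you get for free by keeping management on GUA and filtering by address: the IPv4 relay endpoint is right there in the source for logging and follow-up.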