New Office, New Network. Questions.

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jul 11 14:56:07 UTC 2016


On Sun, 10 Jul 2016 21:53:52 +0300, Nikolai Petrov said:

> 1. Currently we do not have IPv6 in our network but I have seen the ISP is
> giving us a "/56 Block" which from what I understand is a couple hundred "/64
> Subnets". I think you can only have /64 subnets in IPv6. In our IPv4 setup we

You can have other sized subnets, but 64 is very handy if you intend to use
SLAAC auto-configure.  There's also the danger of running into broken equipment
that doesn't understand other sized subnets (similar to very old IPv4 gear that
understood a /24, but exploded if told about a /23 or /25).

> have 32 addresses, four of which I will use for NAT and the remaining needed
> for online services and servers. In IPv6 we have a lot of addresses but I am
> not sure whether I should give an address of the ISP to every device. I found

Assign a /64 to everyplace that you would assign a subnet in IPv4.  Give each
device on that subnet its own address. Use DHCPv6 or SLAAC or both, whatever
gets the job done in your situation. Don't worry about NAT anymore, you have
enough addresses.

> that there is an organization that can help avoid collisions in private IPs:
> https://www.sixxs.net/tools/grh/ula/ . From what I can tell it is just a
> registry, but I am thinking of registering the ranges there and then use these
> subnets and NAT them to the IPv6 address of the router.

Don't do that. NAT was invented to fix a problem that IPv6 doesn't have. Feel
free to give every single device a global address. (You'll still want a
stateful firewall someplace, but it doesn't have to do NAT, it just has to keep
track of legitimate versus malicious traffic).

And don't freak out if a device has more than one address.  As I'm writing this
from the sofa in my living room, my laptop wireless has:

ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.150  netmask 255.255.255.224  broadcast 192.168.1.159
        inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:c01:a589:19a4:236e  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431::d67  prefixlen 128  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x20<link>
        inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9  prefixlen 64  scopeid 0x0<global>
        ether c8:d7:19:37:0c:02  txqueuelen 1000  (Ethernet)

(One DHCPv6 - ::d67.  One SLAAC - the one with ff:fe in it.  And 4 different
RFC3041 privacy addresses that it's chunked out over the weekend.  It works
just fine that way - and it's *designed* to do so.  (Of course, in a corporate
environment, you may want to turn the privacy addresses off, and only use
one of DHCPv6/SLAAC - I do it this way because it tests for broken software...))

Oh, and don't block ICMPv6. :)

> something strange. The WAN port of our router gets a /64 IPv6 address which is
> not in our IPv6. Should I use this for NAT or one of "our" addresses?

You use it for the IP address of the provider-facing interface of your router.
Assign the "inside" interface(s) addresses on the appropriate /64 subnet that
they will be on.
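To make the sorting of that ifconfig listing mechanical, here is an added Python example (not from the post or its author) that parses the quoted output, rebuilds the modified EUI-64 interface identifier from the MAC to pick out the SLAAC address, treats the /128 as the DHCPv6 lease (a heuristic that matches how Linux shows leased addresses), labels the remaining global /64 addresses as privacy addresses, and counts how many /64 subnets a delegated /56 holds. The 2001:db8::/56 block used at the bottom is an assumed documentation prefix, not the poster's.

```python
import ipaddress

# Constructed sample: the interface listing quoted in the message above.
IFCONFIG = """\
ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.150  netmask 255.255.255.224  broadcast 192.168.1.159
        inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:c01:a589:19a4:236e  prefixlen 64  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431::d67  prefixlen 128  scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::cad7:19ff:fe37:c02  prefixlen 64  scopeid 0x20<link>
        inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9  prefixlen 64  scopeid 0x0<global>
        ether c8:d7:19:37:0c:02  txqueuelen 1000  (Ethernet)
"""

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291 App. A):
    flip the universal/local bit of the first octet and insert ff:fe."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")

def parse_ifconfig(text: str):
    """Return (mac, [(IPv6Address, prefixlen), ...]) from ifconfig-style output."""
    mac, addrs = None, []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "inet6":
            addrs.append((ipaddress.IPv6Address(parts[1]), int(parts[3])))
        elif parts and parts[0] == "ether":
            mac = parts[1]
    return mac, addrs

def classify(text: str) -> dict:
    """Map each IPv6 address to how it was most likely configured."""
    mac, addrs = parse_ifconfig(text)
    mac_iid = eui64_iid(mac) if mac else None
    kinds = {}
    for addr, plen in addrs:
        iid = int(addr) & ((1 << 64) - 1)        # low 64 bits = interface ID
        if addr.is_link_local:
            kind = "link-local"
        elif plen == 128:
            kind = "dhcpv6"          # heuristic: a /128 on a /64 link is a lease
        elif iid == mac_iid:
            kind = "slaac-eui64"     # MAC-derived IID: stable, so trackable
        else:
            kind = "privacy"         # random IID: RFC 3041/4941 temporary address
        kinds[str(addr)] = kind
    return kinds

def count_64s(block: str) -> int:
    """How many /64 subnets fit in an ISP-delegated block such as a /56."""
    return 2 ** (64 - ipaddress.IPv6Network(block).prefixlen)

if __name__ == "__main__":
    for a, k in classify(IFCONFIG).items():
        print(f"{k:12} {a}")
    print("/64s in 2001:db8::/56:", count_64s("2001:db8::/56"))  # assumed prefix
```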