IPV6 planning

Karl Auer kauer at biplane.com.au
Sat Mar 5 22:59:50 UTC 2016

On Sat, 2016-03-05 at 16:19 -0500, Laurent Dumont wrote:
> We are currently considering deploying IPv6 for a Lan event in April.
> We are assigned a /48 which we then split into smaller subnets for 
> each player vlan. That said, what remains to be decided is how we are 
> going to assign the IPv6. Basically, it seems that are two ways, one 
> SLAAC where the endpoints uses RA to generate it's own IP and DHCPv6 
> which is basically DHCP but for IPv6.

SLAAC is way easier:
 - no DHCPv6 server is required
 - every IPv6-capable device can do it
 - you only have to configure the router

With SLAAC you don't get DNS names, whereas DHCPv6 can update the DNS
for you. You can let player hosts update the DNS directly, but it's
more open to abuse. Or maybe you don't need names anyway.

Other thing with SLAAC is that you get 64-bit subnets and only 64-bit
subnets. This should not be any kind of problem with a flat /48, but if
you will have more complicated subnetting you should keep an eye on it.

Unless you take steps to prevent SLAAC happening, SLAAC will happen.
The simplest way to prevent it happening is to allocate non-64-bit
subnets to the router interfaces.

The biggest gotcha (or gotchas) you will face is/are buggy IPv6
implementations on the router/switch side - especially the switches. A
small test setup to make sure that your expected host operating systems
all work as expected with your planned network infrastructure would be
a Very Good Idea.

Second biggest gotcha will be forgetting to secure IPv6. IPv6 packet
filters, firewall rules etc are all completely separate and independent
from your IPv4 stuff.

Third gotcha - related to the second - is forgetting that your IPv6
-connected hosts are not behind NAT and are thus directly exposed to
the Internet via IPv6 unless you take steps to make it not so. You
should probably provide at least the same basic setup for IPv6 on your
outside router interfaces that NAT provides for IPv4, plus ICMPv6.
 - allow established/related inbound
 - allow all ICMPv6
 - allow all outbound
 - block all inbound

A possible gotcha is people using temporary or privacy IPv6 addressing,
which is the default on many modern operating systems. Addresses change
- on boot for temporary addresses, at regular intervals. Whether that
will be a problem or not depends on whether the hosts will be using
long-lived connections.
You may find that some participants have disabled IPv6. Since you are
dual stack this shouldn't be an issue, unless your IPv6 connectivity is
faster than your IPv4 connectivity. Might be worth getting up to speed
on how to enable/disable IPv6 on various operating systems so that you
can advise people.

Regards, K.

Karl Auer (kauer at biplane.com.au)

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4

More information about the NANOG mailing list