On 6 June 2012 14:12, Cutler James R <james.cut...@consultant.com> wrote:
>
> On Jun 5, 2012, at 5:23 PM, William Herrin wrote:
>
> > On 6/5/12, David Hubbard <dhubb...@dino.hostasaurus.com> wrote:
> >> Does anyone have suggestions on good books to really get
> >> a thorough understanding of v6, subnetting, security practices,
> >> etc. Or a few books. Just turned up dual stack with our
> >> peers and a test network but I'd like to be a lot more
> >> comfortable with it before looking at our customer network.
> >
> > Hi David,
> >
> > Instead of going the book route, I'd suggest getting some tunneled
> > addresses from he.net and then working through
> > http://ipv6.he.net/certification/ .
> >
> > They have the basics pretty well covered, it's interactive and it's free.
> >
> >
> > Some additional thoughts:
> >
> > 1. Anybody who tells you that there are security best practices for
> > IPv6 is full of it. It simply hasn't seen enough use in the
> > environment to which we're now deploying it and rudimentary
> > technologies widely used in IPv4 (e.g. NAT/PAT to private address
> > space) haven't yet made their transition.
> >
> >
> > 2. Subnetting in v6 in a nutshell:
> >
> > a. If it's a LAN, /64. Always. Stateless autoconfiguration (SLAAC)
> > only works for /64.
> >
> > b. Delegations on 4-bit boundaries for reverse-DNS convenience.
> >
> > c. If it's a point to point, a reasonable practice seems to be a /64
> > per network area and around /124 per link. Works OK for ethernet point
> > to points too.
> >
> > d. Default customer assignments should be /56 or /48 depending on who
> > you ask. /48 was the IETF's original plan. Few of your customers
> > appear to use tens of LANs, let alone thousands. Maybe that will
> > change but the motivations driving such a thing seem a bit pie in the
> > sky. /56 lets the customer implement more than one LAN (e.g. wired
> > and wireless) but burns through your address space much more slowly.
> > /60 would do that too but nobody seems to be using it. /64 allows only
> > one LAN, so avoid it.
> >
> > e. "sparse allocation" if you feel like it. The jury is still out on
> > whether this is a good idea. Basically, instead of assigning address
> > blocks linearly, you divide your largest free space in half and stick
> > the new assignment right in the middle. Good news: if the assignment
> > later needs to grow you can probably just change the subnet mask,
> > keeping the number of entries in the routing table the same. Bad news:
> > fragments the heck out of your address space so when you actually need
> > a large address block for something, you don't have it.
> >
> > Trying to keep non-dynamic assignments in local or regional aggregable
> > blocks works about as well as it did in IPv4, which is to say poorly.
> >
> > Regards,
> > Bill Herrin
> >
> >
> > --
> > William D. Herrin ................ her...@dirtside.com b...@herrin.us
> > 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> > Falls Church, VA 22042-3004
>
>
> Bill's additional comments about subnetting are a concise and accurate view.
> They also show an overlooked benefit of IPv6 over IPv4 -- For address
> planning, it is no longer necessary to count individual end points, rather
> only the subnets must be counted. This reduces labor in planning, assigning,
> and tracking addresses.
>
>
> James R. Cutler
> james.cut...@consultant.com
>
Hi all,

Potentially silly question but, as Bill points out, a LAN always occupies a /64. Does this imply that we would have large L2 segments with a large number of hosts on them? What about the age old discussion about keeping broadcast segments small? Or, will it be that a /64 will only typically have a similar number of hosts in it as, say, a /23|4 in the IPv4 world?

Cheers,
Anton
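Item (e) in Bill's quoted list describes sparse allocation in words; the Python below is an added example (mine, not code from anyone on this thread) that carves /48 customer assignments out of a constructed pool, the 2001:db8::/32 documentation prefix, by bisecting the largest free block, and then checks the "good news" claim that an assignment can later grow by changing only its mask. The function names sparse_allocate, free_blocks and can_grow are my own.

```python
import ipaddress
import itertools

# Constructed example pool: the IPv6 documentation prefix standing in for an ISP block.
POOL = ipaddress.ip_network("2001:db8::/32")


def free_blocks(pool, assigned):
    """Free sub-blocks of `pool` once every assigned prefix is carved out,
    largest block first (ties broken by lowest address)."""
    free = [pool]
    for used in assigned:
        remaining = []
        for block in free:
            if used.subnet_of(block):
                remaining.extend(block.address_exclude(used))  # carve `used` out
            elif not block.overlaps(used):
                remaining.append(block)  # untouched; a block inside `used` vanishes
        free = remaining
    return sorted(free, key=lambda n: (n.prefixlen, n.network_address))


def sparse_allocate(pool, assigned, prefixlen):
    """Sparse allocation: bisect the largest free block and place the new
    /prefixlen at the start of its upper half, i.e. in the middle of the free space."""
    fits = [b for b in free_blocks(pool, assigned) if b.prefixlen <= prefixlen]
    if not fits:
        raise ValueError("no free block left for a /%d" % prefixlen)
    largest = fits[0]
    if largest.prefixlen == prefixlen:
        return largest  # exact fit, nothing to bisect
    _, upper_half = largest.subnets(prefixlen_diff=1)
    return next(upper_half.subnets(new_prefix=prefixlen))


def can_grow(assignment, new_prefixlen, pool, others):
    """True if `assignment` can widen to /new_prefixlen by changing only its mask:
    same network address, still inside the pool, no overlap with other assignments
    (so the routing table keeps the same number of entries)."""
    grown = assignment.supernet(new_prefix=new_prefixlen)
    if grown.network_address != assignment.network_address:
        return False  # widening would move the start of the block: renumbering
    return grown.subnet_of(pool) and not any(grown.overlaps(o) for o in others)


if __name__ == "__main__":
    sparse = []
    for _ in range(3):  # three customer /48s placed sparsely
        sparse.append(sparse_allocate(POOL, sparse, 48))
    linear = list(itertools.islice(POOL.subnets(new_prefix=48), 3))  # same count, linear
    print("sparse:", [str(n) for n in sparse], "linear:", [str(n) for n in linear])
    # First sparse customer grows to a /40 in place; first linear one cannot even reach a /47.
    print(can_grow(sparse[0], 40, POOL, sparse[1:]), can_grow(linear[0], 47, POOL, linear[1:]))
```

The "bad news" from the post is visible too: after a handful of sparse /48s, free_blocks returns many small fragments and no large contiguous block.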