Re: v6 subnet size for DSL leased line customers
If the ops community doesn't provide enough addresses and a way to use them then the vendors will do the same thing they did in v4. It's not clear to me where their needs don't coincide in this case. there are three legs to the tripod network operator user equipment manufacturer They have (or should have) a mutual interest in: Transparent and automatic configuration of devices. The assignment of globally routable addresses to internet connected devices the user having some control over what crosses the boundry between their network and the operators. Yes, well, that sounds fine, but I think that we've already hashed over at least some of the pressures on businesses in this thread. I've tried to focus on what's in the Subject:, and have mostly ignored other problems, which would include things such as cellular service, where I suspect that the service model is such that they'll want to find a way to allocate users a /128 ... There is, further, an effect which leads to equipment mfr being split into netwk equipment mfr and cpe equipment mfr, because the CPE guys will be trying to build things that'll work for the end user, working around any brokenness, etc. The problem space is essentially polarized, between network operators who have their own interests, and users who have theirs. So, as /engineers/ for the network operators, the question is, what can we do to encourage/coerce/force the businesses on our side of the equation to allocate larger rather than smaller numbers of bits, or find other solutions? What could we do to encourage, or better yet, mandate, that an ISP end- user connection should be allocated a minimum of /56, even if it happens to be a cellular service? ( :-) ) What do we do about corporate environments, or any other environment where there may be pressure to control topology to avoid DHCP PD to devices added to the network on an ad-hoc basis? Is it actually an absolutely unquestionable state of affairs that the smallest autoconfigurable subnet is a /64? Because if not, there are options there ... but of course, that leads down a road where an ISP may not want to allocate as much as a /64 ... What parts of this can we tackle through RIR policy? RFC requirements? Best practice? Customer education? ( :-) ) Other ideas? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: v6 subnet size for DSL leased line customers
In a message written on Tue, Dec 25, 2007 at 12:43:45AM -0500, Kevin Loch wrote: RA is a shotgun. All hosts on a segment get the same gateway. I have no idea what a host on multiple segments with different gateways would do. Hosting environments can get complex thanks to customer I would like to point out that in IPv4 we have ICMP Router Advertisement messages. I have never seen them used on a production network. I know one of the worries is security, that a compromised host could send out advertisements, drawing traffic to it that it can then snoop and pass on to the real gateway. Having not looked in great detail, I am unclear if IPv6 has done something to fix this concern or not. Is this feature going to get turned off when the first worm comes along that spoofs RA's -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org pgpkunR03iHNX.pgp Description: PGP signature
Re: v6 subnet size for DSL leased line customers
* Leo Bicknell: In a message written on Tue, Dec 25, 2007 at 12:43:45AM -0500, Kevin Loch wrote: RA is a shotgun. All hosts on a segment get the same gateway. I have no idea what a host on multiple segments with different gateways would do. Hosting environments can get complex thanks to customer I would like to point out that in IPv4 we have ICMP Router Advertisement messages. I have never seen them used on a production network. I know one of the worries is security, that a compromised host could send out advertisements, drawing traffic to it that it can then snoop and pass on to the real gateway. DHCP and ARP face the same issue. That's why one host per subnet is so appealing.
Re: v6 subnet size for DSL leased line customers
* Tim Durack: Probably why some vendors support dhcp snooping and private vlans for IPv4 - multiple clients per subnet with isolation. The isolation is far from perfect because you don't know from which host the packet actually came. 8-(
Re: v6 subnet size for DSL leased line customers
On Dec 26, 2007, at 8:26 AM, Leo Bicknell wrote: In a message written on Tue, Dec 25, 2007 at 12:43:45AM -0500, Kevin Loch wrote: RA is a shotgun. All hosts on a segment get the same gateway. I have no idea what a host on multiple segments with different gateways would do. Hosting environments can get complex thanks to customer I would like to point out that in IPv4 we have ICMP Router Advertisement messages. I have never seen them used on a production network. I know one of the worries is security, that a compromised host could send out advertisements, drawing traffic to it that it can then snoop and pass on to the real gateway. Having not looked in great detail, I am unclear if IPv6 has done something to fix this concern or not. Is this feature going to get turned off when the first worm comes along that spoofs RA's It's unlikely that it will matter. In practice, ICMP router discovery died a long time ago, thanks to neglect. Host vendors didn't adopt it, and it languished. The problem eventually got solved with HSRP and its clone, VRRP. This doesn't resolve the real underlying problem: Ethernet is inherently insecure. MAC addresses can be forged, protocols (ARP, ND) can be forged and at this point, there's not much that we can do about it. Architecturally, we need authentication over each and every control plane packet sent. Getting there without invoking the full complexity of a public key infrastructure is still an unsolved problem, AFAIK. Tony
Re: v6 subnet size for DSL leased line customers
On 26 dec 2007, at 19:22, Tony Li wrote: This doesn't resolve the real underlying problem: Ethernet is inherently insecure. MAC addresses can be forged, protocols (ARP, ND) can be forged and at this point, there's not much that we can do about it. Architecturally, we need authentication over each and every control plane packet sent. Getting there without invoking the full complexity of a public key infrastructure is still an unsolved problem, AFAIK. Actually, for this particular purpose, this is mostly a solved problem, although there is of course no free lunch. Many switches can enforce a MAC/port relationship, so that MAC addresses can't be spoofed. Neighbor discovery and router advertisements can be secured with SEND (SEcure Neighbor Discovery). This happens through CGAs, cryptograpically generated addresses. Basically, the lower 64 bits of the IPv6 address contains a hash over a public key. This makes it possible to prove ownership over an address. The not free part is that you need to configure certificates for trust relationships = the routers that may be default gateways.
Re: v6 subnet size for DSL leased line customers
Tony Li wrote: On Dec 26, 2007, at 8:26 AM, Leo Bicknell wrote: It's unlikely that it will matter. In practice, ICMP router discovery died a long time ago, thanks to neglect. Host vendors didn't adopt it, and it languished. The problem eventually got solved with HSRP and its clone, VRRP. Its been available from microsoft since windows2000, and according to documentation, on by default. I am not quite sure this can be blamed on vendors as opposed to users. http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/33574.mspx?mfr=true
Re: v6 subnet size for DSL leased line customers
In a message written on Wed, Dec 26, 2007 at 09:19:54PM +0100, Iljitsch van Beijnum wrote: Many switches can enforce a MAC/port relationship, so that MAC addresses can't be spoofed. Which gets to the crux of my question. If you're a shop that uses such features today (MAC/Port tracking, DHCP snooping, etc) to secure your IPv4 infrastructure does IPv6 RA's represent a step backwards from a security perspective? Would IPv6 deployment be hindered until there is DHCPv6 snooping and DHCPv6 is able to provide a default gateway, a-la how it is done today in IPv4? It would be very interesting to me if the answer was it's moot because we're going to move to CGA's as a step forward; it would be equally interesting if the answer is CGA isn't ready for prime time / we can't deploy it for xyz reason, so IPv6 is less secure than IPv4 today and that's a problem. -- Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - [EMAIL PROTECTED], www.tmbg.org pgpFRvP23uRdF.pgp Description: PGP signature
Re: v6 subnet size for DSL leased line customers
vendors, like everyone else, will do what is in their best interests. as i am an operator, not a vendor, that is often not what is in my best interest, marketing literature aside. i believe it benefits the ops community to be honest when the two do not seem to coincide. If the ops community doesn't provide enough addresses and a way to use them then the vendors will do the same thing they did in v4. i presume you mean nat v6/v6. this would be a real mess and i don't think anyone is contending it is desirable. but this discussion is ostensibly operators trying to understand what is actually appropriate and useful for a class of customers, i believe those of the consumer, soho, and similar scale. to summarize the positions i think i have heard o one /64 subnet per device, but the proponent gave no estimate of the number of devices o /48 o /56 o /64 the latter three all assuming that the allocation would be different if the site had actual need and justification. personally, i do not see an end site needing more than 256 subnets *by default*, though i can certainly believe a small minority of them need more and would use the escape clause. so, if we, for the moment, stick to the one /64 per subnet religion, than a /56 seems sufficient for the default allocation. personally, i have a hard time thinking that any but a teensie minority, who can use the escape clause, need more than 256. hence, i just don't buy the /48 position. personally, i agree that one subnet is likely to be insufficient in a large proportion of cases. so keeping to the /64 per subnet religion, a /64 per site is insufficient for the default. still personally, i think the one /64 subnet per device is analogous to one receptacle per mains breaker, i.e. not sensible. there are three legs to the tripod network operator user equipment manufacturer They have (or should have) a mutual interest in: Transparent and automatic configuration of devices. as you have seen from chris's excellent post [0] on this one, one size does not fit all. this is likely another worthwhile, but separate, discussion. The assignment of globally routable addresses to internet connected devices i suspect that there are folk out there who equate nat with security. i suspect we both think them misguided. The user having some control over what crosses the boundry between their network and the operators. yup randy --- [0] - http://www.merit.edu/mail.archives/nanog/msg04887.html