Re: Choice of address for IPv6 default gateway
On Wed, 25 Jan 2012, Daniel STICKNEY wrote: I'm having trouble finding authoritative sources on the best common practice (if there even is one) for the choice of address for an IPv6 default gateway in a production server environment (not desktops). For example in IPv4 it is common to chose the first or last address in the subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm interested in input from production environments and or ARIN/RIPE/IANA/etc or top vendors. I've seen some documentation using prefix::1 with either a global prefix or link-local (fe80::1). Anyone use either of these in production and have negative or positive feedback? fe80::1 is seductive because it is short and the idea of having the same default gateway configured everywhere might be simple. At the same time using the same address all around the network seems to invite confusion or problems if two interfaces with the address ever ended up in the same broadcast domain. Up to your taste. Most cases it is recommended to use link-local default gateway. If you use the same address - even link local - your node should complain about the duplicate address on the same link. You can rely on the autoconfigured link-local address for default gateways (and use RA). What about using RAs to install the default route on the servers? The 'priority' option (high/medium/low) easy fits with an architecture using an active/standby router setup where the active router is configured with the 'high' priority and the standby 'medium'. With the timeout values tuned for relatively rapid (~3 seconds) failover this might be feasible. Anyone use this in production? Yes we are using NUD (and using RA to install default gateway) to switch from primary rotuer to secondary - due to no VRRP support on a particular platform. But in case of RA usage you should also use RA-guard especially if you don't have full control on servers connected to your switches. I note that VRRPv3 (and keepalived) and HSRP both support IPv6. Since we use VRRP for IPv4, using it for IPv6 would keep our architecture the same, which has merit too. If you want consistent and more predictable behavoir use VRRP or maybe HSRP if your vendor supports it. Best Regards, Janos Mohacsi
Re: Choice of address for IPv6 default gateway
Hi On 1/25/12 23:53 , Owen DeLong wrote: [...] Note, you can use RA for default gateway while still using static addressing. Could you give me a little bit more on this? It seems to me that most platforms stop listening to RAs once you give them a static address. Letting a host run slaac and then add a static address is not good enough as the slaac address might be chosen for locally generated packets. If it works with listening on RAs when running with statically configured address, why HSRP/VRRP? [...] Owen /Tias
Re: Choice of address for IPv6 default gateway
Thanks everyone for your input! I now have a more complete perspective on the pros and cons of the options available. -Daniel Le 26/01/2012 09:18, Mohacsi Janos a écrit : On Wed, 25 Jan 2012, Daniel STICKNEY wrote: I'm having trouble finding authoritative sources on the best common practice (if there even is one) for the choice of address for an IPv6 default gateway in a production server environment (not desktops). For example in IPv4 it is common to chose the first or last address in the subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm interested in input from production environments and or ARIN/RIPE/IANA/etc or top vendors. I've seen some documentation using prefix::1 with either a global prefix or link-local (fe80::1). Anyone use either of these in production and have negative or positive feedback? fe80::1 is seductive because it is short and the idea of having the same default gateway configured everywhere might be simple. At the same time using the same address all around the network seems to invite confusion or problems if two interfaces with the address ever ended up in the same broadcast domain. Up to your taste. Most cases it is recommended to use link-local default gateway. If you use the same address - even link local - your node should complain about the duplicate address on the same link. You can rely on the autoconfigured link-local address for default gateways (and use RA). What about using RAs to install the default route on the servers? The 'priority' option (high/medium/low) easy fits with an architecture using an active/standby router setup where the active router is configured with the 'high' priority and the standby 'medium'. With the timeout values tuned for relatively rapid (~3 seconds) failover this might be feasible. Anyone use this in production? Yes we are using NUD (and using RA to install default gateway) to switch from primary rotuer to secondary - due to no VRRP support on a particular platform. But in case of RA usage you should also use RA-guard especially if you don't have full control on servers connected to your switches. I note that VRRPv3 (and keepalived) and HSRP both support IPv6. Since we use VRRP for IPv4, using it for IPv6 would keep our architecture the same, which has merit too. If you want consistent and more predictable behavoir use VRRP or maybe HSRP if your vendor supports it. Best Regards, Janos Mohacsi
Re: Choice of address for IPv6 default gateway
On Thu, 26 Jan 2012, Mathias Wolkert wrote: Hi On 1/25/12 23:53 , Owen DeLong wrote: [...] Note, you can use RA for default gateway while still using static addressing. Could you give me a little bit more on this? It seems to me that most platforms stop listening to RAs once you give them a static address. Static address + RA working on FreeBSD and Linux. Sorry we don't have other servers, where we are using statically configured IPv6 addresses. Letting a host run slaac and then add a static address is not good enough as the slaac address might be chosen for locally generated packets. Define for every application your bind address - locally generated packets will use it. If it is not possible Use RFC 3484 source address selection for selecting static source addresses. If it works with listening on RAs when running with statically configured address, why HSRP/VRRP? Statically configured default gateways worked for us with VRRP/HSRP. VRRP/HSRP is for first-hop redundancy. Best Regards, Janos Mohacsi
Re: Choice of address for IPv6 default gateway
On Thu, Jan 26, 2012 at 04:16, Mathias Wolkert t...@netnod.se wrote: Note, you can use RA for default gateway while still using static addressing. Could you give me a little bit more on this? Easy: have the RAs sent w/ a prefix information option included, but w/o the A bit being set. It seems to me that most platforms stop listening to RAs once you give them a static address. That is (IMHO) a broken implementation. A static address, or even a statically configured default gateway, should not prevent RAs from being processed. /TJ
Re: Choice of address for IPv6 default gateway
Letting a host run slaac and then add a static address is not good enough as the slaac address might be chosen for locally generated packets. Define for every application your bind address - locally generated packets will use it. If it is not possible Use RFC 3484 source address selection for selecting static source addresses. Actually, RFC 3484 would be the preferred mechanism over configuring every application. Application specific address binding should only be used for applications that need an exception to the host-wide source address selection choice. + Fewer surprises for your ops team + Lower probability of a mistake leading to incorrect source address selection + Reduced probability of configuration mistake time-bombs + Reduces the amount of configuration required for a host Owen
Re: Choice of address for IPv6 default gateway
I have sites using all of the above, and concur with Owen's comment regarding it being a personal preference issue. RA route learning simply works, and I (surprisingly) have not yet had problems where the high/med/low settings were not correctly honored (95% Cent/Deb environments, FWIW). FAIR WARNING: You should tune your advertisement interval, valid lifetime, etc. to values appropriate to your environment, as most router defaults I've worked with are quite high. The issue of using FE80::1 everywhere (as the virtual IP in your FHRP of choice) is operationally a wash, in terms of perceived complexity from the front lines. Do people give me quizzical expressions the first time they learn/use it? Absolutely. But a small amount of getting comfortable with def.gwy subnet =/= the intentionally provisioned subnet is outweighed by the ease of oh, it's the same everywhere now. FHRPs gaining the use of global prefixes seems to be coming along nicely across product lines, although not yet universally supported. ...and on the ?!? front, I'd just as soon use the VRRP virtual MAC + ID formula converted to EUI-64, but the RFC says you're not supposed to. :)
Re: Choice of address for IPv6 default gateway
In a message written on Wed, Jan 25, 2012 at 03:41:36PM +0100, Daniel STICKNEY wrote: I've seen some documentation using prefix::1 with either a global prefix or link-local (fe80::1). Anyone use either of these in production and have negative or positive feedback? fe80::1 is seductive because it is short and the idea of having the same default gateway configured everywhere might be simple. At the same time using the same address all around the network seems to invite confusion or problems if two interfaces with the address ever ended up in the same broadcast domain. I don't think the industry has really found a best practice to document yet. There are people trying different ideas. We find the following convention allows us to keep things organized: prefix::1 - Default gateway prefix::last octect IPv4 - Statically assigned servers. prefix:eui-64- Auto-configured host If you need them to co-exist, you can also do things like: prefix::10240-20480- DHCP Pool And if a host learns a default gateway via RA, it will show up as fe80::eui-64 in the routing table. A static server at 10.0.1.34 has an IPv6 address of prefix::34. It's visually very easy for an admin to see everything is configured correctly, and helps reduce confusion a lot when troubleshooting. We use .1 in IPv4 for a default gateway, so ::1 similarly reduces confusion. What about using RAs to install the default route on the servers? The 'priority' option (high/medium/low) easy fits with an architecture using an active/standby router setup where the active router is configured with the 'high' priority and the standby 'medium'. With the timeout values tuned for relatively rapid (~3 seconds) failover this might be feasible. Anyone use this in production? No. We avoid RA's where possible, because of the rogue RA problem. Rogue in this case usually means an admin fat fingering something or plugging into the wrong port, not an actual, but it quickly causes an outage. Unless you happen to have new enough switches that support RA Guard extreme care is warranted. (Note, we're also a server enviornment, not an end user one, and servers tend to end up statically configured (possibly via script) anyway for reasons that have nothing to do with IPv4 or IPv6.) That said, it can be used where redundancy is required, and your routers do not yet support the VRRP or HSRP protocols that support IPv6. Generally speaking across the board we find it makes a lot of sense to treat IPv6 as IPv4 with bigger addresses, and do things the same way as before. That's not to say we don't take advantage of /64's on LAN's, or RA's in some cases, but it reduces admin confusion where you can make things operate the same way. In a lot of cases, like a default gateway of ::1, or a BGP policy that looks the same config parity can be achieved and works out really well. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ pgpdVcjXE5U0A.pgp Description: PGP signature
Re: Choice of address for IPv6 default gateway
Hi Daniel, On Jan 25, 2012, at 8:41 AM, Daniel STICKNEY wrote: I'm having trouble finding authoritative sources on the best common practice (if there even is one) for the choice of address for an IPv6 default gateway in a production server environment (not desktops). For example in IPv4 it is common to chose the first or last address in the subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm interested in input from production environments and or ARIN/RIPE/IANA/etc or top vendors. Well, you're not going to find anything authoritative per se, but we are using fe80::1 with HSRP on every LAN with v6 enabled. More recent HSRP implementations also support prefix::1, but that doesn't seem to make any sense to me since link-local is where your gateway lives. What about using RAs to install the default route on the servers? The 'priority' option (high/medium/low) easy fits with an architecture using an active/standby router setup where the active router is configured with the 'high' priority and the standby 'medium'. With the timeout values tuned for relatively rapid (~3 seconds) failover this might be feasible. Anyone use this in production? Our servers are statically assigned with prefix::1000 and counting up, and fe80::1%int for the gateway. Some servers are doing an IP per service / customer. In some initial deployments I did, RA Priority did not seem to be observed. That was 8 or 9 years ago so maybe that has changed, but it was not comforting. We were more worried about unintentional rogue RA vs active/standby routers. Now that we have RA Guard deployed on 100,000 edge ports, that doesn't really matter anymore. Dale
Re: Choice of address for IPv6 default gateway
On Wed, Jan 25, 2012 at 10:06 AM, Leo Bicknell bickn...@ufp.org wrote: I don't think the industry has really found a best practice to document yet. There are people trying different ideas. We find the following convention allows us to keep things organized: prefix::1 - Default gateway prefix::last octect IPv4 - Statically assigned servers. prefix:eui-64 - Auto-configured host This is essentially what we do (except we use the hex value of the last octet, so .34 would be ::22, probably just the purist in me). If you have an environment where hosts will be statically configured, then you probably want to use a global default, if only to avoid confusion from users or poorly written software that expects the default to be in the same prefix as the address. If people understand their prefix is 2001:DB8::/64, and the gateway is 2001:DB8::1 it raises a lot less questions than your prefix is 2001:DB8::/64 but your default router is FE80 -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/
Re: Choice of address for IPv6 default gateway
On Jan 25, 2012, at 6:41 AM, Daniel STICKNEY wrote: I'm having trouble finding authoritative sources on the best common practice (if there even is one) for the choice of address for an IPv6 default gateway in a production server environment (not desktops). For example in IPv4 it is common to chose the first or last address in the subnet (.1 or .254 for example) as the VIP for VRRP/HSRP. I'm interested in input from production environments and or ARIN/RIPE/IANA/etc or top vendors. It's mostly a matter of personal preference. If you want to just use RAs (which is a perfectly fine alternative in most server environments if you're not especially paranoid), then that will automatically use the link local address of the router as next-hop. If you want to go with something configured via static configuration (note, you CANNOT currently provide default gateway information in DHCPv6), then ::1 or ::something:1 or whatever is a perfectly viable alternative, so long as your ops folks can all agree on using pretty much the same thing on every subnet. Using different default gateways on different subnets is perfectly functional, but, leads to human factors complications that tend to outweigh any perceived benefit to doing so. I've seen some documentation using prefix::1 with either a global prefix or link-local (fe80::1). Anyone use either of these in production and have negative or positive feedback? fe80::1 is seductive because it is short and the idea of having the same default gateway configured everywhere might be simple. At the same time using the same address all around the network seems to invite confusion or problems if two interfaces with the address ever ended up in the same broadcast domain. I don't recommend fe80::1 because not all platforms support configuration of link local addresses vs. using the IID based address or in addition to the IID based address. Also, HSRP/VRRP comes with overhead which you can avoid by using RA. Note, you can use RA for default gateway while still using static addressing. What about using RAs to install the default route on the servers? The 'priority' option (high/medium/low) easy fits with an architecture using an active/standby router setup where the active router is configured with the 'high' priority and the standby 'medium'. With the timeout values tuned for relatively rapid (~3 seconds) failover this might be feasible. Anyone use this in production? Yes, many people use RA in production. The timeout is, I believe, usually more on the order of 1,000 ms or less. I note that VRRPv3 (and keepalived) and HSRP both support IPv6. Since we use VRRP for IPv4, using it for IPv6 would keep our architecture the same, which has merit too. Support for VRRP IPv6 varies from vendor to vendor and while you might keep the same architecture, there are likely differences in the vendor- specific behaviors and/or bugs for their IPv6 VRRP implementations. RA being a much simpler protocol is somewhat less likely to get screwed up in the implementation process by the vendors. It's also the part of the code that gets exercised by more of their IPv6 using customers at this point. Owen
Re: Choice of address for IPv6 default gateway
On Jan 25, 2012, at 7:06 AM, Leo Bicknell wrote: In a message written on Wed, Jan 25, 2012 at 03:41:36PM +0100, Daniel STICKNEY wrote: I've seen some documentation using prefix::1 with either a global prefix or link-local (fe80::1). Anyone use either of these in production and have negative or positive feedback? fe80::1 is seductive because it is short and the idea of having the same default gateway configured everywhere might be simple. At the same time using the same address all around the network seems to invite confusion or problems if two interfaces with the address ever ended up in the same broadcast domain. I don't think the industry has really found a best practice to document yet. There are people trying different ideas. We find the following convention allows us to keep things organized: prefix::1 - Default gateway prefix::last octect IPv4 - Statically assigned servers. prefix:eui-64- Auto-configured host If you need them to co-exist, you can also do things like: prefix::10240-20480- DHCP Pool I'll note that 10240-20480 are not valid IPv6 suffixes and that you would need to represent that as prefix::2800-5000 and would probably be better off to use something more like prefix::8:* as your DHCP pool. Owen
Re: Choice of address for IPv6 default gateway
On Jan 25, 2012, at 8:40 AM, Ray Soucy wrote: On Wed, Jan 25, 2012 at 10:06 AM, Leo Bicknell bickn...@ufp.org wrote: I don't think the industry has really found a best practice to document yet. There are people trying different ideas. We find the following convention allows us to keep things organized: prefix::1 - Default gateway prefix::last octect IPv4 - Statically assigned servers. prefix:eui-64- Auto-configured host This is essentially what we do (except we use the hex value of the last octet, so .34 would be ::22, probably just the purist in me). Having done both hex-conversion and BCD (in fact I mention both possibilities in the IPv6 courses that I teach), I have to say that the purist loses to the pragmatist in my mind and BCD makes much more sense. You can, actually, safely BCD up to the last three IPv4 octets in an IPv6 address without violating the 12-bits of zeroes rule to avoid EUI-64 collisions, so, for example, 10.1.2.3 could become prefix::1:2:3, or, 10.209.198.144 could be prefix::209:198:144. If you have an environment where hosts will be statically configured, then you probably want to use a global default, if only to avoid confusion from users or poorly written software that expects the default to be in the same prefix as the address. Well, any software should be able to handle a link-local default, but, otherwise, yes. If people understand their prefix is 2001:DB8::/64, and the gateway is 2001:DB8::1 it raises a lot less questions than your prefix is 2001:DB8::/64 but your default router is FE80 People will have to get used to the fe80 thing pretty quickly anyway, since that's what you get with RAs regardless. Owen
Re: Choice of address for IPv6 default gateway
In a message written on Wed, Jan 25, 2012 at 03:22:37PM -0800, Owen DeLong wrote: On Jan 25, 2012, at 7:06 AM, Leo Bicknell wrote: prefix::10240-20480- DHCP Pool I'll note that 10240-20480 are not valid IPv6 suffixes and that you would need to represent that as prefix::2800-5000 and would probably be better off to use something more like prefix::8:* as your DHCP pool. Yeah, I'm not sure why my brain put 0's on the end when typing. I intended to say prefix::1024-2048, but as you point out using prefix::1:1-n works just as well. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ pgpbPw48woTda.pgp Description: PGP signature
