[146943] in North American Network Operators' Group


Re: IPv6 prefixes longer then /64: are they possible in DOCSIS

daemon@ATHENA.MIT.EDU (Fred Baker)
Mon Nov 28 18:15:05 2011

From: Fred Baker <fred@cisco.com>
In-Reply-To: <CAF976C9.1B7412%john_brzozowski@cable.comcast.com>
Date: Mon, 28 Nov 2011 15:13:51 -0800
To: "Brzozowski, John" <John_Brzozowski@Cable.Comcast.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Basically, if the address used by a host is allocated using RFC
3971/4861/4941, the host assumes a /64 from the router and concocts a 64
bit EID as specified. If the address used by the host is allocated using
DHCP/DHCPv6, it is the 128 bit number assigned by the DHCP server. I see
no reason you couldn't use a /127 prefix if the link was point to point.

As you note, there is significant deployment of ND, and insignificant
deployment of DHCPv6. However, any network that is in control of all of
its hosts should be able to specify the use of DHCPv6.

On Nov 28, 2011, at 2:39 PM, Brzozowski, John wrote:

> I mentioned this in an earlier reply.  CM vs CPE vs CPE router are all
> different use cases.  From a CPE or CPE router point of view SLAAC will
> likely not be used to provision devices, stateful DHCPv6 is required.
> As such Vista/7 machines that are directly connected to cable modems will
> receive an IPv6 address and configuration options via stateful DHCPv6.
> The same now applies to OSX Lion.
>
>
> I do agree that many host implementations have been built around /64
> assumptions and departures from the same at this time will seemingly
> introduce more problems than benefits.
>
> John
>
> On 11/28/11 5:00 PM, "Steven Bellovin" <smb@cs.columbia.edu> wrote:
>
>>
>> On Nov 28, 2011, at 4:51 52PM, Owen DeLong wrote:
>>
>>>
>>> On Nov 28, 2011, at 7:29 AM, Ray Soucy wrote:
>>>
>>>> It's a good practice to reserve a 64-bit prefix for each network.
>>>> That's a good general rule.  For point to point or link networks you
>>>> can use something as small as a 126-bit prefix (we do).
>>>>
>>>
>>> Technically, absent buggy {firm,soft}ware, you can use a /127. There's
>>> no actual benefit to doing anything longer than a /64 unless you have
>>> buggy *ware (ping pong attacks only work against buggy *ware),
>>> and there can be some advantages to choosing addresses other than
>>> ::1 and ::2 in some cases. If you're letting outside packets target your
>>> point-to-point links, you have bigger problems than neighbor table
>>> attacks. If not, then the neighbor table attack is a bit of a
>>> red-herring.
>>>
>>
>> The context is DOCSIS, i.e., primarily residential cable modem users, and
>> the cable company ISPs do not want to spend time on customer care and
>> hand-holding.  How are most v6 machines configured by default?  That is,
>> what did Microsoft do for Windows Vista and Windows 7?  If they're set for
>> stateless autoconfig, I strongly suspect that most ISPs will want to stick
>> with that and hand out /64s to each network.  (That's apart from the
>> larger question of why they should want to do anything else...)
>>
>>
>> 		--Steve Bellovin, https://www.cs.columbia.edu/~smb
>>
>
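
Added example, not part of the original message or thread: a sketch of why an autoconfiguring host needs a /64 while a DHCPv6 or statically assigned address works under /126 or /127, and how the prefix length bounds the on-link addresses a router may be asked to resolve. It assumes the modified EUI-64 identifier from RFC 4291 Appendix A as the 64-bit identifier (the RFCs cited above define other ways to form it); the MAC address and the 2001:db8:: documentation prefixes are constructed sample values.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """64-bit modified EUI-64 interface identifier (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address an autoconfiguring host forms from an advertised prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        # The identifier is 64 bits wide, so it only fits under a /64.
        raise ValueError(f"{net}: autoconfiguration needs a /64")
    return net.network_address + eui64_interface_id(mac)

def link_summary(prefix: str, mac: str) -> dict:
    """Per-link view: can hosts autoconfigure, and how many on-link
    addresses could the router be asked to resolve into its neighbor table."""
    net = ipaddress.IPv6Network(prefix)
    try:
        auto = str(slaac_address(prefix, mac))
    except ValueError:
        auto = None  # addresses must come from DHCPv6 or static config
    return {"prefix": str(net), "on_link_addresses": net.num_addresses,
            "autoconfigured": auto}

if __name__ == "__main__":
    SAMPLE_MAC = "00:11:22:33:44:55"  # constructed sample value
    for p in ("2001:db8:0:1::/64", "2001:db8:0:2::/126", "2001:db8:0:2::/127"):
        print(link_summary(p, SAMPLE_MAC))
```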


