[183566] in North American Network Operators' Group
RE: IPv6 Subscriber Access Deployments
daemon@ATHENA.MIT.EDU (Josh Moore)
Tue Sep 8 20:19:36 2015
X-Original-To: nanog@nanog.org
From: Josh Moore <jmoore@atcnetworks.net>
To: "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu>
Date: Tue, 8 Sep 2015 20:03:57 +0000
In-Reply-To: <26760.1441742090@turing-police.cc.vt.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
That makes sense now, understanding how CPE equipment has evolved into segmenting layer 2 services like that. /48 it is.
Most GPON networks are composed of large layer 2 rings. No way to break that up without adding additional equipment, and that can get costly. With IPv4 we got around the need to configure discrete VLANs/subnets by putting all customers in the same VLAN and turning on the DHCP snooping/source-guard features. My remaining question is why isn't this desired with IPv6? What security concerns are there with turning up SLAAC / DHCPv6 within the same /64 for everyone that are different from IPv4?
Joshua Moore
Network Engineer
ATC Broadband
912.632.3161 - O | 912.218.3720 - M
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Tuesday, September 08, 2015 3:55 PM
To: Josh Moore
Cc: Owen DeLong; nanog@nanog.org
Subject: Re: IPv6 Subscriber Access Deployments
On Tue, 08 Sep 2015 19:40:44 -0000, Josh Moore said:
> The question becomes manageability. Unique VLAN per customer is not
> always scalable. For example, only ~4000 VLAN tags. What happens when
> you have more than that many customers?
If you're hanging 4K customers off the same switch, you probably have bigger issues than running out of VLAN tags...
> We are talking very, very, small customers here. SOHO to say the most.
> /64 should be more than sufficient for their CPE router.
A Linksys WNDR3800 running CeroWRT (and probably OpenWRT by now) will prefer to create multiple /64's - one for the 4 wired ports, one for private access on the 2.4G radio, one for guest access on the 2.4, and another private/guest pair on the 5G radio. So there is CPE gear out there now that can blow through 5 /64s by default, and more if you enable VLANs.
A /56 allocated via DHCPv6-PD would be a *minimum*. And prefixes are cheap, so you may as well hand them a /48, just in case they have a second WNDR3800 at the other end of the building for coverage - because that one will then ask the upstream one for a -PD allocation. So if you give the CPE a /48, it can keep a /56 for itself, and hand the downstream a /56, and they can each allocate /64s as needed.
And remember - prefixes are cheap and plentiful, so don't bother with /52 or /60, just split on 8-bit boundaries to make life easier for yourself...