[183596] in North American Network Operators' Group


Re: IPv6 Subscriber Access Deployments

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Sep 9 13:28:54 2015

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CBD23973-D829-42AD-9001-21ADAE1A594C@atcnetworks.net>
Date: Wed, 9 Sep 2015 10:23:17 -0700
To: Josh Moore <jmoore@atcnetworks.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

The ACLs/Security policy can actually be fairly generic or automated, so I don’t see that as an issue.

The DHCP forwarder configuration is usually global, so the helper address statement demonstrates your lack of IPv6 understanding.

The /64 is pretty much nothing, but yeah, so what?

Owen

> On Sep 9, 2015, at 10:16 , Josh Moore <jmoore@atcnetworks.net> wrote:
>
> It's not just the tag though... You have the /64 that has to be provisioned, the helper addresses for DHCP, ACLs/security policy, etc.
>
> Thanks,
>
> Joshua Moore
> Network Engineer
> ATC Broadband
> 912.632.3161
>
>> On Sep 9, 2015, at 1:14 PM, Owen DeLong <owen@delong.com> wrote:
>>
>> VLAN tags aren’t global and 4096 is only a limitation on ethernet.
>>
>> VPI/VCI is many more.
>>
>> Yes, if you need more than 4096 customers on a single switch, you’ve got an issue, but there are many potential issues in that scenario beyond VLAN tagging (like customers choosing not to use routers and filling up your MAC tables).
>>
>> Owen
>>
>>> On Sep 8, 2015, at 12:40 , Josh Moore <jmoore@atcnetworks.net> wrote:
>>>
>>> The question becomes manageability. Unique VLAN per customer is not always scalable. For example, only ~4000 VLAN tags. What happens when you have more than that many customers? Also, provisioning. Who is going to provision thousands of unique prefixes and VLANs, trunk them through relevant equipment and ensure they are secured as well?
>>>
>>> We are talking very, very, small customers here. SOHO to say the most. /64 should be more than sufficient for their CPE router.
>>>
>>> Joshua Moore
>>> Network Engineer
>>> ATC Broadband
>>> 912.632.3161 - O | 912.218.3720 - M
>>>
>>> -----Original Message-----
>>> From: Owen DeLong [mailto:owen@delong.com]
>>> Sent: Tuesday, September 08, 2015 3:31 PM
>>> To: Josh Moore
>>> Cc: Valdis.Kletnieks@vt.edu; nanog@nanog.org
>>> Subject: Re: IPv6 Subscriber Access Deployments
>>>
>>> Short answer to that is “DHCPv6-PD”
>>>
>>> Longer answer:
>>>
>>> Customer’s router should get an address on the external interface through one of SLAAC, DHCP-PD, Static Assignment, depending on how the ISP prefers to do this.
>>>
>>> If the ISP’s equipment supports IPv6 on shared VLANs with DHCP snooping and other security, you can implement it with a single /64 giving each router a unique address within that segment, but it’s not really ideal. This was mainly done in IPv4 to conserve addresses. Separate point to point VLANs are a cleaner solution and since there are enough addresses in IPv6 to do this, that is how most providers implement. I prefer using /64s (or at least assigning /64s) to these VLANs, but there are those who argue for /127, some equipment is broken and requires a /126, and yet others argue for other nonsensical prefixes.
>>>
>>> Once the router has an external address communicating point to point with the ISP router, it should then send a DHCPv6-PD request asking for a prefix that it can manage. The ISP’s DHCP server should then send back a /48 (or if you want to be silly, a /56 or a /60, and if you want to be insane, a /64).
>>>
>>> The reality is that if you send a smaller prefix back, you risk having difficulty with your future ARIN applications as your Provider Allocation Unit is based on the smallest prefix you delegate to end-users. So if you, for example, assign /48 to business customers and /60 to residential customers, you’re going to have to justify why each of your business customers needed 4096 /60s when you claim that you need more IPv6 space.
>>>
>>> OTOH, if you simply issue /48s to everyone, you can just go back and say “Each end site got a /48 and there are N end-sites” and you’re good, no questions asked about the size of any of those end-sites.
>>>
>>> Owen
>>>
>>>> On Sep 8, 2015, at 12:12 , Josh Moore <jmoore@atcnetworks.net> wrote:
>>>>
>>>> We are talking a purely bridged environment. However, I have been wondering how in the world end-to-end IPv6 connectivity is supposed to work if a customer hooks up their own router. That is one of the points of IPv6...
>>>>
>>>> Joshua Moore
>>>> Network Engineer
>>>> ATC Broadband
>>>> 912.632.3161 - O | 912.218.3720 - M
>>>>
>>>> -----Original Message-----
>>>> From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
>>>> Sent: Tuesday, September 08, 2015 3:08 PM
>>>> To: Josh Moore
>>>> Cc: nanog@nanog.org
>>>> Subject: Re: IPv6 Subscriber Access Deployments
>>>>
>>>> On Tue, 08 Sep 2015 19:04:06 -0000, Josh Moore said:
>>>>> I'm reading that the recommended method for assigning IPv6 addresses to end-users is to do this via a dedicated VLAN and /64.
>>>>
>>>> Important question - are you talking about the IPv6 address supplied to the CPE router itself, or a /48 or /56 delegated to the CPE router to allocate to subnets and devices behind it?
>>>
>>

