[96873] in North American Network Operators' Group
Re: NANOG 40 agenda posted
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Tue May 29 08:08:16 2007
In-Reply-To: <20070529114122.GH16527@skywalker.creative.net.au>
Cc: michael.dillon@bt.com, nanog@nanog.org
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Tue, 29 May 2007 14:06:54 +0200
To: Adrian Chadd <adrian@creative.net.au>
Errors-To: owner-nanog@merit.edu
On 29-mei-2007, at 13:41, Adrian Chadd wrote:
> * So is DHCPv6 the "way to go" for deploying IPv6 range(s) to end-customers?
> Considering the current models of L2TP over IP for broadband aggregation
> and wholesaling where the customer device speaks PPPoX.
IP6CP in PPP doesn't have the capability to negotiate actual IPv6
addresses, like IPCP can for IPv4. Also, giving out individual
addresses isn't likely to be a useful model in IPv6 where the
abundance of address space and the lack of NAT make giving out at
least one subnet to a user a more natural model.
With IPv4, DHCP gives out an address to a host, accompanied by a
default gateway address and additional information such as DNS
resolvers. IPv6 DHCP (DHCPv6) is capable of giving out addresses, but
this isn't universally implemented because IPv6 hosts traditionally
get their addresses from stateless autoconfig. DHCPv6 can't provide a
default gateway; you need stateless autoconfig for that even if you
use DHCPv6 for address assignment.
And there is the extra info, but DNS resolvers may be available in
stateless autoconfig in the future as well.
However, DHCPv6 also has a different mode of operation: prefix
delegation. This does what the name implies. What you can do today
with a Cisco router is request a prefix from a DHCPv6 server, and
then, on a different interface, send out router advertisements using
a subprefix from the DHCPv6 one so that hosts will receive addresses
in that prefix using stateless autoconfig. When the DHCPv6 server
gives out a new prefix, the router and all the hosts are
automatically renumbered without much impact, if any.
This is probably the way we want to do IPv6 address provisioning for
end-users in the future, but that requires that home gateways that
implement IPv6 routing functionality come with the DHCPv6 prefix
delegation client capability and have this configured by default so
it all works out of the box.
> * Has anyone sat down and thought about the security implications for running
> native IPv6 addresses on end-devices which, at the moment, don't have 'direct'
> access to the internet (ie sitting behind a NAT.)
Sure:
http://arstechnica.com/articles/paedia/ipv6-firewall-mixed-blessing.ars
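
The prefix delegation flow described in the message above (delegated prefix, LAN subprefix, host addresses from stateless autoconfig, renumbering on a new delegation), as an added example that is not part of the original message. The function names, the documentation prefixes, the MAC address and the use of modified EUI-64 interface identifiers are assumptions made for illustration.

```python
import ipaddress

def subprefix(delegated, subnet_id, new_len=64):
    """Return the subnet_id-th /new_len inside a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if new_len < net.prefixlen:
        raise ValueError("subprefix is shorter than the delegation")
    if not 0 <= subnet_id < (1 << (new_len - net.prefixlen)):
        raise ValueError("subnet id does not fit in the delegation")
    base = int(net.network_address) + (subnet_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))

def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix64, mac):
    """Address a host forms from an advertised /64 (assumes EUI-64)."""
    if prefix64.prefixlen != 64:
        raise ValueError("stateless autoconfig needs a /64")
    host_bits = eui64_interface_id(mac)
    return ipaddress.IPv6Address(int(prefix64.network_address) | host_bits)

def renumber(delegated, subnet_id, macs):
    """Host addresses on one LAN for a given delegation."""
    lan = subprefix(delegated, subnet_id)
    return {mac: slaac_address(lan, mac) for mac in macs}

if __name__ == "__main__":
    hosts = ["00:11:22:33:44:55"]        # constructed sample MAC
    old = "2001:db8:1200::/48"           # constructed delegation
    new = "2001:db8:3400::/56"           # constructed replacement
    for delegation in (old, new):
        print(delegation, subprefix(delegation, 1))
        for mac, addr in renumber(delegation, 1, hosts).items():
            # Only the prefix changes on renumbering; the interface
            # identifier stays the same, so filters keyed on the old
            # prefix stop matching while the host remains recognizable.
            print("  ", mac, "->", addr)
```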