[ale] IPv6 Subnetting
David Tomaschik
david at systemoverlord.com
Tue Feb 15 00:59:36 EST 2011
Hrrm... yeah, I suppose DHCP6 would be the approach to use. Of
course, do devices that have not been manually configured try DHCP6
and fall back to stateless autoconfigure? I guess some testing would
be in order.
As far as the routing/firewall goes: I currently use an Asus RT-N16 with
DD-WRT to perform IPv4 NAT, 6rd IPv6 SIT/radvd, firewall, etc. In the
past I've used a WRT54GL to create the 3 IPv4 networks
(192.168.0.0/24, 192.168.1.0/24, and 10.100.100.0/24 for my lab).
Compared to the IPv6 subnetting, the routing & firewall should be
easy, especially since it's "little" routing. (My term for anything
where all the routes are static, no peering, etc.)
David
On Tue, Feb 15, 2011 at 12:16 AM, Michael B. Trausch <mike at trausch.us> wrote:
> On Mon, 2011-02-14 at 21:28 -0500, David Tomaschik wrote:
>> I'm no networking expert, so I hope I'm missing something here.
>>
>> According to RFC 4291, all interface IDs for unicast addresses will be
>> 64 bits in length. It's also widely believed that most residential
>> ISPs will hand out a /64 on a per-client basis. Because IPv6 does not
>> have the concept of NAT, it seems that this forces all of the
>> computers on that connection to be on a single subnet.
>
> More or less. Though it isn't exactly as black-and-white as all that.
> There are options (albeit non-standard). It is (technically) possible to
> do things that are slightly more complicated, at the expense of not
> being able to use stateless autoconfiguration.
>
>> This is rather disappointing to me, as in the past I have run 3 NAT
>> subnets off a single NAT router/firewall. I've used one as my
>> "regular" LAN (workstations, one wifi SSID), a "guest" LAN (another
>> SSID with a different key for my guests) and a lab network (for
>> testing things I'd rather keep separate). It seems to me that under
>> IPv6 this addressing scheme will be impossible unless I can convince
>> my ISP to hand out a /56. (Or, I suppose, multiple /64s and have
>> multiple (virtual) interfaces on the router.)
>
> It is possible to subnet further than /64, at least as I understand it.
> So, let's say you've got a /64 prefix 2001:db8:49a1:39be::/64.
>
> Now, you want three subnetworks from that. You will need a router at
> your network's edge (a true router; not a NAT). And of course, if you
> desire firewalling, you'll want that at the edge of your network. The
> router is likely then to be connected to all three subnetworks, and to
> the Internet. (At least, that's how I would likely do it, unless you
> have a device like a WRT54G that will perform routing, but you'll need
> to configure that specially for that purpose).
>
> Now, then, you can subnet two ways: take a nybble for the subnetwork, or
> take a byte. If you have 3 subnets, and you don't think you'll ever go
> above 16 subnets, take a nibble. That means your prefix that you'll
> actually use will be one of sixteen different /68 subnetworks inside
> your /64. (For that matter, you can take just two bits, and have
> exactly three subnetworks. Up to you---but either way, you break
> stateless autoconf, so might as well do four or eight bits and move on.)
> If you take a nybble, then you will have the following subnetworks
> available to use:
>
> 2001:db8:49a1:39be:0000::/68 2001:db8:49a1:39be:8000::/68
> 2001:db8:49a1:39be:1000::/68 2001:db8:49a1:39be:9000::/68
> 2001:db8:49a1:39be:2000::/68 2001:db8:49a1:39be:a000::/68
> 2001:db8:49a1:39be:3000::/68 2001:db8:49a1:39be:b000::/68
> 2001:db8:49a1:39be:4000::/68 2001:db8:49a1:39be:c000::/68
> 2001:db8:49a1:39be:5000::/68 2001:db8:49a1:39be:d000::/68
> 2001:db8:49a1:39be:6000::/68 2001:db8:49a1:39be:e000::/68
> 2001:db8:49a1:39be:7000::/68 2001:db8:49a1:39be:f000::/68
>
> The three zeros you see in each address there are, of course, part of the
> host section, since each hex digit maps exactly to one nybble.
>
> If you use a /72 then you would have 256 subnetworks. Either way, you
> need to use static addresses, stateless algorithmic address generation
> (e.g., custom software to create shorter addresses in a stateless
> manner), or DHCPv6.
>
> Your nodes will still make their link-local addresses the same way. And
> as far as your ISP is concerned, you're using your /64. The details of
> your routing behind that /64 do not matter to them: your address space
> is perfectly opaque as far as they're concerned.
>
> You could actually, if you really wanted to, make subnetwork prefixes as
> long as /112 or /120 or /126 if you wanted really small networks. I
> mean, crap. You've got 64 bits of network space to carve up and do with
> what you wish. :-)
>
> Now, that said, here is a BIG DISCLAIMER: I have never *actually*
> performed this. I believe that Linux allows it; based on my
> understanding, any standards-compliant operating system should. YMMV.
>
> --- Mike
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
--
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
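The carving exercise Mike describes (sixteen /68s or 256 /72s inside one /64, and the fact that anything longer than /64 cannot be used with stateless autoconfiguration) can be checked with Python's standard `ipaddress` module. The script below is an added example and is not code from the thread; the network names `lan`, `guest` and `lab` and the sample host addresses are constructed to mirror the three networks David mentions.

```python
import ipaddress

# The documentation /64 from the thread. Every derived prefix below is computed from it.
PARENT = ipaddress.IPv6Network("2001:db8:49a1:39be::/64")


def carve(parent, new_prefix):
    """Split `parent` into equal-size subnets of length `new_prefix`.

    A /64 split into /68s yields 2**4 == 16 networks (one hex nybble of subnet id);
    split into /72s it yields 2**8 == 256 (one byte).
    """
    if new_prefix < parent.prefixlen:
        raise ValueError("new prefix must be at least as long as the parent prefix")
    return list(parent.subnets(new_prefix=new_prefix))


def slaac_capable(net):
    """RFC 4291 fixes the unicast interface identifier at 64 bits, and SLAAC (RFC 4862)
    builds the address from a 64-bit prefix, so only an exactly-/64 prefix supports it.
    Any longer prefix needs static addressing or DHCPv6, as the thread notes."""
    return net.prefixlen == 64


def host_bits(net):
    """Bits left for hosts inside `net` (128 minus the prefix length)."""
    return 128 - net.prefixlen


def plan(parent, new_prefix, names):
    """Assign the first len(names) subnets of the split to the given network names.

    Returns a dict name -> prefix string, e.g. {'lan': '2001:db8:49a1:39be::/68', ...}.
    """
    subs = carve(parent, new_prefix)
    if len(names) > len(subs):
        raise ValueError("not enough subnets for the requested names")
    return {name: str(subs[i]) for i, name in enumerate(names)}


def classify(address, addressing_plan):
    """Return the name of the network an address belongs to, or None.

    This is the lookup a per-network firewall policy needs: a host in the 'lab'
    /68 should be matched by the lab rules, not the workstation LAN rules.
    """
    addr = ipaddress.IPv6Address(address)
    for name, prefix in addressing_plan.items():
        if addr in ipaddress.IPv6Network(prefix):
            return name
    return None


if __name__ == "__main__":
    # Constructed names for the three networks in the thread (regular LAN, guest, lab).
    nets = plan(PARENT, 68, ["lan", "guest", "lab"])
    for name, prefix in nets.items():
        net = ipaddress.IPv6Network(prefix)
        print(f"{name:6} {prefix:32} host bits={host_bits(net)} slaac={slaac_capable(net)}")
    print("all 16 /68s:", [str(n) for n in carve(PARENT, 68)])
    print("/72 count:", len(carve(PARENT, 72)))
    # Constructed sample host: second /68 is 'guest', so this address lands there.
    print("2001:db8:49a1:39be:1000::1 is in", classify("2001:db8:49a1:39be:1000::1", nets))
```

Running it prints the same sixteen /68 prefixes Mike listed (the first as `2001:db8:49a1:39be::/68`, since `ipaddress` compresses the all-zero groups), reports 60 host bits per /68, and flags every /68 as not SLAAC-capable while the parent /64 is.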