[ale] IPv6 Subnetting

Michael Trausch mike at trausch.us
Tue Feb 15 01:20:34 EST 2011


I haven't run into a Linux with DHCPv6 client software installed by default.
No clue if Windows has it. It just provides the option to try an automatic
address or statically assign one. I would hope it tries DHCPv6 if no router
advertisements are seen.

--
Sent from my phone... a G2 running CM7 nightlies!
On Feb 15, 2011 1:00 AM, "David Tomaschik" <david at systemoverlord.com> wrote:
> Hrrm... yeah, I suppose DHCP6 would be the approach to use. Of
> course, do devices that have not been manually configured try DHCP6
> and fall back to stateless autoconfigure? I guess some testing would
> be in order.
>
> As far as the routing/firewall goes: I currently use an Asus RT-N16 with
> DD-WRT to perform IPv4 NAT, 6rd IPv6 SIT/radvd, firewall, etc. In the
> past I've used a WRT54GL to create the 3 IPv4 networks
> (192.168.0.0/24, 192.168.1.0/24, and 10.100.100.0/24 for my lab).
> Compared to the IPv6 subnetting, the routing & firewall should be
> easy, especially since it's "little" routing. (My term for anything
> where all the routes are static, no peering, etc.)
>
> David
>
> On Tue, Feb 15, 2011 at 12:16 AM, Michael B. Trausch <mike at trausch.us> wrote:
>> On Mon, 2011-02-14 at 21:28 -0500, David Tomaschik wrote:
>>> I'm no networking expert, so I hope I'm missing something here.
>>>
>>> According to RFC 4291, all interface IDs for unicast addresses will be
>>> 64 bits in length.  It's also widely believed that most residential
>>> ISPs will hand out a /64 on a per-client basis.  Because IPv6 does not
>>> have the concept of NAT, it seems that this forces all of the
>>> computers on that connection to be on a single subnet.
>>
>> More or less.  Though it isn't exactly as black-and-white as all that.
>> There are options (albeit non-standard). It is (technically) possible to
>> do things that are slightly more complicated, at the expense of not
>> being able to use stateless autoconfiguration.
>>
>>> This is rather disappointing to me, as in the past I have run 3 NAT
>>> subnets off a single NAT router/firewall.  I've used one as my
>>> "regular" LAN (workstations, one wifi SSID), a "guest" LAN (another
>>> SSID with a different key for my guests) and a lab network (for
>>> testing things I'd rather keep separate).  It seems to me that under
>>> IPv6 this addressing scheme will be impossible unless I can convince
>>> my ISP to hand out a /56.  (Or, I suppose, multiple /64s and have
>>> multiple (virtual) interfaces on the router.)
>>
>> It is possible to subnet further than /64, at least as I understand it.
>> So, let's say you've got a /64 prefix 2001:db8:49a1:39be::/64.
>>
>> Now, you want three subnetworks from that.  You will need a router at
>> your network's edge (a true router; not a NAT).  And of course, if you
>> desire firewalling, you'll want that at the edge of your network.  The
>> router is likely then to be connected to all three subnetworks, and to
>> the Internet.  (At least, that's how I would likely do it, unless you
>> have a device like a WRT54G that will perform routing, but you'll need
>> to configure that specially for that purpose).
>>
>> Now, then, you can subnet two ways: take a nybble for the subnetwork, or
>> take a byte.  If you have 3 subnets, and you don't think you'll ever go
>> above 16 subnets, take a nibble.  That means your prefix that you'll
>> actually use will be one of sixteen different /68 subnetworks inside
>> your /64.  (For that matter, you can take just two bits, and have
>> exactly three subnetworks.  Up to you---but either way, you break
>> stateless autoconf, so might as well do four or eight bits and move on.)
>> If you take a nybble, then you will have the following subnetworks
>> available to use:
>>
>>    2001:db8:49a1:39be:0000::/68    2001:db8:49a1:39be:8000::/68
>>    2001:db8:49a1:39be:1000::/68    2001:db8:49a1:39be:9000::/68
>>    2001:db8:49a1:39be:2000::/68    2001:db8:49a1:39be:a000::/68
>>    2001:db8:49a1:39be:3000::/68    2001:db8:49a1:39be:b000::/68
>>    2001:db8:49a1:39be:4000::/68    2001:db8:49a1:39be:c000::/68
>>    2001:db8:49a1:39be:5000::/68    2001:db8:49a1:39be:d000::/68
>>    2001:db8:49a1:39be:6000::/68    2001:db8:49a1:39be:e000::/68
>>    2001:db8:49a1:39be:7000::/68    2001:db8:49a1:39be:f000::/68
>>
>> The three zeros you see in each address there are, of course, part of the
>> host section, since each hex digit maps exactly to one nybble.
>>
>> If you use a /72 then you would have 256 subnetworks.  Either way, you
>> need to use static addresses, stateless algorithmic address generation
>> (e.g., custom software to create shorter addresses in a stateless
>> manner), or DHCPv6.
>>
>> Your nodes will still make their link-local addresses the same way.  And
>> as far as your ISP is concerned, you're using your /64.  The details of
>> your routing behind that /64 do not matter to them: your address space
>> is perfectly opaque as far as they're concerned.
>>
>> You could actually, if you really wanted to, make subnetwork prefixes as
>> long as /112 or /120 or /126 if you wanted really small networks.  I
>> mean, crap.  You've got 64 bits of network space to carve up and do with
>> what you wish.  :-)
>>
>> Now, that said, here is a BIG DISCLAIMER:  I have never *actually*
>> performed this.  I believe that Linux allows it; based on my
>> understanding, any standards-compliant operating system should.  YMMV.
>>
>>        --- Mike
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>>
>
>
>
> --
> David Tomaschik, RHCE, LPIC-1
> System Administrator/Open Source Advocate
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
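The nybble and byte splits described in the quoted message, worked through with Python's standard `ipaddress` module. This is an added example, not part of the original thread; the segment names (`lan`, `guest`, `lab`) and helper function names are assumptions chosen to match the three networks discussed.

```python
import ipaddress

# Documentation prefix used in the thread (2001:db8::/32 is reserved for examples).
DELEGATED = ipaddress.ip_network("2001:db8:49a1:39be::/64")

def carve(parent, borrowed_bits):
    """Split parent into 2**borrowed_bits equal subnets (4 bits -> /68, 8 -> /72)."""
    return list(parent.subnets(prefixlen_diff=borrowed_bits))

def build_plan(parent, borrowed_bits, segments):
    """Assign consecutive subnets of parent to the named segments (names are hypothetical)."""
    nets = carve(parent, borrowed_bits)
    if len(segments) > len(nets):
        raise ValueError("not enough subnets for the requested segments")
    return dict(zip(segments, nets))

def slaac_capable(net):
    """Stateless autoconfiguration expects a 64-bit interface ID, i.e. a /64 on the link."""
    return net.prefixlen == 64

def segment_of(address, plan):
    """Return the segment an address belongs to, or None if it is outside the plan.

    Useful when writing per-segment firewall rules at the edge router.
    """
    addr = ipaddress.ip_address(address)
    for name, net in plan.items():
        if addr in net:
            return name
    return None

if __name__ == "__main__":
    plan = build_plan(DELEGATED, 4, ["lan", "guest", "lab"])
    for name, net in plan.items():
        mode = "SLAAC" if slaac_capable(net) else "static or DHCPv6"
        print(f"{name:6} {net}  ({net.num_addresses} addresses, {mode})")
    # Constructed sample addresses, one inside the lab segment and one unassigned.
    for sample in ("2001:db8:49a1:39be:2000::10", "2001:db8:49a1:39be:3000::1"):
        print(sample, "->", segment_of(sample, plan))
```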