IPv6 support by wifi systems

Like so many things IPv6, many of the wifi vendors seem to lack decent support for IPv6 clients. I'm not sure why I thought the situation was better than it seems to be, I guess I'm just an optimist.

Anyway, what wifi vendors provide the best support for IPv6? I don't really care too much about management, but to deploy wifi in a service provider environment with IPv6, it would seem that you'd want at least:

RA Guard
DHCPv6 Shield (unless you just do SLAAC, I guess)
IPv6 Source Address Guard

Am I missing anything critical?

MLD Snooping and IPv6 ACLs are a must. Check to make sure that the solution
allows for many (for your network's definition of many) IPv6 addresses per
host. You'll have at least three per host between link local, global, and
one or more privacy addresses.

I've been providing native dual stack on my Cisco controller based wireless
network for a few years now. IPv6 support was brought up a notch with the
7.2 code release. RA Guard was the obvious big feature that was added, but
I also appreciated the addition of ND caching to keep that chatter down.
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml#discovery

I've also used some Ruckus gear on an IPv6 network and it seemed to have
all the right knobs and pass all the right IPv6 packets. Though this was on
my home network so I can't speak to their IPv6 scalability (no reason to
doubt it, just wanted to be clear).

Feel free to ping me on or off list about either if you have more specific
questions.

-Luke

MLD Snooping and IPv6 ACLs are a must.

MLD Snooping only seems important to me if you are actually going to do multicast outside of the local broadcast domain, which I can't imagine doing in most service provider environments. Am I missing a reason for it or a use case otherwise?

Check to make sure that the solution allows for many (for your network's definition of many) IPv6 addresses per host. You'll have at least three per host between link local, global, and one or more privacy addresses.

It would seem to me that either a wifi vendor would support source address shield for IPv6, which MUST include multiple addresses, or it would just pass everything without paying attention to source addresses. Is there a vendor that does not do one or the other? If so, please name names.

I've been providing native dual stack on my Cisco controller based wireless
network for a few years now. IPv6 support was brought up a notch with the
7.2 code release. RA Guard was the obvious big feature that was added, but
I also appreciated the addition of ND caching to keep that chatter down.
Wireless LAN IPv6 Client Deployment Guide - Cisco

Nice. Can you confirm if they've added DHCPv6 shield too? Source address shield for IPv6?

I've also used some Ruckus gear on an IPv6 network and it seemed to have
all the right knobs and pass all the right IPv6 packets. Though this was on
my home network so I can't speak to their IPv6 scalability (no reason to
doubt it, just wanted to be clear).

Thanks, that's a useful data point.

MLD snooping allows the switch to send multicast traffic only to those
listeners wanting to receive it. Without MLD snooping, the switch floods
multicast to all ports. May be a security issue, is definitely a traffic
issue, though in a small network, it may make no difference.

For example, multicast is used by ND, the IPv6 equivalent of ARP. MLD
snooping means only a few hosts (typically only one, in fact) in the
subnet see any given ND request. Without MLD snooping, every port in the
subnet sees it. Or DHCPv6 - without MLD snooping, every port sees all
client traffic for all DHCP requests; with MLD snooping only the
routers/relays in the subnet see it. "See" with MLD snooping means "see
it at all", not "see and ignore it" as in the broadcast world.

Regards, K.

Oh really? Exactly when during the ND process does a device send an MLD message that can be snooped?

ND just uses multicast, so MLD messages are not really part of ND
itself. But during the setup of any interface with an IPv6 address, MLD
traffic will move and can be snooped on. The switch then knows what
listeners are where, so when for example an NS is sent to the solicited
node multicast address of a target during ND, the switch can send it
only to those hosts it knows are listeners on that group.

Regards, K.

Okay, so then to answer my own question from earlier, the answer is actually that an MLD is sent when an interface configures a new address to join the appropriate solicited node multicast group. It seems that, then, MLD snooping is valuable as it will prevent DAD and other ND traffic from using bandwidth towards hosts not in that group.

Other than solicited node multicast, is MLD used anywhere else in a network that does not have layer 3 multicast enabled on a router?

It seems that, then,
MLD snooping is valuable as it will prevent DAD and other ND traffic from
using bandwidth towards hosts not in that group.

It will prevent *all* multicast traffic from using bandwidth towards
hosts not in the multicast groups involved. ND, DAD etc are just
specific cases.

Other than solicited node multicast, is MLD used anywhere else in a
network that does not have layer 3 multicast enabled on a router?

MLD is used for all multicast - so a DHCPv6 packet, for example, will
only go to any relays and servers in the subnet. *Any* multicast will be
limited to its listeners. The only multicast that will go to all nodes
will be multicast sent to the "all link-local nodes" address - and even
that will not go to non-IPv6 nodes.

MLD snooping happens on switches - you will get the benefit even if in
an isolated network (no router at all).

Regards, K.
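
The forwarding behaviour discussed in the messages above, as an added example that is not part of the original thread: it derives the solicited-node group and Ethernet multicast MAC for an address, then models which ports receive an NS or a DHCPv6 Solicit with and without MLD snooping. The Switch class, the port numbers and the 2001:db8:: addresses are constructed for illustration, and the model ignores the router-port handling a real snooping switch performs.

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
DHCP_AGENTS = ipaddress.IPv6Address("ff02::1:2")  # All_DHCP_Relay_Agents_and_Servers
SN_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(addr):
    """Solicited-node group: ff02::1:ff00:0/104 plus the low 24 bits of addr."""
    return ipaddress.IPv6Address(SN_PREFIX | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))

def multicast_mac(group):
    """Ethernet destination for an IPv6 group: 33:33 plus its low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

class Switch:
    """Toy layer 2 switch; router-port handling of real snooping is left out."""
    def __init__(self, ports, snooping=True):
        self.ports, self.snooping = set(ports), snooping
        self.listeners = {}  # group -> ports learned from snooped MLD reports

    def mld_report(self, port, group):
        self.listeners.setdefault(ipaddress.IPv6Address(group), set()).add(port)

    def configure_address(self, port, addr):
        # Configuring an address triggers an MLD report for its solicited-node group.
        self.mld_report(port, solicited_node(addr))

    def egress_ports(self, in_port, group):
        group = ipaddress.IPv6Address(group)
        if not self.snooping or group == ALL_NODES:  # ff02::1 is always flooded
            out = self.ports
        else:
            out = self.listeners.get(group, set())
        return sorted(out - {in_port})

def build(snooping):
    # Constructed topology: ports 1-3 are hosts, port 4 is a DHCPv6 relay.
    sw = Switch([1, 2, 3, 4], snooping)
    sw.configure_address(1, "2001:db8::a1b2:c3d4")
    sw.configure_address(2, "2001:db8::1234:5678")
    sw.mld_report(4, DHCP_AGENTS)
    return sw

if __name__ == "__main__":
    target = solicited_node("2001:db8::a1b2:c3d4")
    print(target, multicast_mac(target))
    for snooping in (True, False):
        sw = build(snooping)
        print(snooping, "NS from port 2 ->", sw.egress_ports(2, target))
        print(snooping, "DHCPv6 Solicit from port 1 ->", sw.egress_ports(1, DHCP_AGENTS))
```

With snooping on, the NS for the port 1 address and the client's DHCPv6 Solicit each leave on a single port; with it off, both reach every other port in the subnet.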

In a wifi environment, however, this has additional complexity.

A multicast packet originating within the WAP or from the wired
side of the WAP and destined for more than one wireless host should
be sent to be heard by all hosts so it is only transmitted once.
Otherwise it ties up excessive air time. In this regard, a WAP
is more like a hub than a switch.

A multicast packet originating from a wifi host, OTOH, must be
repeated by the WAP so that all subscribed hosts can hear it.

Owen

Access point support from many vendors seems okay. But another vendor gap
on IPv6 is WiFi AAA, policy servers, and tunnel servers from vendors like
Ericsson and ALU. I hope to see richer IPv6 support for these aspects of
WiFi (helpful for those operating lots of outdoor WiFi systems for
example).

Jason

Rather old document from 2010: Cisco + IPv6 over CAPWAP protocol: http://d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKEWN-2010.pdf