New Office, New Network. Questions.

Here are my replies to this e-mail. Sorry for the late replies!

1. Currently we do not have IPv6 in our network but I have seen the ISP is
giving us a "/56 Block" which from what I understand is a couple hundred "/64
Subnets". I think you can only have /64 subnets in IPv6. In our IPv4 setup we

You can have other sized subnets, but 64 is very handy if you intend to use
SLAAC auto-configure. There's also the danger of running into broken equipment
that doesn't understand other sized subnets (similar to very old IPv4 gear that
understood a /24, but exploded if told about a /23 or /25).

I really like SLAAC and its design and I would very much like to use it. Therefore we will be using /64 IP Ranges.
Is there any way to limit the amount of devices in a subnet to avoid problems and attacks? I don't think the equipment will work with 2^64 devices in a single subnet.

have 32 addresses, four of which I will use for NAT and the remaining needed
for online services and servers. In IPv6 we have a lot of addresses but I am
not sure whether I should give an address of the ISP to every device. I found

Assign a /64 to everyplace that you would assign a subnet in IPv4. Give each
device on that subnet its own address. Use DHCPv6 or SLAAC or both, whatever
gets the job done in your situation. Don't worry about NAT anymore, you have
enough addresses.

that there is an organization that can help avoid collisions in private IPs:
IPv6 ULA (Unique Local Address) RFC4193 registration (SixXS - IPv6 Deployment & Tunnel Broker). From what I can tell it is just a
registry, but I am thinking of registering the ranges there and then use these
subnets and NAT them to the IPv6 address of the router.

Don't do that. NAT was invented to fix a problem that IPv6 doesn't have. Feel
free to give every single device a global address. (You'll still want a
stateful firewall someplace, but it doesn't have to do NAT, it just has to keep
track of legitimate versus malicious traffic).

So why are these addresses there? For installations not connected to the Internet?

And don't freak out if a device has more than one address. As I'm writing this
from the sofa in my living room, my laptop wireless has:

ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.150 netmask 255.255.255.224 broadcast 192.168.1.159
inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x0<global>
inet6 2601:5c0:c100:6431:c01:a589:19a4:236e prefixlen 64 scopeid 0x0<global>
inet6 2601:5c0:c100:6431::d67 prefixlen 128 scopeid 0x0<global>
inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf prefixlen 64 scopeid 0x0<global>
inet6 fe80::cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x20<link>
inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9 prefixlen 64 scopeid 0x0<global>
ether c8:d7:19:37:0c:02 txqueuelen 1000 (Ethernet)

(One DHCPv6 - ::d67. One SLAAC - the one with ff:fe in it. And 4 different
RFC3041 privacy addresses that it's chunked out over the weekend. It works
just fine that way - and it's *designed* to do so.) (Of course, in a corporate
environment, you may want to turn the privacy addresses off, and only use
one of DHCPv6/SLAAC - I do it this way because it tests for broken software...)

Thanks for letting me know ahead of time. I have looked up about the privacy addresses and we don't need them as you say. Is there a reason you use DHCPv6 and SLAAC? Is it for compatibility? Can I use the DHCPv4 to give out DNSv6 addresses?

Oh, and don't block ICMPv6. :-)

I was never a fan of blocking ICMP except the redirects in some cases.

something strange. The WAN port of our router gets a /64 IPv6 address which is
not in our IPv6. Should I use this for NAT or one of "our" addresses?

You use it for the IP address of the provider-facing interface of your router.
Assign the "inside" interface(s) addresses on the appropriate /64 subnet that
they will be on.

Oh, so this is like BGP. In my previous company we had BGP connections and we used an IPv4 /30 for these connections which was not within our IP range. I thought they would give us a /126 and not a full /64 so I did not think that was it.

Thanks!

Is there any way to limit the amount of devices in a subnet to avoid problems
and attacks? I don't think the equipment will work with 2^64 devices in a
single subnet.

Sure. Just don't connect that many devices to one subnet, just the same as you
do in IPv4. No need to drop them all into one subnet. You got a /56, so you can
make 256 /64s out of it. Carve it up whatever way your cabling says to do it.
Maybe one subnet for your external router to all your in-building switches,
then each switch has a subnet for one floor/office suite/whatever and 1
interface on your organization-wide fabric. Maybe something else - but in
general you'll be using a subnet everyplace you'd use one in IPv4.

So why are these addresses there? For installations not connected to the Internet?

Exactly. It's an attempt to avoid the current mess during corporate acquisitions
where they find out that both companies used 10.16.12.0/24 for different things.

Is there a reason you use DHCPv6 and SLAAC? Is it for compatibility?

My laptop works just fine at both home and work just using SLAAC - I hit both
mostly to make sure that if I'm travelling and hit someplace where the routers
don't do SLAAC, I'll still configure.

And as I noted, I do it at least partially to stress-test for stuff like
network logging tools, to make sure they don't fall over if they see an address
that isn't either SLAAC or DHCPv6, and so on...

Can I use the DHCPv4 to give out DNSv6 addresses?

No. You'll need to use either SLAAC or DHCPv6 for that.
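As an added example (not code from anyone in this thread), a small Python inventory helper that labels each address from the ifconfig listing earlier in the thread the way the reply describes them (EUI-64 SLAAC, DHCPv6, RFC 3041/4941 temporary, link-local) and carves a delegated /56 into named /64s as the reply above suggests. The MAC and addresses are the ones shown in the listing; the /56 is a documentation prefix; the rule "an interface identifier below 2^16 means DHCPv6 or static" is an assumption, not something the page states.

```python
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 App. A): flip the
    universal/local bit of the first octet and insert ff:fe in the middle."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def classify(addr: str, mac: str) -> str:
    """Label one address. Assumption: an interface identifier below 2^16 was
    handed out by DHCPv6 or set by hand; any other non-EUI-64 identifier is
    an RFC 4941 (formerly RFC 3041) temporary address."""
    a = ipaddress.IPv6Address(addr)
    iid = int(a) & ((1 << 64) - 1)
    if a.is_link_local:
        return "link-local"
    if iid == eui64_iid(mac):
        return "slaac-eui64"
    if iid < 0x10000:
        return "dhcpv6-or-static"
    return "privacy-temporary"

def inventory(addrs, mac: str) -> dict:
    """Per address: its label and the /64 it sits in, as an asset or log tool should record."""
    return {a: (classify(a, mac), str(ipaddress.IPv6Interface(a + "/64").network))
            for a in addrs}

def carve(block: str, names) -> dict:
    """Hand out one /64 per place you would use a subnet in IPv4, in order."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=64)
    return {name: str(next(subnets)) for name in names}

def count_64s(block: str) -> int:
    """Number of /64s in a delegated block (a /56 holds 256)."""
    return 2 ** (64 - ipaddress.ip_network(block).prefixlen)

# Constructed sample input: the MAC and addresses from the ifconfig listing above.
MAC = "c8:d7:19:37:0c:02"
ADDRS = ["2601:5c0:c100:6431:cad7:19ff:fe37:c02", "2601:5c0:c100:6431::d67",
         "fe80::cad7:19ff:fe37:c02", "2601:5c0:c100:6431:c01:a589:19a4:236e",
         "2601:5c0:c100:6431:ad68:c60c:583:19e9"]

if __name__ == "__main__":
    for addr, (label, net) in inventory(ADDRS, MAC).items():
        print(f"{addr:40} {label:18} {net}")
    # 2001:db8::/32 is the documentation prefix, standing in for the ISP's /56.
    print(count_64s("2001:db8:abcd::/56"), carve("2001:db8:abcd::/56", ["uplink", "floor-1", "floor-2"]))
```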

"Is there a reason you use DHCPv6 and SLAAC? Is it for compatibility? Can I
use the DHCPv4 to give out DNSv6 addresses?"

Unless you plan on having IPv6 only hosts, there is no advantage in
providing IPv6 DNS servers. Just stay with IPv4 for your DNS resolver in
the DHCPv4 config. Notice that your IPv4 DNS resolver is perfectly capable
of providing AAAA IPv6 replies.

Using DHCPv6 in a corporate environment makes it easier to track which
machine has an IP address as you can look up the info in the DHCP lease
database. Also some prefer the nice short addresses that you get from DHCP
compared to SLAAC.

My network has both enabled, so my tablet has the following two addresses:

SLAAC: 2a00:7660:5c6:0:74cd:d48c:8230:a44f
DHCP: 2a00:7660:5c6::701

The latter is easier to type if you have to add rules to your firewall etc.

Regards

Baldur

To provide some additional clarity and detail:

1. No, you can’t to the best of my knowledge hand out any IPv6
  parameters via IPv4, nor should you really want to.

2. You can hand out IPv6 DNS resolver information from either or both
  of SLAAC and DHCPv6.

  For SLAAC, you’ll need routers that support RFC 6106. Juniper finally
  added this in 14.1.

  Cisco added it in 15.4(1)T, 15.3(2)S

  More information here: https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_systems

  To the best of my knowledge, DNS is a configuration option in all DHCPv6
  implementations.

3. I disagree with Baldur about not bothering with IPv6 DNS resolvers.
  Given that the long term goal is to get back to single-stack networking,
  but with the single stack being IPv6, each and every vestigial IPv4
  dependency you leave lying around is just another thing you need to clean
  up at some point in the future. Since it’s so completely easy to enable
  dual-stack (or even better IPv6-only) resolving when you first deploy
  IPv6 to your end-systems, why not just do that?

Owen
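Added example, not code from any poster in this thread: a minimal decoder for the ICMPv6 Router Advertisement (RFC 4861) fields that drive SLAAC and the RFC 6106 RDNSS option Owen mentions, so you can check what a router on a segment actually advertises (for example from a packet capture) before relying on it. The sample RA is constructed here with documentation addresses and a zero checksum; the checksum covers the IPv6 pseudo-header and is not computed.

```python
import struct
import ipaddress

ICMPV6_RA = 134       # Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3   # Prefix Information option: the /64 SLAAC uses
OPT_RDNSS = 25        # Recursive DNS Server option (RFC 6106)

def parse_ra(pkt: bytes) -> dict:
    """Decode an RA header plus its Prefix Information and RDNSS options.
    Zero-length or truncated options are rejected, as RFC 4861 requires."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_RA or pkt[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = pkt[5], struct.unpack("!H", pkt[6:8])[0]
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    i = 16
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] == 0:
            raise ValueError("malformed option header")
        otype, size = pkt[i], pkt[i + 1] * 8   # option length is in 8-byte units
        body = pkt[i:i + size]
        if len(body) != size:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and size == 32:
            plen, pflags = body[2], body[3]
            valid, pref = struct.unpack("!II", body[4:12])
            net = ipaddress.IPv6Network((body[16:32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "onlink": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": pref})
        elif otype == OPT_RDNSS and size >= 24:
            for j in range(8, size, 16):          # 8-byte header, then 16-byte addresses
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[j:j + 16])))
        i += size
    return ra

def build_sample_ra() -> bytes:
    """Constructed sample: one /64 with the L and A flags set and one RDNSS server,
    both in the 2001:db8::/32 documentation prefix. Checksum left at zero."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0x00, 1800, 0, 0)
    pio = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
           + ipaddress.IPv6Address("2001:db8:1:2::").packed)
    rdnss = (struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600)
             + ipaddress.IPv6Address("2001:db8:1::53").packed)
    return hdr + pio + rdnss

if __name__ == "__main__":
    print(parse_ra(build_sample_ra()))
```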