Read the transcript of the question and answer session from the webinar below:
Q: Do you know of an IPv6 subnet calculator?
A: http://ipv6subnetcalc.sourceforge.net
Q: Please further define Nibble boundaries.
A: A nibble is 4 bits. The normal written version of an IPv6 address is 32 hexadecimal characters of 4 bits each. If you subnet in multiples of 4 bits (on nibble boundaries), you will always align with the hex characters in the written version. Not required, but easier for humans.
Q: I have already been assigned an address space; the ISP assigned me a /48 range. This is very large; is this normal?
A: Yes. This is the smallest prefix that most ISPs will assign.
Q: Who would I deal with for Address space in Australia?
A: APNIC
Q: Is there a big disadvantage to creating networks that are smaller than /64 for hosts?
A: I'm assuming you mean prefixes longer than /64, like /96, etc. It breaks autoconfiguration (SLAAC), which assumes 64 bits for the host portion of the address. You also risk broken router and OS stacks that make the same assumption, causing interoperability problems.
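The SLAAC dependency on a 64-bit host portion can be shown directly. The following is an added Python example (not code from the webinar or from Infoblox) that builds the modified EUI-64 interface identifier of RFC 4291 Appendix A from a constructed sample MAC address and forms the autoconfigured address; it refuses any prefix other than /64, mirroring the RFC 4862 rule that prefix length plus interface identifier length must equal 128. The MAC and the documentation prefixes are constructed values.

```python
"""Added example (not from the webinar or Infoblox): why SLAAC needs a /64.

The interface identifier that SLAAC appends is 64 bits long; with a prefix
longer than /64 the two overlap. Builds the RFC 4291 Appendix A modified
EUI-64 identifier from a constructed sample MAC address.
"""
import ipaddress


def modified_eui64(mac: str) -> int:
    """64-bit interface identifier from a 48-bit MAC: split the MAC, insert
    0xfffe in the middle, and invert the universal/local bit (0x02) of the
    first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def iid_overlap_bits(prefix: str) -> int:
    """How many bits of the 64-bit interface identifier collide with the
    routing prefix; zero for /64 and shorter."""
    return max(0, ipaddress.ip_network(prefix, strict=False).prefixlen - 64)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure from a Router Advertisement
    carrying `prefix`. RFC 4862 requires prefix length + identifier length
    to equal 128, so anything but /64 is rejected, as a host would ignore it."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(
            f"SLAAC needs a 64-bit prefix, got /{net.prefixlen} "
            f"({iid_overlap_bits(prefix)} identifier bits overlap the prefix)")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))


def slaac_works(prefix: str) -> bool:
    """True when hosts on this prefix could autoconfigure at all."""
    try:
        slaac_address(prefix, "00:00:00:00:00:00")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    mac = "00:1b:63:84:45:e6"  # constructed sample MAC
    print(slaac_address("2001:db8:0:1::/64", mac))
    for p in ("2001:db8:0:1::/64", "2001:db8::/80", "2001:db8::/96"):
        print(p, "overlap bits:", iid_overlap_bits(p), "SLAAC:", slaac_works(p))
```

Privacy extensions (RFC 4941) replace the EUI-64 identifier with a random one, but the identifier is still 64 bits, so the /64 requirement is unchanged.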
Q: If you are a small company but do not want to settle for provider assigned addresses what should be done?
A: Get two connections from different ISPs (dual home), or justify your space by one of the other criteria from your RIR (number of locations, etc.).
Q: Is there an easy place to find which IPv6 transition mechanisms InfoBlox supports?
A: DNS64
Q: I know that there is no NATing with IPv6. How would we work with IPv6 without NATing?
A: You need to define what problem you're actually trying to solve. NAT is not a solution; it's just one of many tools.
Q: If you have multiple ISPs for internet access, how do IPv6 addresses work?
A: Just like with IPv4. Get PI (provider independent) space and have both providers announce that space, or get space from one provider and convince the other to route it (unlikely).
Q: What will motivate large companies to go to IPv6, as they have so many unused /8s?
A: Lots of large companies don't necessarily have a /8, or even a lot of IPv4 space. The motivators will be as with any other company: shortage of v4 space, partners using v6, the need to support new v6-only devices, or to stay current with technology.
Q: What are the 1918 ranges in v6?
A: Look at ULA (unique local addresses). ULA is not quite the same as 1918 space, but can be used in a similar fashion.
Q: Do you recommend reserving a /64 for point-to-point links, then just configuring a /127 out of it?
A: That is a valid way to do it. You may also want to have a /64 per hub or region for p2p links. The goal would be the least number of routing table entries and making it easier to implement your security policy via ACLs.
Q: Is it a good idea to map existing v4 addresses to similar in v6 for ease of use/navigation?
A: If you do this, you throw away the advantage of /64 subnets, where the sheer number of addresses makes it almost impossible to brute-force scan the subnet. If you map to v4, you've reduced billions of billions of addresses to the number of hosts in your v4 subnet.
Q: What is the equivalent of 192.168, 10.10 etc?
A: See the RFC 1918 question.
Q: What is recommended regarding breaking up /64 subnets?
A: Don't do it. See the previous answer on longer-than-/64 subnets.
Q: What about unique local prefixes (RFC 4193)?
A: Not sure what you're asking here.
Q: Currently I aggregate IPv4 addresses by routed switch block in the internal network. Do I aggregate IPv6 the same way, by routed switch block, to keep routing tables down?
A: That would work.
Q: What is the smallest IPv6 network announceable via BGP/EIGRP? Assuming I have around 4 physical locations, each with their own Internet link, I'd like to do BGP multihoming between them. I assume I'd need to get something like a /44 so I could allocate a /48 to each location that could be moved via BGP amongst them?
A: Correct. No one is willing to announce longer than /48 (i.e. /50, etc.), so you will need at least a /48 per site and a prefix big enough to give out all those prefixes per site.
Q: How much cleaning up of the network design we should do for IPv6? In theory we can reduce the number of subnets significantly in IPv6 compared to IPv4, but that will add substantial effort and complexity to the migration. What are most of your customers doing? Any advice on minimizing the effort of mapping IPv4 subnets to IPv6 subnets (e.g., using new VLAN tags for L2 segments to be used by IPv6)?
A: As much as possible, clean up v4 first. However, you may not have enough v4 space to clean up as much as you'd like. Different tags are certainly one way to minimize the pain.
Q: In what way is IPv6 easier to debug?
A: Than v4? Currently, it isn't, since it isn't as well understood. But if you can clean up your network architecture and subnetting plan because you have enough address space, that can certainly make both ACL maintenance and debugging much easier, because it will be much more self-documenting, consistent, etc.
Q: Should I use one /64 world wide, or get 3 separate IPv6 blocks, one per region (NA, AP, EMEA)?
A: First, you should get at least a /44 if you have 3 sites and want to have those sites all announced in three regions, since you'll have to assign at least a /48 to each. But if you don't need PI (provider independent) space and a single address block, it may be appropriate for you to either get PI space from each RIR or just get PA (provider assigned) space from your 3 ISPs. I can't say which is better for you; there are too many variables to guess.
Q: You say the best option for p2p links is to use /127. But I read other RFCs that say we should avoid using /127 and rather use /64. Isn't it easier to use /64 everywhere? What about deactivating ND on such links?
A: RFC 3627 has been deprecated and RFC 6164 specifically recommends /127 for point-to-point links. While you can try to disable ND and filter ND traffic, using a /127 follows IETF BCP, doesn't cost anything, works fine and is another layer of protection against misconfigurations or future attacks.
Q: What about subnetting below the 64 bits, like 72 or further?
A: No. See the above comments about longer-than-/64 prefixes.
Q: Do you pull all your /127s from one /64, or do you burn a /64 but only use 2 IPs from it? And for the loopback /128?
A: See above on using a /64 for /127s. And yes, if you use a /32 for loopbacks in v4, use a /128 in v6. As with point-to-point links, how much space you reserve for loopbacks depends on you, but the number of routes and ACLs is what should inform your choice.
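The answers about a /48 per site, a /64 reserved per hub for /127 links, /128 loopbacks, and keeping route and ACL counts low can be put together into one small address plan. The following Python is an added example (not code from the webinar or from Infoblox): the organization block is sized to a nibble boundary, each site gets a /48, and inside each site the first /64 is reserved for loopbacks and the second for point-to-point links, so every router address at a site matches two ACL entries. The reservation scheme and the 2001:db8::/44 documentation prefix are constructed assumptions, not a standard.

```python
"""Added example (not from the webinar or Infoblox): a small address plan
with a /48 per site, one /64 per site for /128 loopbacks and one for /127
point-to-point links. The reservations and the sample prefix are
constructed assumptions.
"""
import ipaddress
import math

SITE_PREFIXLEN = 48  # per the answers above: nothing longer than /48 gets announced


def org_prefixlen(n_sites: int) -> int:
    """Shortest prefix holding one /48 per site, rounded down to a nibble
    boundary; the rounding is where the growth room comes from
    (10 sites need 4 bits, so /44, which is 16 /48s)."""
    bits = math.ceil(math.log2(n_sites)) if n_sites > 1 else 0
    plen = SITE_PREFIXLEN - bits
    return plen - plen % 4


def site_block(org_prefix: str, site_index: int) -> ipaddress.IPv6Network:
    """The site_index-th /48 inside the organization block."""
    org = ipaddress.ip_network(org_prefix, strict=True)
    base = int(org.network_address) + (site_index << (128 - SITE_PREFIXLEN))
    site = ipaddress.IPv6Network((base, SITE_PREFIXLEN))
    if not site.subnet_of(org):
        raise ValueError(f"site {site_index} does not fit in {org_prefix}")
    return site


def infrastructure_blocks(site: ipaddress.IPv6Network):
    """Reserve the first /64 of a site for loopbacks and the second for
    point-to-point links (a design choice; any two /64s would do)."""
    base = int(site.network_address)
    loopback_block = ipaddress.IPv6Network((base, 64))
    p2p_block = ipaddress.IPv6Network((base + (1 << 64), 64))
    return loopback_block, p2p_block


def loopbacks(block: ipaddress.IPv6Network, count: int) -> list[str]:
    """/128 loopback addresses, starting at ::1 so the all-zeros interface
    identifier stays unused."""
    base = int(block.network_address)
    return [f"{ipaddress.IPv6Address(base + i)}/128" for i in range(1, count + 1)]


def p2p_links(block: ipaddress.IPv6Network, count: int) -> list[tuple[str, str, str]]:
    """/127 links carved from one /64; each gives exactly two addresses,
    which is why a /128 cannot serve as a point-to-point link."""
    base = int(block.network_address)
    links = []
    for i in range(count):
        link = ipaddress.IPv6Network((base + 2 * i, 127))
        a, b = link.network_address, link.network_address + 1
        links.append((str(link), str(a), str(b)))
    return links


def acl_entries(site: ipaddress.IPv6Network) -> list[str]:
    """Prefixes an ACL needs to match every router address at the site."""
    return [str(b) for b in infrastructure_blocks(site)]


if __name__ == "__main__":
    org = f"2001:db8::/{org_prefixlen(10)}"  # constructed sample block
    site = site_block(org, 3)
    loop_block, p2p_block = infrastructure_blocks(site)
    print("organization block:", org, "site 3:", site)
    print("loopbacks:", loopbacks(loop_block, 3))
    print("p2p links:", p2p_links(p2p_block, 2))
    print("ACL entries covering all router addresses:", acl_entries(site))
```

Whatever the site has, its loopbacks and link addresses summarize to two /64 routes and two ACL lines; that is the "least number of routing table entries" goal from the answers, applied at site scale.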
Q: On Slide 15, if one gets an ARIN address space, say for argument, a /32, can a /48 out of that /32 be advertised in a different region e.g. Europe or Asia?
A: In theory. You will have to negotiate with your ISP to actually get them to announce the route, just like with v4 route announcements.
Q: Do I need to "buy" all the IPv6 space I need from IANA, even if I need IPs to be used in a local environment, not in public?
A: IANA doesn't give out address space. You would get it from an RIR or ISP. And if you want globally routable space, yes you need to get it from an RIR or ISP. You can look at ULA (unique local) addresses if you want address space that will never be routable on the internet and you don't care about address uniqueness. However, global space is not expensive and gives you lots more choices and flexibility in designing your network.
Q: Does IPv6 have any local IP pool mechanisms (like 192.168 or 10. for IPv4) which I can use for internal network?
A: ULA. See multiple responses above.
Q: From a security perspective, would you recommend using private address space or are there reasons to use public space?
A: Private address space isn't guaranteed to be unique and can't be routed, so it must be NATed. The small additional security you get from NAT in v4 can be achieved with a stateful firewall and global addresses.
Q: I manage mostly Cisco equipment. How does Infoblox fit in that environment?
A: Just fine.
Q: Can point-to-point be /128?
A: No. That's only one address. You need two or it's not a point-to-point link. You can use a /127.
Q: Traditionally we deploy IPv4 loopbacks on all our routers. With concerns of aggregation and /64s being the smallest addressable space, what is the best practice for loopback addressing?
A: Use a /128, just as you use a /32 in v4. See the above response.
Q: Are most administrators using dual stack to accommodate non-IPv6 NMS systems? Or are the systems being upgraded to be IPv4 and IPv6 capable?
A: Dual stack requires both v4 and v6 to work. As for NMSs, if the software doesn't deal with IPv6 transport for queries and handling IPv6 data, it will need to be upgraded or replaced.
Q: Is it possible to know if there is an RFC to assign IPv6 to a mobile scheme?
A: There are dozens...
Q: We know of broadcast storms... Are "multicast storms" still possible with IPv6?
A: Yes. If you put thousands of hosts into one single broadcast domain (like 64k hosts on a single /64 in a switch), you would certainly wind up with a flood of ND/NS messages. IPv6 doesn't save us from bad software or bad network designs...
Q: In a /64, is it possible to have too many hosts? E.g. in IPv4 the recommended max user subnet size is usually /24, 256 hosts... In the IPv6 world, /64 is virtually unlimited.
A: See the previous question/answer. You could probably survive 1-2k hosts in a stable network on one broadcast domain, but certainly not a lot more.
Q: What do you think about making subnets from the VLAN numbers I actually have in IPv4?
A: It does make it easier for a bad guy to target your subnets, but if the risk is lower and the self-documentation advantage is significant to you, you can do that. I would recommend heavily against reusing host *numbers*.
Q: What will be the minimum IPv6 prefix that can be advertised with a BGP peer? The challenge is that ISPs would not like to announce small non-aggregated subnets. From your experience, how big a subnet would an ISP like to accept if the subnet does not belong to the ISP?
A: /48
Q: When I have 10 places in 10 countries, do I have to request a /47 range from RIPE?
A: You should ask for at least a /44 (16 /48s) to give yourself some growth room.
Q: As a large organization with a single block allocation, how would you devise your address allocation scheme to receive Internet connectivity from 2 different ISPs? Would it be better to go and get another block of address?
A: Make sure the division is at least /48 or larger per site, and make sure your ISPs are willing to announce the longer prefixes.
Q: What size company would you consider large? I've seen guidance that has stated that if you are a 1000-user company, obtain the IPv6 space from the RIRs. I have also heard 2000 people. What does Infoblox recommend? With a /48, how many more addresses do we get than with the existing IPv4 /32?
A: Per-user count isn't very meaningful. Per subnet is probably a better metric, but there are lots of variables and definitions of "large". Not sure what you mean by IPv4 /32. That's just one host address....
Q: Is /64 what an ISP gives to users, or might we get /80 or /88 also?
A: Hard to say for sure, but most experts are recommending against ever going below /64 for consumer ISPs. That doesn't mean it won't happen, but they're ignoring expert advice.
Q: In an IPv4 subnet we have network and broadcast addresses. How is it in IPv6? If it is a /4, do we get only 14 addresses, not 16? I mean if we get a /48 and use /52 as the subnet.
A: There is no equivalent in v6 of the all-ones or all-zeros per subnet in v4. Even in v4, it's broken to not allow .0 as a host address, but a lot of stacks are broken. But there is no broadcast at all in v6.
Q: Using a /127 has significant risks. There are concerns about whether devices will support /127 subnets, and restrictions on which address ranges can be used in order not to collide with any /64 anycast addresses. How would this risk be mitigated using a /127?
A: I see no evidence that /127s are any risk. The places you're going to see them are on large backbones between routers, and all the serious router vendors and current software on them handle this just fine and have for years. There is very little likelihood of consumer-grade gear ever needing to deal with /127s, and that gear is where you see most of the broken routing implementations. I'm not sure what you mean by /64 anycast addresses. There is no reserved range for anycast; it's a routing technique, not a different address type like unicast or multicast is.
Q: If an organization is dual homed to multiple carriers and has multiple Internet points of presence, I would assume that multiple /48s would be required. Is this a valid assumption?
A: Yes.
Q: Is /127 equivalent to the current /31 that I use with my Cisco routers' point-to-point connections?
A: Yes.
Q: If I have 2 offices in NA, 12 in Europe, and 8 in Asia Pacific, do I have to request ranges from multiple RIRs?
A: Depends on your needs. You can try to do it all out of one block or three. Since you have more sites in Europe, it might be worth getting the one block from RIPE if you go that way.
Q: What has been noted about requesting a /32 from ARIN?
A: You have to be able to justify it based on their published rules. If you can, you'll get it.
Q: Can you recommend books or links that explain IPv6 please?
A: There are lots of books, but the best way to learn is to get a tunnel from HE (Hurricane Electric) or SIXXS to your home or lab and then go through the HE certification program.