IPv6. Think Big, Really Big.

 

Modular and scalable IPv6 subnet design

May 19, 2012. By Justin Franks

英語で  日本語で

 

This is directed towards organizations that have acquired or plan to acquire their own provider independent IPv6 address block.

First, do NOT think of IPv6 in terms of IP addresses when designing a scalable IPv6 address model for your organization. Think of IPv6 in terms of /64 subnets. Forget about "wasting" IP addresses. We want to design a consistent and saleable address scheme.

 

RIR's basically provide two types of IPv6 blocks. A /48 and a /32. Really big organizations and ISP's are given a /32 block. Smaller organizations are given a /48 block. A /48 prefix contains ~65,536 IPv6 subnets. A /32 prefix contains 4,294,967,296. Perfect, more than enough for any Organization for the foreseeable future. Now we need to think about network requirements. How many subnets (private and public) would the entire Organization require in the Asian region? In the north American region? In the European region? In all regions combined considering room for massive expansion? Lots and lots, right? Based on those numbers you now know which size prefix you request from your RIR. A /48 or a /32.

 

Remember, IPv6 address design scheme does NOT consider addresses as a limited resource and thus numbers are non-significant. Conserving IP addresses is about as trivial as trying to save oxygen molecules while you take a walk. Don’t try to do it. This is one of the reasons why the recommended minimum subnet size for IPv6 is a /64. Sure, a /64 has 18 quintillion addresses in it. Sure we will use a single /64 subnet for a simple point-to-point circuit. Sure, it is a “waste” of IP addresses. Again, forget about thinking in terms of amount of IP addresses. Think about things only in terms of subnets. It's all about number of subnets and organization of subnets which will determine the flexibility and limitations of your IPv6 network. However, some argue that a /64 prefix should not be used on point-to-point links or circuits between routers. Some say that there are exploits and vulnerabilities if a /64 is used on point-to-point links, for example, the Neighbor Discovery Protocol exhaustion attack. But keep in mind, any prefix larger than a /64 (for example, a /120) will break many IPv6 features such as Stateless Address Auto Configuration (SLAAC), Neighbor Discovery (ND), Secure Neighborship Discovery (SEND), privacy extensions, parts of Mobile IPv6, PIM-SM with Embedded-RP, and SHIM6. Other IPv6 features currently in development, or being proposed, also rely on /64 subnet prefixes. In short, IPv6 features (existing and future) will rely on all of the bits in a /64 prefix. If you decide to use a prefix larger than a /64 please be mindful of what it may break compared to what it may solve. After considering exploits, etc… my personal opinion is that a /64 should be used on everything, even on point-to-point links. My only reason is that I do not know all of the implications of using longer prefixes such as a /127 or /120. I think it is fair to say that nobody knows all of the implications. It is also fair to say that regardless of what we do there will always be exploits. Time will go on and who can really say for a certainty what should and shouldn’t be used? And if there are exploits, well, it is the vendors job as well as the IETFs job to learn of them and provide upgraded hardware/software to protect against us against them.

 

First, as mentioned before, determine how many subnets (private and public) your Organization will require overall and in each region. That will tell you if you need a /48 or a /32. A /48 will be sufficient for all but the largest Organizations. Then get your Provider Independent IPv6 space from your RIR.

http://www.iana.org/numbers/

The next step is to divide the Parent Prefix (the /48 or /32) into smaller prefixes, Child Prefixes. Child prefixes can be independently advertised from disperse sites. For example, organization A office #1 can advertise one Child Prefix out to the Internet with BGP while organization A office #2 can advertise another Child Prefix out to the Internet with BGP.  Also keep in mind that we do not want to divide the Parent Prefix into too many Child Prefixes. We want to divide it into just enough Child Prefixes so that each global region (Asia, Africa, Europe, North America, South America) can be assigned its own Child Prefix and still have just a few left over for reserves. Also keep in mind that you should not make your Child prefixes too large. In my opinion a /52 Child Prefix is the largest you should go. Also be sure to consider RFC3956 "Embedding the Rendezvous Point (RP) Address in an IPv6 Multicast Address". We also need to make sure that the subnet requirements of our LARGEST region do not exceed the number of subnets provided by ONE of the Child Prefixes. Now, these Child Prefixes will be the minimum prefix allowed to be advertised by your Organizations BGP AS Number. With this model large AND small Organizations will have network design flexibility. With IPv6 it would not make sense for a large international organization to acquire a /32 from EACH of the 5 IANA RIR’s. By using Parent and Child prefixes an Organization, large or small, can assign a Child Prefix to each of its global regions from its single Parent Prefix. This model is a hierarchal order, same as IPv6. So it fits well. This model is super modular, super simple and super scalable. Why? Because it is consistent. As a side note it is assumed that network engineers would know they have the option to advertise Parent and/or Child prefixes out specific BGP routers and the advantages/disadvantages of doing so. If it was me I would only advertise Child Prefixes from the appropriate BGP routers per region.

 

However, with this model of Child Prefixes it means that BGP filters of all ISP’s and backbone providers must NOT filter out prefixes larger than a /48. What should be the prefix limit? Some argue that a /48 should be the largest allowed to be advertised by BGP. But we have very little large scale real world experience in IPv6 and BGP. So we should not make these hard and fast rules now. Let’s remain flexible in our thoughts and actions. Not filtering prefixes larger than a /48 will allow even small global organizations adequate network design flexibility Again, the issue here is about an Organizations ability to utilize their IPv6 assignment/allotment in a flexible way while still facilitating IPv6 global multicast. What should be the filter limit? I can’t say for certain. But not a /48 and not a /64. Something in between…

 

Why is this a good IPv6 prefix model? Because IPv6 is hierarchical. Not only that but IPv6 is specifically designed to allow true peer-to-peer connectivity. That means that every single device that hooks into the IPv6 network SHOULD have a unique IP address that it will grab automatically. That means that every electrical appliance whether it be a server, refrigerator, GPS, lighting system, speaker system, clock, airplane controls, car engine, air-conditioner or anything else can connect to the IPv6 network and send/receive instructions via multicast. It means than an Organizations network will become truly global.

 

Another thing. The entire IPv4 concept of Public/Private IP addresses should be forgotten when designing IPv6 networks. If you are concerned about a device being reachable by others then use a filter to control access to/from the device. Private IPv6 addresses are Unique Local Addresses (ULA). They all start with “fd” so fdxx:xxxx:x….. they are non-routable. In short, always use globally routable IPv6 addresses. In other words, only use the IPv6 addresses from your /48 or /32. Again, if you are concerned about devices being globally reachable then make sure that some blocks of addresses from WITHIN your /48 or /32 are specifically reserved “secret” un-routable devices. Meaning, those blocks will be heavily filtered. So create access policies unique to each network environment and apply those policies to one of your “secret” prefixes. Perhaps the “secret” prefix can be one of the reserved Child Prefixes or a Sub-Child Prefix that is filtered on every edge router of your international organization. If you are a Network Engineer I think you follow me and can take it from there. It’s all about organizing your IPv6 space from the top down using a GLOBAL perspective.

 

 

-Justin Franks

justintfranks@gmail.com