IPv6 Dynamic Prefix Problems

Bjørn Mork bjorn at mork.no
Wed Dec 16 11:06:58 CET 2015


Johannes Weber <johannes at webernetz.net> writes:

> what are your experiences with dynamic IPv6 prefixes? Here in Germany,
> several ISPs only offer dynamic /56 prefixes that change after a router
> reboot. Of course, for "normal" end-users this is not a problem. But for
> companies having several remote offices behind such ISP lines, this is a
> problem. (And of course, for me as a network guy, too. ;))
> I encounter several problems with this type of dynamic prefixes and
> summarized them here:
> http://blog.webernetz.net/2015/10/27/ipv6-dyn-prefix-problems/ 
>
> 1) Many DNS changes for services behind the dyn prefix (not all devices
> are able to update DNS records)
> 2) Security policies with DynDNS ranges (how to allow a dyn IPv6-range
> in other firewall policies?)
> 3) Routing inside IPv6 VPN tunnels (solved with OSPFv3, but maybe not
> optimal?)
>
> I am highly interested in others' experience about dynamic prefixes. How
> do you solve these problems, e.g., when a company has several remote
> offices with dynamic prefixes?

Not really solving your problem, but these were the main reasons why we
chose to provide (semi-)static prefixes to all users. "Business class"
users get fully static prefixes, while residential users get static
prefixes as long as they don't have to change access router (due to
changes in the layer2 access network).  Such events are rare, so most
users will never have to change their prefix.

This is implemented by pre-allocating prefixes for every user within
aggregation ranges allocated to the routers they connect to.  Rebooting,
or even replacing, the router will not affect the prefix.  Aggregating
per router avoids having too many prefixes in the table. For simplicity
we wanted to aggregate on nibble boundaries, and found that /36 was a
suitable tradeoff between number of routes and wasted addresses.  Each
access router will typically use more than one /36, but going up to a
/32 seemed excessive :)

(we give every user a /48, so there are only 4096 prefixes per /36).

Sorry for your problems, but I must admit I am happy to see such reports
indicating that our strategy makes sense.  To tell the truth, it wasn't
easy to sell the concept to an organization used to dynamic IPv4 pool
allocations.  Some of the counter arguments included "what about privacy
when the prefix is tied to a specific user?" and "will residential users
get business class service?"


But the only "real" problem so far is that some users might not like the
prefix they are assigned permanently.  Some of the reasons are actually
worth considering, like parts of the address looking like words with
specific negative meanings.




Bjørn
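
The allocation scheme described in the message above (a /48 per user, pre-allocated inside /36 aggregates assigned to each access router) can be sketched as follows. This is an added example, not code from the original post or from the poster's network. It assumes the 2001:db8::/32 documentation range, a hypothetical `RouterPool` class, and a per-router integer "slot" as the pre-allocation key. The reverse lookup shows why a stable prefix makes firewall policy and log attribution straightforward.

```python
import ipaddress

USER_PLEN = 48   # every user gets a /48 (from the post)
AGG_PLEN = 36    # per-router aggregate on a nibble boundary (from the post)
PER_AGG = 2 ** (USER_PLEN - AGG_PLEN)   # 4096 user prefixes per /36


class RouterPool:
    """Hypothetical model of one access router and its /36 aggregates."""

    def __init__(self, name, aggregates):
        self.name = name
        self.aggregates = [ipaddress.IPv6Network(a) for a in aggregates]
        for agg in self.aggregates:
            if agg.prefixlen != AGG_PLEN:
                raise ValueError(f"{agg} is not a /{AGG_PLEN}")

    def prefix_for(self, slot):
        """Deterministic slot -> /48 mapping; a reboot cannot change it."""
        agg_idx, offset = divmod(slot, PER_AGG)
        if slot < 0 or agg_idx >= len(self.aggregates):
            raise IndexError(f"slot {slot} outside pools of {self.name}")
        base = int(self.aggregates[agg_idx].network_address)
        return ipaddress.IPv6Network(
            (base + (offset << (128 - USER_PLEN)), USER_PLEN))

    def slot_of(self, address):
        """Reverse lookup: which user slot owns this source address?"""
        addr = ipaddress.IPv6Address(address)
        for idx, agg in enumerate(self.aggregates):
            if addr in agg:
                offset = (int(addr) - int(agg.network_address)) \
                    >> (128 - USER_PLEN)
                return idx * PER_AGG + offset
        return None


if __name__ == "__main__":
    # Constructed sample: one router holding two non-adjacent /36 blocks.
    pool = RouterPool("access-r1", ["2001:db8:1000::/36",
                                    "2001:db8:4000::/36"])
    for slot in (0, 4095, 4096):
        print(slot, pool.prefix_for(slot))
    print(pool.slot_of("2001:db8:4000:12::1"))
```

Only the two /36 routes need to appear in the routing table, while a remote firewall can reference each office's /48 as a fixed object.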


More information about the ipv6-ops mailing list