IPv6 Dynamic Prefix Problems

[Jeroen Massar]

On 2015-12-16 10:40, Jens Link wrote:
> Johannes Weber <johannes at webernetz.net> writes:
[..]
> 5) Use a SIXXS / HE Tunnel 

Tunnel brokers (RFC3053) are transition technologies, they won't be here
forever. You likely wanted to point out commercial VPN solutions that
can provide these services just like the normal ISP who is apparently
providing insufficiently configured connectivity.

With IPv6 being 20 years old (RF1883) that transition has to end
somewhere...

Note that SixXS will be having a nice "Call your ISP for IPv6" action[1]
starting somewhere next week.

This hopefully will get people finally calling up to their ISPs and
asking for IPv6 instead of just easily bypassing IPv6 deployment with
easier means.

There is no reason anymore (missing CPE/PE device support, missing OS
support, missing software support) for 'testing IPv6', various locations
are running it natively, many are even forcing DS-Lite/CGN to make sure
they can keep the IPv4 addresses for 'business' customers. Hence, if an
ISP did not take care in the last say 10 years of getting ready for
IPv6, then they won't do that in the next few years either, thus better
to abandon hope and chose wisely with your money.


As for the dynamic issue, everybody seems to forget the great idea that
Microsoft provided: Direct Access[2] or using the 'IPv6 security
feature': IPSEC.

Sign your packets, and check that the signature is valid & known on the
receiving side, presto, does not matter what the prefix is anymore.

Indeed, that does not work like PI, but all/most-of the work on
alternative models have been abandoned, which is why there are so many
/48s PI prefix and sub-prefixes out of PA (Provider Aggregated, remember
that ;) in your routing tables....

Routing scaling research will be fun, but in the end, that is the only
real way to handle that situation.

Greets,
 Jeroen

[1] https://www.sixxs.net/news/2015/#happybirthdayipv6ipv6turns20ye-1201
[2] https://en.wikipedia.org/wiki/DirectAccess