Why used DHCPv6 when RA has RDNSS and DNSSL?

Gert Doering gert at space.net
Thu Apr 2 08:19:17 CEST 2020


Hi,

On Thu, Apr 02, 2020 at 12:09:34AM -0300, Fernando Gont wrote:
> On 1/4/20 14:16, Gert Doering wrote:
> [...]
> > Even IETF discontinued recommending DHCPv6-PD for "inside a home network",
> > because it doesn't work.
> 
> Would you mind elaborating on this one?

Which of the two parts? :-)

As far as I understand, the official IETF recommendation for "how to 
run a home with multiple subnets" is "homenet / HNCP" now, which distributes
individual /64s via HNCP, not whole prefixes via DHCPv6-PD.

The reason why I state "DHCPv6 doesn't work" is "in practice".  There is
a practical lack of interest from vendors to make it work properly (as in,
you can properly tie the delegated prefix(es) to ACLs, for example).

On the "why is this a bad idea to start with" side, the chunkiness of 
subnet distribution makes it really unsuitable for anything but the most
simple 1-level hierarchy.  


So, ISP-to-customer, delegates a /56.  Next-level router asks for a prefix,
and gets... what?  Third-level router asks for a prefix, and gets what?

Corporate ISP-to-customer delegates a /48, so theoretically, there are
"enough /56s in there to do lots of PD delegation to next-level routers" -
but in practice, a /48 is supposed to be sufficient for a good-sized
office building with *lots* of internal structure, and as soon as you
have lots of internal network segments, you have no liberty to just give
out random /56s here and there anymore.

Now, abandon the idea of "multi-level" DHCPv6-PD, and just assume "all 
you'll ever see is mobile clients asking for a single /64" (which, as
I heard, is thinking too small, because you can have stacks of stacks,
but stick to the /64 for the moment).  Normally, you'd assign a /64 per
network segment - office LAN floor 1, 2, 3, guest LAN, etc. - and have
(effectively) an infinite number of addresses for more machines than
you can ever connect.   If you need to set aside "as many /64s as there
could ever be machines connecting", you'll end up reserving /56s (256 hosts)
or even more *per LAN*.  Which will totally ruin your address planning,
and all of a sudden a /48 will be *tight* for a normal company network.

So you need to somehow build a prefix distribution mechanism, so people
can have an arbitrary number of PD prefixes in "wherever network they 
happen to be".  So we're back to multi-level PD, with all the challenges
(firewall rules, ACLs, internal routing, ...).  And even then, a /48
might no longer be sufficient for a company with, say, 500 internal
network segments and 40.000 employees - where it would be extremely 
spacious otherwise.


Could this be made to work?  Possibly.

Is anyone interested in *paying* for this work?  Doubtful.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
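An added example, not part of Gert's mail and not SpaceNet's code: a small Python model of the "chunkiness" argument above, using only the standard library's ipaddress module. Each router holds one prefix, carves it into fixed-size chunks and delegates them downward. The prefix lengths (a /56 to the home, /60 chunks to second-level routers, a /48 per corporate site, a /56 reserved per LAN that must hold a PD pool for its clients) are assumptions chosen to illustrate the post, not anyone's configured defaults. It shows both points: a three-level home chain ends with a router that holds a bare /64 and can delegate nothing further, and a /48 that reserves a /56 per segment holds only 256 segments, so 500 segments do not fit.

```python
"""Constructed example: model the chunkiness of hierarchical DHCPv6-PD.

Each router in the model receives one prefix, carves it into fixed-size
chunks and delegates those chunks to the next level.  All prefix lengths
used below are assumptions chosen for illustration.
"""
import ipaddress

LAN_PREFIX_LEN = 64  # smallest prefix a LAN can use (SLAAC needs a /64)


class PrefixPool:
    """Address space held by one router, delegated downward in chunks."""

    def __init__(self, prefix, chunk_len):
        self.prefix = ipaddress.IPv6Network(prefix)
        if not self.prefix.prefixlen <= chunk_len <= LAN_PREFIX_LEN:
            raise ValueError(
                f"chunk /{chunk_len} must lie between "
                f"/{self.prefix.prefixlen} and /{LAN_PREFIX_LEN}")
        self.chunk_len = chunk_len
        self._free = self.prefix.subnets(new_prefix=chunk_len)
        self.handed_out = []  # audit trail of delegated chunks (what an ACL would key on)

    @property
    def capacity(self):
        """Number of chunks this pool can ever delegate."""
        return 2 ** (self.chunk_len - self.prefix.prefixlen)

    def request(self):
        """Delegate the next free chunk, or None once the pool is exhausted."""
        try:
            chunk = next(self._free)
        except StopIteration:
            return None
        self.handed_out.append(chunk)
        return chunk


def delegation_chain(top_prefix, chunk_lens):
    """Follow one path down a PD hierarchy.

    chunk_lens[i] is the chunk size the router at level i+1 hands out.
    Returns one (level, prefix_held, spare_prefixes) tuple per router:
    for delegating routers, spare_prefixes is their pool capacity; for the
    last router it is how many /64s it could pass on after keeping one for
    its own LAN (zero when all it holds is a single /64).
    """
    chain = []
    held = ipaddress.IPv6Network(top_prefix)
    for level, chunk_len in enumerate(chunk_lens, start=1):
        pool = PrefixPool(str(held), chunk_len)
        chain.append((level, str(held), pool.capacity))
        held = pool.request()  # the prefix the next-level router receives
    spare = 2 ** (LAN_PREFIX_LEN - held.prefixlen) - 1
    chain.append((len(chunk_lens) + 1, str(held), spare))
    return chain


def segments_that_fit(site_prefix, per_segment_len):
    """How many network segments a site prefix holds when every segment is
    reserved a /per_segment_len: a /64 for a plain LAN, or e.g. a /56 if
    each LAN must itself hold a pool of /64s for PD to its clients."""
    site = ipaddress.IPv6Network(site_prefix)
    return 2 ** (per_segment_len - site.prefixlen)


if __name__ == "__main__":
    print("Home: ISP delegates a /56, CPE hands out /60s, next level hands out /64s")
    for level, prefix, spare in delegation_chain("2001:db8::/56", [60, 64]):
        print(f"  level {level}: holds {prefix}, can delegate {spare} more prefix(es)")

    print("Corporate /48, one /64 per segment:",
          segments_that_fit("2001:db8::/48", 64))
    print("Corporate /48, one /56 per segment for client PD:",
          segments_that_fit("2001:db8::/48", 56), "(500 segments will not fit)")

    pool = PrefixPool("2001:db8::/60", 64)
    granted = [pool.request() for _ in range(pool.capacity + 1)]
    print(f"Second-level /60 pool: request {pool.capacity + 1} returned {granted[-1]}")
```

The handed_out list is the piece a real implementation would need to export to the firewall or ACL layer; the post's complaint is precisely that vendors rarely wire that up.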