IPv6 Dynamic Prefix Problems
Gert Doering
gert at space.net
Wed Dec 16 11:29:25 CET 2015
Hi,
On Wed, Dec 16, 2015 at 10:33:29AM +0100, Johannes Weber wrote:
> what are your experiences with dynamic IPv6 prefixes? Here in Germany,
> several ISPs only offer dynamic /56 prefixes that change after a router
> reboot. Of course, for "normal" end-users this is not a problem. But for
> companies having several remote offices behind such ISP lines, this is a
> problem. (And of course, for me as a network guy, too. ;))
I do feel your pain, but I wonder if this is not just assumptions that
need to go away - and if this is the right way to *make* them go away
(by breaking stuff that relies on "the IPv6 address of <box> will never
ever change!").
Yes, network people like to have SSH sessions that survive for weeks or
longer, but really, we're just 0.01% of the users - and typical users
have no idea what a "long-lived TCP session" might be...
OTOH, what you really want is multihoming with two different IPv6 access
ISPs, and that will have to work with "I get one prefix from each ISP
and my devices have to handle having multiple addresses, some of them
coming and going at unexpected times" - which inevitably leads to needing
new strategies for service discovery (= "dynDNS") and session failover
in case one of the addresses just stops working because the ISP line
broke.
[..]
> 1) Many DNS changes for services behind the dyn prefix (not all devices
> are able to update DNS records)
This indeed is tricky. OTOH, AVM can do it for devices *behind* the
router, so we "just" need to ensure router vendors understand what
is needed...
> 2) Security policies with DynDNS ranges (how to allow a dyn IPv6-range
> in other firewall policies?)
Is "relying on source IP address" a good security strategy?
> 3) Routing inside IPv6 VPN tunnels (solved with OSPFv3, but maybe not
> optimal?)
The "multiple addresses" model lends itself to "the VPN will provide
yet another /64 for the LAN, and by choosing the appropriate *source*
address the client will decide whether it wants to go into the VPN or
not" (homenet source-address dependent routing).
> I am highly interested in others' experience about dynamic prefixes. How
> do you solve these problems, e.g., when a company has several remote
> offices with dynamic prefixes?
Add a second prefix from the internal company range and put that into the
VPN (source address selection will nicely handle this today, unlike
all the potential pitfalls with proper source address *failover* in the
multihoming case).
Food for thought, not an "answer today".
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
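Added illustration of the source address selection Gert's suggestion relies on; this is not code from the thread or from any of the posters. It implements the two RFC 6724 rules that decide the case (rule 6, matching policy label; rule 8, longest matching prefix) and runs it over a constructed host that holds one address from a dynamic ISP /56 and one from an internal ULA company range carried inside the VPN; all prefixes and addresses are made up for the example.

```python
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label).
POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]
POLICY = [(ipaddress.ip_network(p), prec, lab) for p, prec, lab in POLICY]


def policy_label(addr: ipaddress.IPv6Address) -> int:
    """Label of the longest policy-table prefix covering addr (RFC 6724 rule 6)."""
    return max((net.prefixlen, lab) for net, _prec, lab in POLICY if addr in net)[1]


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    """Number of leading bits a and b share (RFC 6724 rule 8)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(candidates, destination):
    """Return the source address a host would pick for destination.

    Simplified RFC 6724: rule 6 (prefer matching label), then rule 8
    (longest matching prefix). Scope, deprecation and interface rules are
    omitted because every candidate here is a preferred global-scope
    address on the same host.
    """
    dst = ipaddress.IPv6Address(destination)
    cands = [ipaddress.IPv6Address(c) for c in candidates]
    best = max(cands, key=lambda c: (policy_label(c) == policy_label(dst),
                                     common_prefix_len(c, dst)))
    return str(best)


# Constructed host: one address out of the ISP's dynamic /56 (here the
# 2001:db8:1234:5600::/64 subnet) and one out of an internal ULA company
# range (fd00:1234::/32) that is reachable only through the VPN.
HOST_ADDRS = ["2001:db8:1234:5600::10", "fd00:1234:100::10"]

if __name__ == "__main__":
    for dst in ["2001:db8:9999::53", "fd00:1234:200::1"]:
        print(dst, "->", select_source(HOST_ADDRS, dst))
```

The host picks the ULA source for the remote-office destination and the ISP-delegated source for everything else; the router still has to route on that source address (source-address dependent routing) for the VPN split to actually happen. When the company range is global unicast rather than ULA, both candidates carry the same label and rule 8 alone decides.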