Why used DHCPv6 when RA has RDNSS and DNSSL?
Gert Doering
gert at space.net
Thu Apr 2 08:19:17 CEST 2020
Hi,
On Thu, Apr 02, 2020 at 12:09:34AM -0300, Fernando Gont wrote:
> On 1/4/20 14:16, Gert Doering wrote:
> [...]
> > Even IETF discontinued recommending DHCPv6-PD for "inside a home network",
> > because it doesn't work.
>
> Would you mind elaborating on this one?
Which of the two parts? :-)
As far as I understand, the official IETF recommendation for "how to
run a home with multiple subnets" is "homenet / HNCP" now, which distributes
individual /64s via HNCP, not whole prefixes via DHCPv6-PD.
The reason why I state "DHCPv6 doesn't work" is "in practice". There is
a practical lack of interest from vendors to make it work properly (as in,
you can properly tie the delegated prefix(es) to ACLs, for example).
On the "why is this a bad idea to start with" side, the chunkiness of
subnet distribution makes it really unsuitable for anything but the most
simple 1-level hierarchy.
So, ISP-to-customer, delegates a /56. Next-level router asks for a prefix,
and gets... what? Third-level router asks for a prefix, and gets what?
Corporate ISP-to-customer delegates a /48, so theoretically, there are
"enough /56s in there to do lots of PD delegation to next-level routers" -
but in practice, a /48 is supposed to be sufficient for a good-sized
office building with *lots* of internal structure, and as soon as you
have lots of internal network segments, you have no liberty to just give
out random /56s here and there anymore.
Now, abandon the idea of "multi-level" DHCPv6-PD, and just assume "all
you'll ever see is mobile clients asking for a single /64" (which, as
I heard, is thinking too small, because you can have stacks of stacks,
but stick to the /64 for the moment). Normally, you'd assign a /64 per
network segment - office LAN floor 1, 2, 3, guest LAN, etc. - and have
(effectively) an infinite number of addresses for more machines than
you can ever connect. If you need to set aside "as many /64s as machines
could ever connect", you'll end up reserving /56s (256 hosts)
or even more *per LAN*. Which will totally ruin your address planning,
and all of a sudden a /48 will be *tight* for a normal company network.
So you need to somehow build a prefix distribution mechanism, so people
can have an arbitrary number of PD prefixes in "wherever network they
happen to be". So we're back to multi-level PD, with all the challenges
(firewall rules, ACLs, internal routing, ...). And even then, a /48
might no longer be sufficient for a company with, say, 500 internal
network segments and 40.000 employees - where it would be extremely
spacious otherwise.
Could this be made to work? Possibly.
Is anyone interested in *paying* for this work? Doubtful.
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
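The address-planning arithmetic in the message above, worked through as an added example (this is editorial code, not part of Gert's post). It uses the documentation prefix 2001:db8::/48 and the figures from the message (500 segments, 256 devices per LAN, a /48 or /56 per site) as assumed inputs, and computes how many sub-prefixes a site prefix holds, how much must be reserved per segment if every device is to get its own /64 via PD, and how many delegations each level of a multi-level PD hierarchy can hand out.

```python
import ipaddress
import math

# Documentation prefix (RFC 3849); the /48 and /56 sizes match the message.
SITE_48 = "2001:db8::/48"
SITE_56 = "2001:db8::/56"


def subprefixes_available(prefix: str, child_prefixlen: int) -> int:
    """Number of child prefixes of length child_prefixlen inside prefix."""
    net = ipaddress.IPv6Network(prefix)
    if child_prefixlen < net.prefixlen or child_prefixlen > 128:
        raise ValueError("child prefix length must be between parent length and 128")
    return 1 << (child_prefixlen - net.prefixlen)


def reservation_prefixlen(devices_per_segment: int) -> int:
    """Prefix length to reserve per segment so every device can be delegated its own /64."""
    if devices_per_segment < 1:
        raise ValueError("need at least one device per segment")
    # 256 devices -> 8 bits -> /56 per segment; 1 device -> plain /64.
    return 64 - math.ceil(math.log2(devices_per_segment))


def plan_fits(site_prefix: str, segments: int, per_segment_prefixlen: int) -> bool:
    """True if the site prefix holds at least `segments` blocks of the given length."""
    return subprefixes_available(site_prefix, per_segment_prefixlen) >= segments


def pd_hierarchy(site_prefix: str, level_prefixlens: list[int]) -> list[int]:
    """For a chain of PD levels (site -> level 1 -> level 2 ...), return how many
    delegations each router can hand out to the next level below it."""
    parent = ipaddress.IPv6Network(site_prefix).prefixlen
    per_level = []
    for child in level_prefixlens:
        if child < parent or child > 128:
            raise ValueError("prefix lengths must grow monotonically down the hierarchy")
        per_level.append(1 << (child - parent))
        parent = child
    return per_level


def segment_plan(site_prefix: str, segments: int, devices_per_segment: int) -> dict:
    """Summarise whether a site can reserve enough per-segment PD space for its segments."""
    per_seg = reservation_prefixlen(devices_per_segment)
    available = subprefixes_available(site_prefix, per_seg)
    return {
        "per_segment_prefixlen": per_seg,
        "segments_available": available,
        "fits": available >= segments,
    }


if __name__ == "__main__":
    # One /64 per segment: a /48 has room for far more than 500 segments.
    print("/64 per segment:", segment_plan(SITE_48, 500, 1))
    # Reserve a /56 per segment so 256 devices can each get a /64: only 256 such blocks exist.
    print("/56 per segment:", segment_plan(SITE_48, 500, 256))
    # Multi-level PD below a /48: /56 to floor routers, /60 below that, /64 at the leaf.
    print("delegations per level:", pd_hierarchy(SITE_48, [56, 60, 64]))
    # A home /56 offers 256 /64s with no room for a further hierarchy level.
    print("home /56 -> /64:", pd_hierarchy(SITE_56, [64]))
```

Running it shows the point of the message: 500 segments at one /64 each fit trivially in a /48 (65536 /64s), but reserving a /56 per segment for device-level PD needs 500 of the 256 available /56s, so the plan does not fit; and below a /56-per-floor delegation each router only has sixteen /60s (then sixteen /64s) to pass down.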