Re: [IPv6 Users] IPv6 hierarchical addresses and assignment policy

2008-08-06 Thread Alexandru Petrescu
Warly wrote:
>> Or are the user PC IPv6 addresses hard-coded on the PC? (e.g. I 
>> sell this PC to this end user and its address I decide to be e.g. 
>> 1::1).
> 
> PC will have, first at least, a fixed IPv6 address in its 
> configuration. I am doing the PCs configuration in our production 
> center (my company is also manufacturing the PCs)

Hardcoding addresses into sold PCs is of course a little preferable
idea, especially knowing that it may prove to be a chicken&egg problem
to change that address remotely (with the management system relying on
that address).  Second, boxes at home that need to be rebooted every
time a parameter changes aren't preferable either.

> Later on I may use DHCPv6, but as far as I could read, this is not 
> yet working very well through IPSec.

Well, depends.  If OSPFv3 works through the IPsec tunnel then DHCPv6
will work too.

>>> Through this VPN IPv6-in-IPv4 network the user can access the 
>>> IPv6 backbone, or other computers in the same network with global
>>>  IPv6 addresses.
>> I'm not sure how this can work.  Generally speaking I'm used to VPN
>>  to mean exclusively IPv4-in-IPv4 with an initial IKE exchange. I'm
>> not sure whether IPv6-in-IPv4 is still called 'VPN'.  Secure 
>> IPv6-in-IPv6 is maybe ssh... but I'm not sure what you mean 
>> precisely by IPv6-in-IPv4 VPN.
> 
> Well, technically speaking, this is some kind of UDPv4 encapsulation
>  of IPSecv6 packets.

So the UDPv4 headers are unprotected?

>>> This is an interesting point. I was thinking that households will 
>>> preferably use masquerading techniques for the internal network,
>> Well there are no masquerading techniques for IPv6, as they exist 
>> in IPv4 linux parlance.  There's no IPv6 NAT currently (no 
>> software, no standards).
> 
> Ok.
> 
>>> The current goal is to include all the computers in an IPv6 
>>> network for remote management and peer 2 peer exchanges with the
>>> collateral effect to have an IPv6 ready computer and an uplink to
>>> the IPv6 backbone. So the IPv6 connectivity is not the primary 
>>> target, but somehow be practical.
>> Makes sense.  It sounds as if you want to build an IPv6 network 
>> that looks like an overlay network over the IPv4 network.  This 
>> makes a lot of sense for IPv6 in general.  The details are 
>> relevant.
> 
> This is exactly what I would like to do. And as the number of 
> households could be several tens of thousands, I wanted to be sure my
>  IPv6 addressing policy was correct and admitted.

Yes, this should be identified.  As you already said, thousands of
prefixes can be encoded in as little as 16 bits between positions 48 and 64.

Other side remarks...

I'd say that if the new box is the first hop out of the home then one
could easily use 6to4 technology - widely available.  If the box is
_not_ the  first-hop out of the home, but somewhere deeper in the
household network, behind the IPv4 NAT running on the first-hop existing
box, then it's different, 6to4 through NAT is working badly (depending
on the type of NAT).  Commercially speaking, I think one has more
chances to sell non-first-hop boxes because the first-hop boxes are
already largely controlled by huge market players.  Or you may be part
of those.

And of course there are many other variables.

A sometimes safe way is to reuse to the maximum the widely available
software, understand the standards evolution and be ready when things
(e.g. DHCPv6) arrive.  Designing an IPv6 addressing architecture that
ignores DHCPv6 Prefix Delegation is probably prone to later change.

Anyways, great opportunities.

Alex

___
Users mailing list
[email protected]
https://lists.ipv6.org/mailman/listinfo/users


Re: [IPv6 Users] IPv6 hierarchical addresses and assignment policy

2008-08-06 Thread Warly
Alexandru Petrescu <[EMAIL PROTECTED]> writes:

> Warly wrote:
>
> Hmmm... I'm not sure how the user can get an IPv6 address through a VPN
> tunnel.  Do you mean the end user PC has a virtual interface (put up by
> the VPN software) on which it will receive IPv6 Router Advertisements?
> The stateless address auto-config doesn't really work with Ethernet
> 64bit Interface ID in this case.
>
> Or do you mean the end user uses DHCPv6 Prefix Delegation on that VPN
> virtual interface?
>
> Or does the user PC use 6to4?
>
> Or are the user PC IPv6 addresses hard-coded on the PC? (e.g. I sell
> this PC to this end user and its address I decide to be e.g. 1::1).

PC will have, first at least, a fixed IPv6 address in its
configuration. I am doing the PCs configuration in our production center
(my company is also manufacturing the PCs)

Later on I may use DHCPv6, but as far as I could read, this is not yet
working very well through IPSec.

>> Through this VPN IPv6-in-IPv4 network the user can access the IPv6
>> backbone, or other computers in the same network with global IPv6
>> addresses.
>
> I'm not sure how this can work.  Generally speaking I'm used to VPN to
> mean exclusively IPv4-in-IPv4 with an initial IKE exchange.  I'm not
> sure whether IPv6-in-IPv4 is still called 'VPN'.  Secure IPv6-in-IPv6 is
> maybe ssh... but I'm not sure what you mean precisely by IPv6-in-IPv4 VPN.

Well, technically speaking, this is some kind of UDPv4 encapsulation of
IPSecv6 packets.

>> This is an interesting point. I was thinking that households will
>> preferably use masquerading techniques for the internal network,
>
> Well there are no masquerading techniques for IPv6, as they exist in
> IPv4 linux parlance.  There's no IPv6 NAT currently (no software, no
> standards).

Ok.

>> The current goal is to include all the computers in an IPv6 network
>> for remote management and peer 2 peer exchanges with the collateral
>> effect to have an IPv6 ready computer and an uplink to the IPv6
>> backbone. So the IPv6 connectivity is not the primary target, but
>> somehow be practical.
>
> Makes sense.  It sounds as if you want to build an IPv6 network that
> looks like an overlay network over the IPv4 network.  This makes a lot
> of sense for IPv6 in general.  The details are relevant.

This is exactly what I would like to do. And as the number of households
could be several tens of thousands, I wanted to be sure my IPv6
addressing policy was correct and admitted.

-- 
Warly


Re: [IPv6 Users] IPv6 hierarchical addresses and assignment policy

2008-08-06 Thread Alexandru Petrescu
Warly wrote:
[...]
> In the first place the end user will get a dynamic IPv4 address for 
> Internet connectivity, but will also get an IPv6 address through the 
> VPN network.

Hmmm... I'm not sure how the user can get an IPv6 address through a VPN
tunnel.  Do you mean the end user PC has a virtual interface (put up by
the VPN software) on which it will receive IPv6 Router Advertisements?
The stateless address auto-config doesn't really work with Ethernet
64bit Interface ID in this case.

Or do you mean the end user uses DHCPv6 Prefix Delegation on that VPN
virtual interface?

Or does the user PC use 6to4?

Or are the user PC IPv6 addresses hard-coded on the PC? (e.g. I sell
this PC to this end user and its address I decide to be e.g. 1::1).

> Through this VPN IPv6-in-IPv4 network the user can access the IPv6 
> backbone, or other computers in the same network with global IPv6 
> addresses.

I'm not sure how this can work.  Generally speaking I'm used to VPN to
mean exclusively IPv4-in-IPv4 with an initial IKE exchange.  I'm not
sure whether IPv6-in-IPv4 is still called 'VPN'.  Secure IPv6-in-IPv6 is
maybe ssh... but I'm not sure what you mean precisely by IPv6-in-IPv4 VPN.

> The IPv6 network will also be used for connections between users, 
> which may be behind firewalls, so I need the addresses to be routed. 
> Likely link-local will not be adequate

Ah ok makes sense.

> This is an interesting point. I was thinking that households will 
> preferably use masquerading techniques for the internal network,

Well there are no masquerading techniques for IPv6, as they exist in
IPv4 linux parlance.  There's no IPv6 NAT currently (no software, no
standards).

[...]
> The current goal is to include all the computers in an IPv6 network 
> for remote management and peer 2 peer exchanges with the collateral 
> effect to have an IPv6 ready computer and an uplink to the IPv6 
> backbone. So the IPv6 connectivity is not the primary target, but 
> somehow be practical.

Makes sense.  It sounds as if you want to build an IPv6 network that
looks like an overlay network over the IPv4 network.  This makes a lot
of sense for IPv6 in general.  The details are relevant.

Alex




Re: [IPv6 Users] IPv6 hierarchical addresses and assignment policy

2008-08-06 Thread Warly
Alexandru Petrescu <[EMAIL PROTECTED]> writes:

>> I am working on the device management for an initial set of about 
>> 1 computers for the end of 2008. Those computers will be included
>> in an Internet subscription by an Internet Service Provider.
>
> Is this ISP kind of ADSL home subscription?  Or is it Enterprise?

Yes, this is Internet ADSL subscriptions for household.

[...] 

> The /64 network prefix depending on the central server - hmmm... Do you
> consider that the PC at the user's site is part of a network which is
> _already_ IPv6?  For example, an ADSL operator deploys IPv6 at home and
> there's already an IPv6 /64 prefix assigned to each ADSL subscriber.
> One would better re-use that prefix, I think, instead of assigning new
> prefixes through some tunnels.
>
> If the ISP doesn't deploy IPv6 to subscriber then there are several
> methods to deploy IPv6 to a SOHO when one has control on the ADSL box -
> 6to4 is a possibility and there are others.  With 6to4, the end user
> gets a /48 out of a single IPv4 address.

In the first place the end user will get a dynamic IPv4 address for
Internet connectivity, but will also get an IPv6 address through the VPN
network. Through this VPN IPv6-in-IPv4 network the user can access the
IPv6 backbone, or other computers in the same network with global IPv6
addresses.

[...]
 
>> Each home with the same Internet connection will share the same /64 
>> prefix. Each server will have a /48 prefix and could handle up to 
>> 2^16 different home networks. Likely this means I will need a /44 or
>> /40 prefix as soon as I use more than two management servers.
>> 
>> Should I use site local or global addresses for each computer, given 
>> that it could be connected to the IPv6 backbone? Can my application
>> for a /32 prefix be granted for such a need?
>
> No, no use of the site-local addresses, being deprecated.  Go for
> global addresses.  If your technical solution is IPv6-through-IPv4 then
> you may as well go for link-local addresses only (fe80::).

The IPv6 network will also be used for connections between users, which
may be behind firewalls, so I need the addresses to be routed. Likely
link-local will not be adequate

> I think yes, your application for a /32 could be granted, but I have no
> precise idea.  I would be more reasonable and ask for a /48, because
> you're talking about tens of thousands of subnets.  Is 65535 subnets
> enough?  Do you ask a RIR (RIPE)?  Or do you ask a super-provider?

I must admit I was looking for answers and clarification before any
request for a particular prefix. Moreover, I am not sure I am the one
who need to register the prefix, because I will provide a management and
IPv6 service to an Internet Service Provider for its customers. Maybe
this is what you call 'super-provider'?

>> Should I use 64 bit host id for the computer, or, given the high 
>> number of /64 subnet needed, I should go for /80 net prefix and 48 
>> bit only for host id ?
>
> That is a very good question that deserves pondering over, a lot.
>
> Software-wise: if you use the 64bit Ethernet IDs then there's much
> widely available software for address auto-configuration, whereas for
> more than 64bit (/80 net prefix) one needs to use DHCPv6 - less
> implementations, but available.

OK

> If you deliver /64 to a household and the manager of the household
> can't, or doesn't know, use DHCPv6 then that household is effectively
> limited to using one single IPv6 subnet.  At least by the current state
> of affairs in standardization.  This may prove constraining for the
> deployment of IPv6.  Many households have multiple IPv4 subnets (one for
> wifi, one gaming, one printing, one kids, etc.) and would like to
> migrate to IPv6 while keeping the same multi-subnet structure.  So it is
> more interesting to deliver less than /64 to a household (e.g. /60) so
> that the household manager can further split it up to /64.

This is an interesting point. I was thinking that households will
preferably use masquerading techniques for the internal network, but likely it
would be more convenient if they can use global addressing with adequate
firewalling. Then /60 or /56 may be preferred over /64, you are right.

> But, I'm not sure I understand the goal: is the goal to deliver IPv6 to
> household?  Or is to simply use IPv6 to remotely administer some
> machines?  Or is the goal to deploy a remote management system that is
> just compatible with IPv6 (be ready for IPv6 when it arrives)?  And
> finally, is the household already having IPv6 or not.

The household will have a default IPv4 connectivity, and an extra IPv6
connectivity thanks to the management network. Later on maybe the
provider will switch to IPv6 only, but this is not scheduled right now.

The current goal is to include all the computers in an IPv6 network for remote
management and peer 2 peer exchanges with the collateral effect to have
an IPv6 ready computer and an uplink to the IPv6 backbone. So the IP

Re: [IPv6 Users] IPv6 hierarchical addresses and assignment policy

2008-08-06 Thread Alexandru Petrescu
Warly wrote:
> Hello,
> 
> This mail is about a deployment of computers with IPv6 network stack 
> and questions about best practices in this regard.
> 
> Please feel free to redirect me to more appropriate mailing lists if 
> this is not the right one.

I think this list is fine.  There are [EMAIL PROTECTED] and
[EMAIL PROTECTED] lists that may discuss this from a standardization
perspective.  There may also be a list at RIPE talking allocation policy.

> I am working on the device management for an initial set of about 
> 1 computers for the end of 2008. Those computers will be included
> in an Internet subscription by an Internet Service Provider.

Is this ISP kind of ADSL home subscription?  Or is it Enterprise?

> Those computers will use a classic IPv4 network stack for Internet 
> connectivity with dynamic IPv4 addresses.
> 
> However those computers will be remotely administrated. To do so I 
> intend to use an IPsec VPN with IPv6 unique address per computer.
> 
> The management servers will have IPv6 connectivity to the IPv6 
> backbone, so the IPv6 VPN used for network administration could also 
> be used as tunnel to access the IPv6 backbone by the computers.
> 
> My initial idea was to assign to each computer an unique 64 bit host 
> id and a /64 network prefix based on the management server it depends
> on.

The 64bit HostID can easily be derived from the MAC address, especially
if it's a PC with Ethernet card - the IPv6 stacks all do that.  No need
for a person to assign these host ids (if that's what you meant).

The /64 network prefix depending on the central server - hmmm... Do you
consider that the PC at the user's site is part of a network which is
_already_ IPv6?  For example, an ADSL operator deploys IPv6 at home and
there's already an IPv6 /64 prefix assigned to each ADSL subscriber.
One would better re-use that prefix, I think, instead of assigning new
prefixes through some tunnels.

If the ISP doesn't deploy IPv6 to subscriber then there are several
methods to deploy IPv6 to a SOHO when one has control on the ADSL box -
6to4 is a possibility and there are others.  With 6to4, the end user
gets a /48 out of a single IPv4 address.

> The initial 1 computers may then be followed by several other 
> bunch of 1 computers, depending on the commercial success of the
>  offer.
> 
> Depending on the charge on the server, each server may handle a few 
> thousands of computers to a few tens of thousands.
> 
> Each home with the same Internet connection will share the same /64 
> prefix. Each server will have a /48 prefix and could handle up to 
> 2^16 different home networks. Likely this means I will need a /44 or
> /40 prefix as soon as I use more than two management servers.
> 
> Should I use site local or global addresses for each computer, given 
> that it could be connected to the IPv6 backbone? Can my application
> for a /32 prefix be granted for such a need?

No, no use of the site-local addresses, being deprecated.  Go for
global addresses.  If your technical solution is IPv6-through-IPv4 then
you may as well go for link-local addresses only (fe80::).

I think yes, your application for a /32 could be granted, but I have no
precise idea.  I would be more reasonable and ask for a /48, because
you're talking about tens of thousands of subnets.  Is 65535 subnets
enough?  Do you ask a RIR (RIPE)?  Or do you ask a super-provider?

> Should I use 64 bit host id for the computer, or, given the high 
> number of /64 subnet needed, I should go for /80 net prefix and 48 
> bit only for host id ?

That is a very good question that deserves pondering over, a lot.

Software-wise: if you use the 64bit Ethernet IDs then there's much
widely available software for address auto-configuration, whereas for
more than 64bit (/80 net prefix) one needs to use DHCPv6 - less
implementations, but available.

If you deliver /64 to a household and the manager of the household
can't, or doesn't know, use DHCPv6 then that household is effectively
limited to using one single IPv6 subnet.  At least by the current state
of affairs in standardization.  This may prove constraining for the
deployment of IPv6.  Many households have multiple IPv4 subnets (one for
wifi, one gaming, one printing, one kids, etc.) and would like to
migrate to IPv6 while keeping the same multi-subnet structure.  So it is
more interesting to deliver less than /64 to a household (e.g. /60) so
that the household manager can further split it up to /64.

But, I'm not sure I understand the goal: is the goal to deliver IPv6 to
household?  Or is to simply use IPv6 to remotely administer some
machines?  Or is the goal to deploy a remote management system that is
just compatible with IPv6 (be ready for IPv6 when it arrives)?  And
finally, is the household already having IPv6 or not.

Alex


> 
> Thanks!
> 

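An added worked example, not from the thread or either poster, that computes the pieces of the addressing plan discussed above: a /48 per management server, a 16-bit household id in the bits between positions 48 and 64 (and the /60-per-household variant, which only keeps 65536 households if the server holds a /44), the EUI-64 host id a stack derives from an Ethernet MAC, and the 6to4 /48 that follows from one IPv4 address. The 2001:db8::/32 operator block, the server and household ids, the MAC and the IPv4 address are constructed sample values.

```python
import ipaddress

# Constructed values (assumptions, not from the thread): a documentation
# prefix stands in for the block the operator would request from a RIR.
OPERATOR_BLOCK = ipaddress.IPv6Network("2001:db8::/32")


def carve(parent: ipaddress.IPv6Network, index: int, new_len: int) -> ipaddress.IPv6Network:
    """Return the index-th sub-prefix of length new_len inside parent.

    The sub-prefix id occupies the bits between parent.prefixlen and new_len,
    e.g. a household id in bits 48..64 of a server /48.
    """
    id_bits = new_len - parent.prefixlen
    if id_bits <= 0:
        raise ValueError("new prefix must be longer than the parent")
    if not 0 <= index < (1 << id_bits):
        raise ValueError(f"only {1 << id_bits} prefixes of /{new_len} fit in {parent}")
    base = int(parent.network_address) + (index << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def households_per_server(server_len: int, household_len: int) -> int:
    """How many household prefixes of household_len fit in one server prefix."""
    return 1 << (household_len - server_len)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface id that an IPv6 stack derives from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # flip the universal/local bit
    return int.from_bytes(bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:], "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfigured address: a /64 prefix plus the EUI-64 host id."""
    if prefix.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 site gets from its single public IPv4 address: 2002:V4ADDR::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


if __name__ == "__main__":
    server = carve(OPERATOR_BLOCK, 1, 48)       # one management server
    home = carve(server, 0x1234, 64)            # 16-bit household id in bits 48..64
    print(server, home, households_per_server(48, 64))
    # /60 per household keeps 65536 households only if the server holds a /44
    wide = carve(OPERATOR_BLOCK, 1, 44)
    print(carve(wide, 0x1234, 60), households_per_server(44, 60))
    print(slaac_address(home, "00:11:22:33:44:55"))
    print(sixto4_prefix("192.0.2.1"))
```

Asking `carve` for household 0x1234 as a /60 directly under a /48 raises, since only 4096 such prefixes fit there; that is the trade-off between /64 and /60 per household the thread weighs.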
