Here are my replies to this e-mail. Sorry for the late replies!

> On Sun, 10 Jul 2016 21:53:52 +0300, Nikolai Petrov said:
>
>> 1. Currently we do not have IPv6 in our network but I have seen the ISP is
>> giving us a "/56 Block" which from what I understand is a couple hundred "/64
>> Subnets". I think you can only have /64 subnets in IPv6. In our IPv4 setup we
>
> You can have other sized subnets, but 64 is very handy if you intend to use
> SLAAC auto-configure. There's also the danger of running into broken equipment
> that doesn't understand other sized subnets (similar to very old IPv4 gear that
> understood a /24, but exploded if told about a /23 or /25).

I really like SLAAC and its design and I would very much like to use it. Therefore we will be using /64 IP ranges. Is there any way to limit the number of devices in a subnet to avoid problems and attacks? I don't think the equipment will work with 2^64 devices in a single subnet...

>> have 32 addresses, four of which I will use for NAT and the remaining needed
>> for online services and servers. In IPv6 we have a lot of addresses but I am
>> not sure whether I should give an address of the ISP to every device. I found
>
> Assign a /64 to everyplace that you would assign a subnet in IPv4. Give each
> device on that subnet its own address. Use DHCPv6 or SLAAC or both, whatever
> gets the job done in your situation. Don't worry about NAT anymore, you have
> enough addresses.
>
>> that there is an organization that can help avoid collisions in private IPs:
>> https://www.sixxs.net/tools/grh/ula/ . From what I can tell it is just a
>> registry, but I am thinking of registering the ranges there and then use these
>> subnets and NAT them to the IPv6 address of the router.
>
> Don't do that. NAT was invented to fix a problem that IPv6 doesn't have. Feel
> free to give every single device a global address. (You'll still want a
> stateful firewall someplace, but it doesn't have to do NAT, it just has to keep
> track of legitimate versus malicious traffic).

So why are these addresses there? For installations not connected to the Internet?

> And don't freak out if a device has more than one address. As I'm writing this
> from the sofa in my living room, my laptop wireless has:
>
> ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>         inet 192.168.1.150 netmask 255.255.255.224 broadcast 192.168.1.159
>         inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x0<global>
>         inet6 2601:5c0:c100:6431:c01:a589:19a4:236e prefixlen 64 scopeid 0x0<global>
>         inet6 2601:5c0:c100:6431::d67 prefixlen 128 scopeid 0x0<global>
>         inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf prefixlen 64 scopeid 0x0<global>
>         inet6 fe80::cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x20<link>
>         inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9 prefixlen 64 scopeid 0x0<global>
>         ether c8:d7:19:37:0c:02 txqueuelen 1000 (Ethernet)
>
> (One DHCPv6 - ::d67. One SLAAC - the one with ff:fe in it. And 4 different
> RFC3041 privacy addresses that it's chunked out over the weekend. It works
> just fine that way - and it's *designed* to do so. (Of course, in a corporate
> environment, you may want to turn the privacy addresses off, and only use
> one of DHCPv6/SLAAC - I do it this way because it tests for broken
> software...)

Thanks for letting me know ahead of time. I have read up on the privacy addresses and we don't need them, as you say. Is there a reason you use DHCPv6 and SLAAC? Is it for compatibility? Can I use DHCPv4 to give out DNSv6 addresses?

> Oh, and don't block ICMPv6. :)

I was never a fan of blocking ICMP, except the redirects in some cases...

>> something strange. The WAN port of our router gets a /64 IPv6 address which is
>> not in our IPv6. Should I use this for NAT or one of "our" addresses?
>
> You use it for the IP address of the provider-facing interface of your router.
> Assign the "inside" interface(s) addresses on the appropriate /64 subnet that
> they will be on.

Oh, so this is like BGP... In my previous company we had BGP connections and we used an IPv4 /30 for these connections which was not within our IP range. I thought they would give us a /126 and not a full /64 so I did not think that was it... Thanks!
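The thread makes two concrete technical points: a /56 delegation is carved into /64 subnets, and a single interface legitimately carries several kinds of IPv6 address at once (link-local, a SLAAC EUI-64 address whose interface identifier contains ff:fe and is derived from the MAC, a DHCPv6 lease, and RFC 4941 temporary "privacy" addresses). The script below is an added example written for this page, not code from either participant; it parses the ifconfig output quoted above (embedded here as a constructed sample, with the 2001:db8:: documentation prefix used for the /56 arithmetic) and labels each address so an administrator can verify, for instance, that privacy addresses really are disabled on corporate hosts. The address labels and the /128-means-DHCPv6 rule are assumptions that hold for the quoted output, not a general classifier.

```python
import ipaddress
import re

# Constructed sample: the interface listing quoted in the thread.
SAMPLE_IFCONFIG = """\
ra0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.150 netmask 255.255.255.224 broadcast 192.168.1.159
        inet6 2601:5c0:c100:6431:cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:c01:a589:19a4:236e prefixlen 64 scopeid 0x0<global>
        inet6 2601:5c0:c100:6431::d67 prefixlen 128 scopeid 0x0<global>
        inet6 2601:5c0:c100:6431:1dc3:657:eda6:8abf prefixlen 64 scopeid 0x0<global>
        inet6 fe80::cad7:19ff:fe37:c02 prefixlen 64 scopeid 0x20<link>
        inet6 2601:5c0:c100:6431:ad68:c60c:583:19e9 prefixlen 64 scopeid 0x0<global>
        ether c8:d7:19:37:0c:02 txqueuelen 1000 (Ethernet)
"""

INET6_RE = re.compile(r"inet6\s+(\S+)\s+prefixlen\s+(\d+)")
ETHER_RE = re.compile(r"ether\s+([0-9a-f:]{17})")


def eui64_from_mac(mac):
    """Interface identifier SLAAC derives from a 48-bit MAC (RFC 4291 App. A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    octets[0] ^= 0x02
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(eui, "big")


def classify(addr, prefixlen, mac):
    """Label one address the way the reply does. Assumed rules for this sample:
    link-local, EUI-64 iid -> SLAAC, a /128 -> DHCPv6 lease, anything else in a
    /64 -> RFC 4941 temporary (privacy) address with a random iid."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & ((1 << 64) - 1)          # low 64 bits = interface identifier
    if ip.is_link_local:
        return "link-local"
    if iid == eui64_from_mac(mac):
        return "slaac-eui64"
    if prefixlen == 128:
        return "dhcpv6"
    return "privacy"


def classify_interface(text):
    """Map every inet6 address in an ifconfig listing to its assumed label."""
    mac = ETHER_RE.search(text).group(1)
    return {addr: classify(addr, int(plen), mac) for addr, plen in INET6_RE.findall(text)}


def privacy_addresses(text):
    """Addresses an administrator would expect to see none of on a host with
    temporary addresses turned off."""
    return sorted(a for a, kind in classify_interface(text).items() if kind == "privacy")


def subnet_count(block, new_prefix=64):
    """How many /new_prefix subnets a delegated block contains (a /56 holds 2**8 /64s)."""
    net = ipaddress.IPv6Network(block, strict=False)
    return 2 ** (new_prefix - net.prefixlen)


def first_subnets(block, n, new_prefix=64):
    """The first n /64s of a delegation, e.g. to assign one per IPv4-style subnet."""
    net = ipaddress.IPv6Network(block, strict=False)
    out = []
    for sub in net.subnets(new_prefix=new_prefix):
        if len(out) == n:
            break
        out.append(str(sub))
    return out


if __name__ == "__main__":
    for addr, kind in classify_interface(SAMPLE_IFCONFIG).items():
        print(f"{kind:12} {addr}")
    print("privacy addresses present:", privacy_addresses(SAMPLE_IFCONFIG))
    print("/64s in a /56:", subnet_count("2001:db8:ab00::/56"))
    print("first four:", first_subnets("2001:db8:ab00::/56", 4))
```

On the quoted listing the script finds one link-local, one SLAAC address (its identifier equals the EUI-64 of c8:d7:19:37:0c:02), one /128 labelled DHCPv6 and the remaining global /64 addresses labelled privacy; run against a host where temporary addresses have been disabled, `privacy_addresses` should return an empty list.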

