Posix Systems was recently allocated an IPv6 /32

I'm trying to understand how I can best meet both customer needs whilst keeping good aggregation and have come up with the following:

1) I get assigned a /32 (2001:42a0::) - where '42a0' is whatever is assigned (ok - what Posix was assigned!)

2) I am more or less expected to assign /48's to customers..
..which generally leaves 16 bits to assign to customers

My goal is to aggregate as much as possible - whilst learning from past "mistakes".

It would therefore seem a reasonable thing to split these 16 bits into something like 6 and 10. The first 6 bits (64 permutations) then becomes a logical geographical area - eg. Joburg, Cape Town, Swaziland - etc. and the last 10 bits (1024 permutations) becomes a customer in that area. This way - if the Cape Town peering point is ever re-resurrected, I can use a single net-mask (ie Route) to advertise all my Cape Town clients to that peering center. I might in fact reserve more than one set of 6 bits for the Johannesburg area (ie - 4 bits for the area and 12 bits for customers) - but that would probably be the only variation. I'm currently using 4 bits for an area and the remainder for customers. I'm also using a /48 in each area for internal use (ie - local hosting, dial-up - etc), so if I lose long distance links - all the 'local' stuff would still work / be accessible.

As far as I can see - many LIR's simply allocate the next logical /48 block to the next customer and disregard any possibility of regionalising IPv6 addresses.

What do others think? Anything better?


Posix Systems (like other ISPs) does customer hosting of machines, many of which need multiple IP addresses for different SSL sites - etc. An assumption is that most people would allocate a full /64 to an Ethernet interface.

The simple mapping of a MAC address to the Host portion (ie - the last 64bits) of an IPv6 address does not allow for the easy addition of multiple IP's on the same machine. It does however make scanning a /64 difficult - unless you know that the hosting company only uses one particular brand of Ethernet card.

Given a MAC address of: 00:0D:56:FE:CB:08, (which auto becomes...::020d:56ff:fefe:cb08) I propose to turn this into....
NNNN would be a simple sequence number (from 0 or 1 upwards). [I have noticed that providing a range of IPv6 addresses on a Linux machine, ie...
config_eth1=( "192.96.28.{1..9}/24"
.... only works for decimal values - it chokes on Hex values (A-F)]

The MMMM could map to a security map of what ports that IP address should be allowed to accept......
The 16 bits could be defined as...

1 - ssh (port 22)
2 - web (port 80)
3 - ssl web (443)
4 - pop3 ( both 110 and 195)
5 - imap (both 143, 220 and 993)
F - anything (no auto firewall)

..thus a value of :0: would not allow the (upstream) firewall to send through anything, but a value of :ffff: would allow everything through.. thus a hosting client could define for themselves what ports the firewall would let through...

I'd then use a common set of filter lists on my firewall - just to look at those bits - for the majority of customers. There will always be exceptions to some customers - but this can be handled in the traditional way.

Anyone done anything like this?
Other Suggestions?

Mark J Elkins, SCO ACE, Cisco CCIE - Posix Systems - Sth Africa
[EMAIL PROTECTED]
Tel: +27 12 807 0590  Cell: +27 82 601 0496

resource-policy mailing list
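An added example (not from the post or from Posix Systems) that works through both proposals above: carving the 16 bits between the /32 and the customer /48 into an area part and a customer part, and decoding the MMMM policy field into the ports the upstream firewall should pass. It assumes the policy field sits in the low 16 bits of the address and that each hex digit of it holds one of the service codes listed in the post (0 = nothing, F = anything); the post does not fix either of those details, and the port numbers are taken as written there.

```python
import ipaddress

# The /32 named in the post.
BASE = ipaddress.IPv6Network("2001:42a0::/32")

def customer_prefix(base, area, customer, area_bits=6):
    """The customer's /48 under `base`, with the 16 bits between /32 and /48
    split into `area_bits` for the region and the rest for the customer
    number (6+10 as proposed, 4+12 as currently used)."""
    cust_bits = 16 - area_bits
    if not (0 <= area < 1 << area_bits and 0 <= customer < 1 << cust_bits):
        raise ValueError("area or customer index does not fit this split")
    site = (area << cust_bits) | customer
    # Bits 80..95 of the address are the 16 bits in question.
    return ipaddress.IPv6Network((int(base.network_address) | (site << 80), 48))

def area_aggregate(base, area, area_bits=6):
    """The single route that covers every customer /48 in one area."""
    cust_bits = 16 - area_bits
    net = int(base.network_address) | (area << (80 + cust_bits))
    return ipaddress.IPv6Network((net, 32 + area_bits))

# Service codes and ports exactly as listed in the post.
SERVICE_PORTS = {1: (22,), 2: (80,), 3: (443,), 4: (110, 195), 5: (143, 220, 993)}

def allowed_ports(addr):
    """Decode the MMMM field of `addr` into the TCP ports the firewall
    should let through.  Returns None for 'anything' (a hex digit F),
    otherwise a frozenset of ports (empty for :0:).
    Assumption: the field is the low 16 bits of the address."""
    field = int(ipaddress.IPv6Address(addr)) & 0xFFFF
    ports = set()
    for shift in (12, 8, 4, 0):
        code = (field >> shift) & 0xF
        if code == 0xF:
            return None          # no auto firewall for this address
        ports.update(SERVICE_PORTS.get(code, ()))
    return frozenset(ports)

if __name__ == "__main__":
    p = customer_prefix(BASE, area=1, customer=5)          # 2001:42a0:405::/48
    print(p, area_aggregate(BASE, area=1))                 # ... 2001:42a0:400::/38
    print(allowed_ports("2001:42a0:405::1:0123"))          # ssh, web, ssl web
```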
