Re: Questions on IPv6 deployment

[William Herrin]

On Tue, Jan 17, 2017 at 5:13 PM, Matthew Huff  wrote:
> Please check the nanog archives.
> I was just responding to the argument that a /64 is wasteful and serves 
> little purpose.

Then respond. With explanation, reasoning and evidence. Telling me to
search a massive archive for nebulous discussions is a total cop-out.

Regards,
Bill


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 

Re: Questions on IPv6 deployment

[William Herrin]

On Tue, Jan 17, 2017 at 6:06 PM, Sander Steffann  wrote:
> One thing that comes to mind is that it seems that some routers only have 
> limited space in their routing tables for prefixes longer than a /64. If you 
> would configure a /127 on the link but push the /64 to the routing table then 
> you might both avoid ND Cache exhaustion and avoid the limitations on 
> longer-than-/64 prefixes.

Hi Sander,

IIRC, the problem was that some routers could only fit the first 64
bits in the TCAM so routes longer than /64 fell out of the fast path.
That was about half a decade ago. No idea if anything modern still
suffers from this.

That would impact every route in Matthew's proposed solution: the
loopbacks from the infrastructure /64 and the /127's from otherwise
unpopulated /64's. Because programmatically those /64's don't have one
prefix, they have two: the /127 for the link and the implicit null
route for everything else. The router has to honor the implicit null
route so it can't aggregate the /127 to /64 and keep it in the fast
path.

Regards,
Bill Herrin




-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 

Re: Questions on IPv6 deployment

[Sander Steffann]

Hi Bill,

> Op 17 jan. 2017, om 22:55 heeft William Herrin  het volgende 
> geschreven:
> 
> I'm always interested in learning something new. Please explain the
> DOS vectors you're referring to and how they're mitigated by
> allocating a /64 to the point to point link.

One thing that comes to mind is that it seems that some routers only have 
limited space in their routing tables for prefixes longer than a /64. If you 
would configure a /127 on the link but push the /64 to the routing table then 
you might both avoid ND Cache exhaustion and avoid the limitations on 
longer-than-/64 prefixes.

I personally prefer to set up my addressing plan that things like this are 
possible even if I don't do it today, but I also understand the choices you 
make. I don't think any of the choices is wrong. It mostly depends on 
expectations, used equipment and personal preference.

And thanks for mentioning "Minimum assignment to a customer: /60". That is 
indeed a very important one!

Cheers,
Sander



signature.asc
Description: Message signed with OpenPGP using GPGMail

RE: Questions on IPv6 deployment

[Matthew Huff]

Please check the nanog archives. There were some arguments that I and I assume 
others felt compelling why allocating a /64 per point to point link was a good 
idea. Your network, your rules. I was just responding to the argument that a 
/64 is wasteful and serves little purpose.



Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff    | Fax:   914-694-5669


> -Original Message-
> From: William Herrin [mailto:b...@herrin.us]
> Sent: Tuesday, January 17, 2017 4:56 PM
> To: Matthew Huff <mh...@ox.com>
> Cc: Michael Still <stillwa...@gmail.com>; nanog@nanog.org
> Subject: Re: Questions on IPv6 deployment
> 
> On Tue, Jan 17, 2017 at 4:07 PM, Matthew Huff <mh...@ox.com> wrote:
> > The reason for allocating a /64 for a point to point link is due to
> various denial of service attack vectors.
> 
> Hi Matthew,
> 
> I'm always interested in learning something new. Please explain the
> DOS vectors you're referring to and how they're mitigated by
> allocating a /64 to the point to point link.
> 
> 
> > Just do it.
> 
> No. But if you offer a good reason, I'll factor your reason in to my
> considerations.
> 
> Regards,
> Bill Herrin
> 
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: <http://www.dirtside.com/>

Re: Questions on IPv6 deployment

[joel jaeggli]

On 1/17/17 1:55 PM, William Herrin wrote:
> On Tue, Jan 17, 2017 at 4:07 PM, Matthew Huff  wrote:
>> The reason for allocating a /64 for a point to point link is due to various 
>> denial of service attack vectors.


if you mean allocating a /127, then... sure.

Neighbor discovery on point to point links could be a problem as is the
poential for looping behavior . There are of course ways other than
allocating a longer prefix to a point to point link to achieve that, 
e.g. disabling it. among other things You have to disable DAD anyway if
you ever plan to loop them up for testing.

these are detailed in

https://tools.ietf.org/html/rfc6164
>> Hi Matthew,
>>
>> I'm always interested in learning something new. Please explain the
>> DOS vectors you're referring to and how they're mitigated by
>> allocating a /64 to the point to point link.
>>
>>
>> Just do it.
> No. But if you offer a good reason, I'll factor your reason in to my
> considerations.
>
> Regards,
> Bill Herrin
>




signature.asc
Description: OpenPGP digital signature

Re: Questions on IPv6 deployment

[William Herrin]

On Tue, Jan 17, 2017 at 4:07 PM, Matthew Huff  wrote:
> The reason for allocating a /64 for a point to point link is due to various 
> denial of service attack vectors.

Hi Matthew,

I'm always interested in learning something new. Please explain the
DOS vectors you're referring to and how they're mitigated by
allocating a /64 to the point to point link.


> Just do it.

No. But if you offer a good reason, I'll factor your reason in to my
considerations.

Regards,
Bill Herrin

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 

Re: Questions on IPv6 deployment

[Owen DeLong]

I think you mean /127 since a /128 would not support 2 points on the point to 
point.

Owen

> On Jan 17, 2017, at 13:07 , Matthew Huff <mh...@ox.com> wrote:
> 
> The reason for allocating a /64 for a point to point link is due to various 
> denial of service attack vectors. Just do it. The numbers in IPv6 are 
> staggering. The generally accepted best practice is to allocate a /64 and use 
> a /128 within that /64 for point to point links.
> 
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
> aim: matthewbhuff| Fax:   914-694-5669
> 
> 
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of William
>> Herrin
>> Sent: Tuesday, January 17, 2017 4:02 PM
>> To: Michael Still <stillwa...@gmail.com>
>> Cc: nanog@nanog.org
>> Subject: Re: Questions on IPv6 deployment
>> 
>> On Tue, Jan 17, 2017 at 12:48 PM, Michael Still <stillwa...@gmail.com>
>> wrote:
>>> http://nabcop.org/index.php/IPv6_Subnetting
>> 
>> That's overall good advice. I quibble with a couple of points:
>> 
>> 1. If you plan to use a /126 on a point to point and can't imagine how
>> you would use a /64 on that point to point, don't allocate a /64. Odds
>> are that by the time you can imagine some way to use a /64 there, the
>> details will require you to assign a new block anyway.
>> 
>> Why be concerned about resource consumption? Because it's a good
>> habit. Don't overdo it, IPv6 is not resource constrained the way IPv4
>> is, but shrewd use of available resources is a good habit even when
>> resources are plentiful.
>> 
>> 2. Make all your point to points /124. That will work for all your
>> point to points. Serial or ethernet. Even the ethernets which have two
>> high-availability routers on both ends along with the failover address
>> needing a total of 6 IPs plus 1 for your troubleshooting laptop.
>> Configuring /124 every time allows you to standardize your
>> configuration, the same way /64 standardizes the netmask on a LAN
>> deployment.
>> 
>> 
>> 
>> One additional point not brought up:
>> 
>> Minimum assignment to a customer: /60. Never ever /64 or /128. How
>> much more than a /60 you choose as your minimum is up to you. Common
>> choices are /56 and /48. But never, ever less than a /60.   Your
>> customer will want to deploy a /64 to each LAN. And there are so many
>> cases where he'll want to deploy more than one LAN.
>> 
>> I've noticed a lot of hosting providers getting this wrong. Some of
>> your customers do create VPNs on their VPC you know.
>> 
>> Regards,
>> Bill Herrin
>> 
>> 
>> --
>> William Herrin  her...@dirtside.com  b...@herrin.us
>> Owner, Dirtside Systems . Web: <http://www.dirtside.com/>

RE: Questions on IPv6 deployment

[Matthew Huff]

The reason for allocating a /64 for a point to point link is due to various 
denial of service attack vectors. Just do it. The numbers in IPv6 are 
staggering. The generally accepted best practice is to allocate a /64 and use a 
/128 within that /64 for point to point links.


Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff    | Fax:   914-694-5669


> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of William
> Herrin
> Sent: Tuesday, January 17, 2017 4:02 PM
> To: Michael Still <stillwa...@gmail.com>
> Cc: nanog@nanog.org
> Subject: Re: Questions on IPv6 deployment
> 
> On Tue, Jan 17, 2017 at 12:48 PM, Michael Still <stillwa...@gmail.com>
> wrote:
> > http://nabcop.org/index.php/IPv6_Subnetting
> 
> That's overall good advice. I quibble with a couple of points:
> 
> 1. If you plan to use a /126 on a point to point and can't imagine how
> you would use a /64 on that point to point, don't allocate a /64. Odds
> are that by the time you can imagine some way to use a /64 there, the
> details will require you to assign a new block anyway.
> 
> Why be concerned about resource consumption? Because it's a good
> habit. Don't overdo it, IPv6 is not resource constrained the way IPv4
> is, but shrewd use of available resources is a good habit even when
> resources are plentiful.
> 
> 2. Make all your point to points /124. That will work for all your
> point to points. Serial or ethernet. Even the ethernets which have two
> high-availability routers on both ends along with the failover address
> needing a total of 6 IPs plus 1 for your troubleshooting laptop.
> Configuring /124 every time allows you to standardize your
> configuration, the same way /64 standardizes the netmask on a LAN
> deployment.
> 
> 
> 
> One additional point not brought up:
> 
> Minimum assignment to a customer: /60. Never ever /64 or /128. How
> much more than a /60 you choose as your minimum is up to you. Common
> choices are /56 and /48. But never, ever less than a /60.   Your
> customer will want to deploy a /64 to each LAN. And there are so many
> cases where he'll want to deploy more than one LAN.
> 
> I've noticed a lot of hosting providers getting this wrong. Some of
> your customers do create VPNs on their VPC you know.
> 
> Regards,
> Bill Herrin
> 
> 
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: <http://www.dirtside.com/>

Re: Questions on IPv6 deployment

[William Herrin]

On Tue, Jan 17, 2017 at 12:48 PM, Michael Still  wrote:
> http://nabcop.org/index.php/IPv6_Subnetting

That's overall good advice. I quibble with a couple of points:

1. If you plan to use a /126 on a point to point and can't imagine how
you would use a /64 on that point to point, don't allocate a /64. Odds
are that by the time you can imagine some way to use a /64 there, the
details will require you to assign a new block anyway.

Why be concerned about resource consumption? Because it's a good
habit. Don't overdo it, IPv6 is not resource constrained the way IPv4
is, but shrewd use of available resources is a good habit even when
resources are plentiful.

2. Make all your point to points /124. That will work for all your
point to points. Serial or ethernet. Even the ethernets which have two
high-availability routers on both ends along with the failover address
needing a total of 6 IPs plus 1 for your troubleshooting laptop.
Configuring /124 every time allows you to standardize your
configuration, the same way /64 standardizes the netmask on a LAN
deployment.



One additional point not brought up:

Minimum assignment to a customer: /60. Never ever /64 or /128. How
much more than a /60 you choose as your minimum is up to you. Common
choices are /56 and /48. But never, ever less than a /60.   Your
customer will want to deploy a /64 to each LAN. And there are so many
cases where he'll want to deploy more than one LAN.

I've noticed a lot of hosting providers getting this wrong. Some of
your customers do create VPNs on their VPC you know.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 

Re: Questions on IPv6 deployment

[Michael Still]

Oops:
http://nabcop.org/index.php/IPv6_Subnetting


On Tue, Jan 17, 2017 at 12:48 PM, Michael Still 
wrote:

> Hi, a few years back some in the community got together to write this:
>
> On Mon, Jan 16, 2017 at 10:11 AM, Matthew Crocker <
> matt...@corp.crocker.com> wrote:
>
>>
>> Hello,
>>
>> I’m AS7849 and I have an IP problem.
>>
>> I’m running IPv4 ( /16 legacy + /20) and have enough space to last me
>> for  a while,  multi-homed, BGP4 full tables + peering, ect.
>> I have some new shiny Juniper MX480s (RE-S-2X00x6, 64MB RAM) in my core.
>>
>> I want to start building my IPv6 infrastructure.
>>
>> I have a /32 assigned from ARIN (2001:4918::/32)
>>
>> I’m looking for some direction/reading list of how to properly configure
>> IPv6.  I’ve read to use a /64 for PtP interfaces and I’ve read use a /128
>> instead.Assign all loopbacks from the same /64, use a different /64 for
>> each loopback. Ect, ect.
>>
>> I’m trying not to light a religious war but what is the current best
>> practice for IPv6 deployment in a service provider network?
>>
>> PS.  I’ll be at NANOG69 in DC next month,  1st NANOG for me after 22
>> years.  ☺
>>
>> -Matt
>>
>> --
>> Matthew Crocker
>> Crocker Communications, Inc.
>> President
>>
>
>
>
> --
> [stillwa...@gmail.com ~]$ cat .signature
> cat: .signature: No such file or directory
> [stillwa...@gmail.com ~]$
>



-- 
[stillwa...@gmail.com ~]$ cat .signature
cat: .signature: No such file or directory
[stillwa...@gmail.com ~]$

Re: Questions on IPv6 deployment

[Michael Still]

Hi, a few years back some in the community got together to write this:

On Mon, Jan 16, 2017 at 10:11 AM, Matthew Crocker 
wrote:

>
> Hello,
>
> I’m AS7849 and I have an IP problem.
>
> I’m running IPv4 ( /16 legacy + /20) and have enough space to last me for
> a while,  multi-homed, BGP4 full tables + peering, ect.
> I have some new shiny Juniper MX480s (RE-S-2X00x6, 64MB RAM) in my core.
>
> I want to start building my IPv6 infrastructure.
>
> I have a /32 assigned from ARIN (2001:4918::/32)
>
> I’m looking for some direction/reading list of how to properly configure
> IPv6.  I’ve read to use a /64 for PtP interfaces and I’ve read use a /128
> instead.Assign all loopbacks from the same /64, use a different /64 for
> each loopback. Ect, ect.
>
> I’m trying not to light a religious war but what is the current best
> practice for IPv6 deployment in a service provider network?
>
> PS.  I’ll be at NANOG69 in DC next month,  1st NANOG for me after 22
> years.  ☺
>
> -Matt
>
> --
> Matthew Crocker
> Crocker Communications, Inc.
> President
>



-- 
[stillwa...@gmail.com ~]$ cat .signature
cat: .signature: No such file or directory
[stillwa...@gmail.com ~]$

Re: Questions on IPv6 deployment

[Sander Steffann]

Hi,

> Suggest /128's for loopbacks and /124's for point to points, all from
> the same /64. This way you don't burn space needlessly, don't open
> yourself to neighbor discovery issues on point to points

I usually reserve one /64 for loopbacks, reserve a /64 per point-to-point 
connection and configure a /127 using ::a on one side and ::b on the other. All 
of these from a block reserved for infrastructure for filtering:

> and can
> filter inbound Internet packets to that /64 in one fell swoop so that
> it's harder to hit your routers directly. Just make sure not to filter
> the outbound packets.

Having a single block for infrastructure makes this very easy. In most cases I 
don't need to worry about "burning space needlessly" so I reserve /64s per 
point-to-point. Worrying about "wasting" address space is more often an 
IPv4-ism than good practice with IPv6 IMHO :-)  But it all depends on the 
complexity of your network. There are cases where it makes sense to think about 
this.

> Reminder: No matter what size you pick, use nibble boundaries for
> visual and DNS convenience. So /124, not /126.

Good advice!

Cheers,
Sander



signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: Questions on IPv6 deployment

[William Herrin]

On Mon, Jan 16, 2017 at 10:11 AM, Matthew Crocker
 wrote:
> I’m looking for some direction/reading list of how to properly configure 
> IPv6.  I’ve read to use a /64 for PtP interfaces and I’ve read use a /128 
> instead.Assign all loopbacks from the same /64, use a different /64 for 
> each loopback. Ect, ect.

Hi Matthew,

Suggest /128's for loopbacks and /124's for point to points, all from
the same /64. This way you don't burn space needlessly, don't open
yourself to neighbor discovery issues on point to points and can
filter inbound Internet packets to that /64 in one fell swoop so that
it's harder to hit your routers directly. Just make sure not to filter
the outbound packets.

Reminder: No matter what size you pick, use nibble boundaries for
visual and DNS convenience. So /124, not /126.

Regards,
Bill Herrin

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 

Re: Questions on IPv6 deployment

[Ca By]

 Why do not you feel compelled to ask this question?

Did you ask this question when you deployed ipv4?

AFAIK, everyone deploys ipv4 in a unique way. Same for ipv6. IPv6 is not
exotic or filled with unique pitfalls.  A lot of networks have deployed
production networks with ipv6, each one unique, so you don't need to watch
out for that one weird bug ( at least any more than ipv4). So, just like
ipv4, read about the standards, read about vendor implementation that are
close to you, make informed decisions.

My only nugget of advice is to deploy ipv6 in such a way it is not forever
coupled with ipv4.  There will be a day when you deploy ipv6 without ipv4,
this day already came for  Facebook, Comast, T-mobile and others.

I have not read this, but you may find the discussion helpful

https://tools.ietf.org/html/draft-ietf-v6ops-design-choices-12




On Mon, Jan 16, 2017 at 7:13 AM Matthew Crocker 
wrote:

>
>
> Hello,
>
>
>
> I’m AS7849 and I have an IP problem.
>
>
>
> I’m running IPv4 ( /16 legacy + /20) and have enough space to last me for
> a while,  multi-homed, BGP4 full tables + peering, ect.
>
> I have some new shiny Juniper MX480s (RE-S-2X00x6, 64MB RAM) in my core.
>
>
>
> I want to start building my IPv6 infrastructure.
>
>
>
> I have a /32 assigned from ARIN (2001:4918::/32)
>
>
>
> I’m looking for some direction/reading list of how to properly configure
> IPv6.  I’ve read to use a /64 for PtP interfaces and I’ve read use a /128
> instead.Assign all loopbacks from the same /64, use a different /64 for
> each loopback. Ect, ect.
>
>
>
> I’m trying not to light a religious war but what is the current best
> practice for IPv6 deployment in a service provider network?
>
>
>
> PS.  I’ll be at NANOG69 in DC next month,  1st NANOG for me after 22
> years.  ☺
>
>
>
> -Matt
>
>
>
> --
>
> Matthew Crocker
>
> Crocker Communications, Inc.
>
> President
>
>

Re: Questions on IPv6 deployment

[Chris Russell]

I have a /32 assigned from ARIN (2001:4918::/32)

I’m looking for some direction/reading list of how to properly
configure IPv6.  I’ve read to use a /64 for PtP interfaces and I’ve
read use a /128 instead.Assign all loopbacks from the same /64,
use a different /64 for each loopback. Ect, ect.

I’m trying not to light a religious war but what is the current best
practice for IPv6 deployment in a service provider network?

PS.  I’ll be at NANOG69 in DC next month,  1st NANOG for me after 22 
years.  ☺


 At the start, the advice was to configure individual /64 for 
loopbacks, however latterly its assign a /64 for loopbacks and configure 
/128 instead.


 Stick with a /48 for sites/customers.

 The best advice is to use nibble boundaries  (see: 
https://www.ripe.net/manage-ips-and-asns/ipv6/ipv6-subnetting-card) 
hence /52 /56 /60


 I also recommend watching this (Tom Coffeen from Infoblox at UKNOF35 
which covers this exact subject):


 
https://www.youtube.com/watch?v=lWFcIk4oMMU=youtu.be=PLjzK5ZtLlc90teq9-rGzytIVu-hvsF9hd


 Its worth a watch and covers the basics


HTH

Chris

Questions on IPv6 deployment

[Matthew Crocker]

Hello,

I’m AS7849 and I have an IP problem.

I’m running IPv4 ( /16 legacy + /20) and have enough space to last me for  a 
while,  multi-homed, BGP4 full tables + peering, ect.
I have some new shiny Juniper MX480s (RE-S-2X00x6, 64MB RAM) in my core.

I want to start building my IPv6 infrastructure.

I have a /32 assigned from ARIN (2001:4918::/32)

I’m looking for some direction/reading list of how to properly configure IPv6.  
I’ve read to use a /64 for PtP interfaces and I’ve read use a /128 instead.
Assign all loopbacks from the same /64, use a different /64 for each loopback. 
Ect, ect.

I’m trying not to light a religious war but what is the current best practice 
for IPv6 deployment in a service provider network?

PS.  I’ll be at NANOG69 in DC next month,  1st NANOG for me after 22 years.  ☺

-Matt

--
Matthew Crocker
Crocker Communications, Inc.
President