Re: AWS and IPv6

2021-12-14 Thread Tom Hill
On 29/11/2021 02:23, William Herrin wrote:
> This technique does in fact work for IPv6, allowing you to insert a
> firewall at the edge. Interestingly though, it won't receive IPv6
> packets for an address that isn't attached to a running instance in
> the interior subnet.

That sounds remarkably sensible given that the AWS customer base will be
dipping their toes into the world of IPv6 very cautiously.

(No good for a honeypot, but we have many other means for that.)

-- 
Tom


Re: AWS and IPv6

2021-11-28 Thread William Herrin
On Sun, Nov 28, 2021 at 4:13 PM William Herrin  wrote:
> Yeah, they don't even have a practical way to implement a firewall
> instance for IPv6. Unless you want to mirror 1:many NAT for IPv6 like
> you do IPv4. You just can't route an IPv6 block to an instance. And
> with 1:many NAT you wouldn't want public IP addresses inside but AWS
> doesn't let you assign ULA addresses inside the subnet, only global
> addresses.

I stand corrected on this.

https://aws.amazon.com/blogs/aws/inspect-subnet-to-subnet-traffic-with-amazon-vpc-more-specific-routing/

https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/

This technique does in fact work for IPv6, allowing you to insert a
firewall at the edge. Interestingly though, it won't receive IPv6
packets for an address that isn't attached to a running instance in
the interior subnet.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/
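The edge-firewall arrangement Bill describes above, modelled as route-table lookups so the behaviour can be checked offline. This is an added example, not code from the thread or from the linked AWS posts: a route table associated with the internet gateway steers inbound packets for an interior subnet to the firewall appliance's ENI, the interior subnet's own table (assumed here as the usual companion configuration) sends return traffic back through the same ENI, and the thread's observation that inbound packets for an address with no running instance never reach the appliance is modelled as a drop. All prefixes, ids and the running-instance set are constructed sample values.

```python
"""Added illustration (not AWS code) of VPC ingress routing with a firewall
appliance, modelled as longest-prefix-match route tables. Prefixes, ids and
the RUNNING set below are constructed sample values."""
import ipaddress

VPC_CIDR = "2001:db8:1234:5600::/56"
FIREWALL_SUBNET = "2001:db8:1234:5600::/64"   # where the appliance lives
INTERIOR_SUBNET = "2001:db8:1234:5601::/64"   # subnet being protected
FIREWALL_ENI = "eni-firewall-EXAMPLE"         # constructed id
IGW = "igw-EXAMPLE"                           # constructed id

# Constructed: the only interior address attached to a running instance.
RUNNING = {ipaddress.IPv6Address("2001:db8:1234:5601::10")}


class RouteTable:
    def __init__(self, routes):
        self.routes = [(ipaddress.IPv6Network(dst), tgt) for dst, tgt in routes]

    def lookup(self, address):
        """Longest-prefix match; None when no route covers the address."""
        addr = ipaddress.IPv6Address(address)
        hits = [(net, tgt) for net, tgt in self.routes if addr in net]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


# Route table associated with the internet gateway ("ingress routing"):
# a more-specific route for the interior subnet overrides direct delivery.
EDGE_RT = RouteTable([(INTERIOR_SUBNET, FIREWALL_ENI)])
# Interior subnet: VPC-local traffic stays local, everything else goes to
# the appliance so the return path is symmetric (assumed companion config).
INTERIOR_RT = RouteTable([(VPC_CIDR, "local"), ("::/0", FIREWALL_ENI)])
# Firewall subnet: the appliance forwards egress to the internet gateway.
FIREWALL_RT = RouteTable([(VPC_CIDR, "local"), ("::/0", IGW)])


def inbound_path(dst, running=RUNNING):
    """Hops an internet-sourced packet takes toward an interior address."""
    dst = ipaddress.IPv6Address(dst)
    hop = EDGE_RT.lookup(dst)
    if hop is None:
        return [IGW, "local"]          # no edge route: ordinary direct delivery
    if dst not in running:
        # Observed in the thread: the edge route only attracts packets for
        # addresses attached to a running instance in the interior subnet.
        return [IGW, "dropped"]
    return [IGW, hop, str(dst)]


def outbound_path(src, dst="2001:db8::1"):
    """Hops a reply from an interior instance takes back to the internet."""
    hop = INTERIOR_RT.lookup(dst)
    path = [str(src), hop]
    if hop == FIREWALL_ENI:
        path.append(FIREWALL_RT.lookup(dst))
    return path


def firewall_sees_both_directions(host):
    """The check to run before trusting the appliance: symmetric traversal."""
    return FIREWALL_ENI in inbound_path(host) and FIREWALL_ENI in outbound_path(host)


if __name__ == "__main__":
    for host in ("2001:db8:1234:5601::10", "2001:db8:1234:5601::99"):
        print(host, inbound_path(host), outbound_path(host),
              firewall_sees_both_directions(host))
```

The symmetric-traversal check is the part worth keeping: an appliance that sees only one direction of a flow cannot track state, and with ingress routing the failure is silent, since the packet still reaches the instance.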


Re: AWS and IPv6

2021-11-28 Thread William Herrin
On Sun, Nov 28, 2021 at 3:52 PM Matt Palmer  wrote:
> Which is, fundamentally, half the problem with IPv6 in AWS.  I'd have much
> preferred that they'd added the ability to do actually-useful IPv6 routing
> rather than IPv6-only subnets, which strikes me as more of a toy than
> something *actually* useful.

Yeah, they don't even have a practical way to implement a firewall
instance for IPv6. Unless you want to mirror 1:many NAT for IPv6 like
you do IPv4. You just can't route an IPv6 block to an instance. And
with 1:many NAT you wouldn't want public IP addresses inside but AWS
doesn't let you assign ULA addresses inside the subnet, only global
addresses.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: AWS and IPv6

2021-11-28 Thread Michael Thomas
On 11/28/21 3:50 PM, Matt Palmer wrote:
> On Sun, Nov 28, 2021 at 02:10:40PM -0800, William Herrin wrote:
> > On Sun, Nov 28, 2021 at 1:18 PM Karl Auer  wrote:
> > > On Sun, 2021-11-28 at 12:53 -0800, Michael Thomas wrote:
> > > > I was reading their howto yesterday and it seems they are only
> > > > allocating a /64? Why?
> > >
> > > That's a /64 *per subnet*...
> > >
> > > But the size of a VPC's IPv6 CIDR block does seem to be fixed at /56.
> > > Would have been nice to see /48 instead.
> >
> > To what purpose? You can't alter the VPC routing of any of the IP
> > addresses (v4 or v6) assigned to an AWS VPC.
>
> Which is, fundamentally, half the problem with IPv6 in AWS.  I'd have much
> preferred that they'd added the ability to do actually-useful IPv6 routing
> rather than IPv6-only subnets, which strikes me as more of a toy than
> something *actually* useful.

Maybe they're future proofing themselves until they can figure out how
to put a meter on it for more $$$?

Mike



Re: AWS and IPv6

2021-11-28 Thread Matt Palmer
On Sun, Nov 28, 2021 at 02:10:40PM -0800, William Herrin wrote:
> On Sun, Nov 28, 2021 at 1:18 PM Karl Auer  wrote:
> > On Sun, 2021-11-28 at 12:53 -0800, Michael Thomas wrote:
> > > I was reading their howto yesterday and it seems they are only
> > > allocating a /64? Why?
> >
> > That's a /64 *per subnet*...
> >
> > But the size of a VPC's IPv6 CIDR block does seem to be fixed at /56.
> > Would have been nice to see /48 instead.
> 
> To what purpose? You can't alter the VPC routing of any of the IP
> addresses (v4 or v6) assigned to an AWS VPC.

Which is, fundamentally, half the problem with IPv6 in AWS.  I'd have much
preferred that they'd added the ability to do actually-useful IPv6 routing
rather than IPv6-only subnets, which strikes me as more of a toy than
something *actually* useful.

- Matt



Re: AWS and IPv6

2021-11-28 Thread Oliver O'Boyle
On Sun., Nov. 28, 2021, 17:13 William Herrin,  wrote:

> On Sun, Nov 28, 2021 at 1:18 PM Karl Auer  wrote:
> > On Sun, 2021-11-28 at 12:53 -0800, Michael Thomas wrote:
> > > I was reading their howto yesterday and it seems they are only
> > > allocating a /64? Why?
> >
> > That's a /64 *per subnet*...
> >
> > But the size of a VPC's IPv6 CIDR block does seem to be fixed at /56.
> > Would have been nice to see /48 instead.
>
> Hi Karl,
>
> To what purpose? You can't alter the VPC routing of any of the IP
> addresses (v4 or v6) assigned to an AWS VPC. If you try, for example,
> to assign a /64 to an instance you get a funky error: "Route
> destination doesn't match any subnet CIDR blocks." You can only assign
> the block's IP addresses to subnets or not and then assign addresses
> from the subnet to the instances. You can't have more than 256 subnets
> in a VPC so why would you need more than a /56 of IPv6 addresses?
>

Agreed, those limits align and are reasonable. If you BYO, then you can
bring up to 5 /48's per account, but only use one per region. The limit of
a /56 per VPC remains, but you can create multiple VPCs per region and most
companies use multiple accounts. There are some other limitations but some
of these may change over time:

   - The most specific IPv6 address range that you can bring is /48 for CIDRs
     that are publicly advertised, and /56 for CIDRs that are not publicly
     advertised.
   - You can bring each address range to one Region at a time.
   - You can bring a total of five IPv4 and IPv6 address ranges per Region to
     your AWS account.
   - You cannot share your IP address range with other accounts using AWS
     Resource Access Manager (AWS RAM).

> Regards,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/


Re: AWS and IPv6

2021-11-28 Thread William Herrin
On Sun, Nov 28, 2021 at 1:18 PM Karl Auer  wrote:
> On Sun, 2021-11-28 at 12:53 -0800, Michael Thomas wrote:
> > I was reading their howto yesterday and it seems they are only
> > allocating a /64? Why?
>
> That's a /64 *per subnet*...
>
> But the size of a VPC's IPv6 CIDR block does seem to be fixed at /56.
> Would have been nice to see /48 instead.

Hi Karl,

To what purpose? You can't alter the VPC routing of any of the IP
addresses (v4 or v6) assigned to an AWS VPC. If you try, for example,
to assign a /64 to an instance you get a funky error: "Route
destination doesn't match any subnet CIDR blocks." You can only assign
the block's IP addresses to subnets or not and then assign addresses
from the subnet to the instances. You can't have more than 256 subnets
in a VPC so why would you need more than a /56 of IPv6 addresses?

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/
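Bill's sizing argument above (a /56 per VPC, a /64 per subnet, at most 256 subnets, and an in-VPC route destination that must match a subnet CIDR) as a small model you can run. This is an added example, not AWS code or a reproduction of the AWS API; the VPC block, subnet names and target ids are constructed sample values, and the validation rule in `add_route` is this model's reading of the error message quoted in the thread.

```python
"""Added illustration (not AWS code) of the VPC IPv6 sizing rules discussed
in the thread. The VPC block 2001:db8:1234:5600::/56 and every name or id
below are constructed sample values."""
import ipaddress

VPC_PREFIX_LEN = 56      # size of a VPC's IPv6 CIDR block
SUBNET_PREFIX_LEN = 64   # size of each subnet's IPv6 CIDR block


class Vpc:
    def __init__(self, ipv6_cidr):
        self.cidr = ipaddress.IPv6Network(ipv6_cidr)
        if self.cidr.prefixlen != VPC_PREFIX_LEN:
            raise ValueError(f"VPC IPv6 block must be a /{VPC_PREFIX_LEN}, got {self.cidr}")
        self.subnets = {}   # name -> IPv6Network (/64)
        self.routes = []    # (destination IPv6Network, target id)

    def max_subnets(self):
        """Number of /64s a /56 can hold: 2 ** (64 - 56) == 256."""
        return 2 ** (SUBNET_PREFIX_LEN - VPC_PREFIX_LEN)

    def add_subnet(self, name, subnet_cidr):
        net = ipaddress.IPv6Network(subnet_cidr)
        if net.prefixlen != SUBNET_PREFIX_LEN:
            raise ValueError(f"subnet must be a /{SUBNET_PREFIX_LEN}, got {net}")
        if not net.subnet_of(self.cidr):
            raise ValueError(f"{net} is not inside VPC block {self.cidr}")
        if any(net.overlaps(existing) for existing in self.subnets.values()):
            raise ValueError(f"{net} overlaps an existing subnet")
        self.subnets[name] = net
        return net

    def add_route(self, destination, target):
        dest = ipaddress.IPv6Network(destination)
        # Model of the rule behind the error Bill quotes: a destination inside
        # the VPC's own block must equal a subnet CIDR exactly; you cannot
        # route an arbitrary /64 (or anything smaller) to an instance.
        if dest.subnet_of(self.cidr) and dest not in self.subnets.values():
            raise ValueError("Route destination doesn't match any subnet CIDR blocks")
        self.routes.append((dest, target))
        return dest, target


def demo():
    """Returns (subnet capacity, routes accepted, whether the bad route was rejected)."""
    vpc = Vpc("2001:db8:1234:5600::/56")
    vpc.add_subnet("public-a", "2001:db8:1234:5600::/64")
    vpc.add_subnet("private-a", "2001:db8:1234:5601::/64")
    vpc.add_route("::/0", "igw-EXAMPLE")                          # default via IGW: outside the block
    vpc.add_route("2001:db8:1234:5601::/64", "eni-EXAMPLE")       # accepted: equals a subnet CIDR
    try:
        vpc.add_route("2001:db8:1234:5602::/64", "eni-EXAMPLE")   # no subnet with this CIDR
        rejected = False
    except ValueError:
        rejected = True
    return vpc.max_subnets(), len(vpc.routes), rejected


if __name__ == "__main__":
    print(demo())
```

The capacity line is the whole argument in one expression: with /64 subnets and a /56 block there are only 256 subnet slots to fill, so a larger per-VPC block would buy nothing unless the routing rules changed as well.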


Re: AWS and IPv6

2021-11-28 Thread Michael Thomas
On 11/28/21 1:17 PM, Karl Auer wrote:
> On Sun, 2021-11-28 at 12:53 -0800, Michael Thomas wrote:
> > I was reading their howto yesterday and it seems they are only
> > allocating a /64? Why?
>
> That's a /64 *per subnet*...
>
> But the size of a VPC's IPv6 CIDR block does seem to be fixed at /56.
> Would have been nice to see /48 instead.

Ah ok, I must have missed that.

Mike



Re: AWS and IPv6

2021-11-28 Thread Dave Bell
It's a /56 per VPC, and a /64 per subnet.

Seems reasonable to me.

https://docs.aws.amazon.com/vpc/latest/userguide/get-started-ipv6.html

Dave

On Sun, 28 Nov 2021 at 20:54, Michael Thomas  wrote:

> On 11/27/21 2:44 PM, Fletcher Kittredge wrote:
> > The Register  says: AWS claims 'monumental
> > step forward' with optional IPv6-only networks
>
> I was reading their howto yesterday and it seems they are only allocating
> a /64? Why?
>
> I guess I just don't get the point of the VPC in the first place. I get
> the firewall aspect but it seems to be more than that.
>
> Mike


Re: AWS and IPv6

2021-11-28 Thread Karl Auer
On Sun, 2021-11-28 at 12:53 -0800, Michael Thomas wrote:
> I was reading their howto yesterday and it seems they are only 
> allocating a /64? Why?

That's a /64 *per subnet*...

But the size of a VPC's IPv6 CIDR block does seem to be fixed at /56.
Would have been nice to see /48 instead.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170





Re: AWS and IPv6

2021-11-28 Thread Michael Thomas
On 11/27/21 2:44 PM, Fletcher Kittredge wrote:
> The Register  says: AWS claims
> 'monumental step forward' with optional IPv6-only networks

I was reading their howto yesterday and it seems they are only
allocating a /64? Why?

I guess I just don't get the point of the VPC in the first place. I get
the firewall aspect but it seems to be more than that.

Mike