We have a small office network deployed with dual stack, using a tunnel out to Hurricane Electric. We have a /64 block assigned, and are using an OpenBSD/pf firewall/router/RA server we built. We can see the dancing Kame from all nodes in our private network!

The network has three internal networks (easiest to designate by their IPv4 address spaces):

private: 10.0.0.0/8
dmz: 172.16.0.0/16
test: 172.17.0.0/16

Our /64 block is working well in our private network. We now wish to put two dual stack nameservers (prototypes of our soon-to-be-released DNS appliance) in our DMZ, along with a dual stack webserver (replica of our website, which will be available both via IPv4 and IPv6).

We ran into problems when we tried to route IPv6 addresses from our /64 block into the DMZ. Because we are using stateless autoconfig to assign addresses (which uses EUI-64 for the low 64 bits), we cannot subnet our /64 into smaller chunks, say /68. This is because the automatically generated EUI-64s will not fit into the available 60-bit node number fields. Would this work if we were doing all manually generated addresses, or possibly by using DHCPv6?

It appears to me we can resolve the situation in either of two ways:

1. Get two more /64s, tunneled behind two more static IPv4 addresses, and route the two new /64 blocks into our DMZ and test networks respectively.
2. Upgrade our /64 to a /48, then allocate three /64 subnets from that for our three internal networks.

Questions:

1. Could we do /68 subnets if we manually assigned addresses rather than using EUI-64 automatically generated ones? Or are /64 and /48 the only allowable subnet sizes in IPv6?
2. If DHCPv6 were available today, could we make do with a single /64 subnetted into multiple internal networks?
3. How in general are you supposed to handle multiple internal subnets? One /64 for each subnet?
4. If we wanted stateless autoconfig in more than one internal network, would we run three instances of the RA daemon, one for each firewall interface? Or can one instance be configured to publish different /64 prefixes for each firewall interface?
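As an added illustration (not part of the original post; the /48 block, MAC address and network names are constructed sample values), this Python script carves three /64s out of a /48 as in option 2, builds a SLAAC address from a modified EUI-64 for a host in the DMZ, and shows why a /68 leaves too few host bits for that identifier:

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]      # insert ff:fe in the middle
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]           # flip the universal/local bit
    return int.from_bytes(eui, "big")


def iid_fits(prefixlen: int, mac: str) -> bool:
    """True if the 64-bit EUI-64 identifier fits in the host bits left by prefixlen.

    Note: SLAAC hosts also ignore any advertised prefix whose length plus the
    64-bit identifier length is not 128 (RFC 4862, 5.5.3), so even an identifier
    that happens to fit would not be used with a /68.
    """
    return eui64_interface_id(mac) < (1 << (128 - prefixlen))


def carve_subnets(block: str, names: list) -> dict:
    """Hand out consecutive /64s from a larger block, one per named network."""
    subnets = ipaddress.IPv6Network(block).subnets(new_prefix=64)
    return {name: next(subnets) for name in names}


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would form by SLAAC from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit host part, so the prefix must be a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    block = "2001:db8:1234::/48"             # constructed documentation prefix
    mac = "a4:5e:60:ab:cd:ef"                # constructed sample MAC
    nets = carve_subnets(block, ["private", "dmz", "test"])
    for name, net in nets.items():
        print(f"{name:8s} {net}")
    print("dmz host:", slaac_address(str(nets["dmz"]), mac))
    print("fits /64:", iid_fits(64, mac), " fits /68:", iid_fits(68, mac))
```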
