
Unique IPv6 prefix per host [pdf] - fanf2
https://ripe76.ripe.net/presentations/143-rfc8273-v5.pdf
======
ddtaylor
For anyone interested in playing with IPv6 I recommend Vultr their routing
seems to work instantly, where other providers seem to have some churn. On
Linode for example once I start actually using more than ~100 IPv6 endpoints
it starts forgetting the previous ones for a few minute at a time. Vultr does
proper prefix routing it seems.

~~~
sigjuice
And Digital Ocean IPv6 is broken as well. My droplet has a /64, but there's
only a /124 back to my droplet.

Discussion here

[https://digitalocean.uservoice.com/forums/136585-digitalocea...](https://digitalocean.uservoice.com/forums/136585-digitalocean/suggestions/5914490-give-
users-ipv6-64-blocks-when-you-roll-out-ipv6)

~~~
unilynx
It's not broken per-se - the /64 you're seeing is probably the /64 next to
your IP address. But that's just the size of the subnet your droplet is on,
just like a system having '192.168.1.8/24' doesn't imply that all of the
192.168.1.* addresses route to that system

But apart from that, IPv6 at DO is indeed pretty useless without floating ip
support - I'm still not able to use IPv6 on the droplet for application that
need failover

------
magnat
> Provides a very simple mechanism for a single host or interface, to be able
> to run 2^64 virtual machines, with their own global IPv6 address

It's not uncommon to have multiple layers of virtualization (e.g. lxc/docker
running inside qemu/kvm). You'd need top-level hypervisor to passthrough
(bridge?) nested VMs requests back to the router, but then you don't have same
level of isolation.

Configurable prefix length when nesting (/64 at first level, /80 at 2nd, /96
at 3rd if needed) and automated NDP proxying could solve it, though.

------
okket
Video of the talk:
[https://ripe76.ripe.net/archives/video/131/](https://ripe76.ripe.net/archives/video/131/)

------
ra1n85
When I see things like this, I suspect people aren't thinking through all of
the NDP edge cases. Do you really want the potential to have 2^64 NDP entries
on your gateway? What about NUD - do you really want that many potential hosts
performing unreachability detection?

NDP is the abominable child of ARP and an IGP and doesn't scale well. Using
huge address spaces everywhere is a good way to let it crush your network.

~~~
nimbius
perhaps its just my lack of coffee, but I fail to see the scalability issue.
Router Redirection can prune quite a few ndp discovery table entries but
Learned link-layer addresses are kept in a neighbor discovery table. 2^64 link
layer connections are probably not present in a competently designed IPv6
network.

im also confused as to what this paper is talking about in terms of new
features.../64 and per host is already a thing in linux. RADVD for example
allows you to delegate upstream prefixes to additional interfaces in linux
routing. these /64 delegations are handled by the linux host that delegated
them and are only known one step above that router as a singly delegated
prefix from the "gateway." prefix delegation was designed explicitly for the
/64.

if anything home ISP's need a slap on the wrist for their stingy DHCPv6
delegations of what basically amount to a SINGLE ipv6 address or some weird
less-than /64\. splitting a 56 is a better idea here.

~~~
snuxoll
> if anything home ISP's need a slap on the wrist for their stingy DHCPv6
> delegations of what basically amount to a SINGLE ipv6 address or some weird
> less-than /64\. splitting a 56 is a better idea here.

This is the single most infuriating issue with IPv6 rollout in the US.
CenturyLink is starting to roll out native IPv6 support (instead of 6rd which
they've been using for years), the only issue is you get a single /64\. I
mean, I have no use for giving every single host a /64, but I've got five or
six VLAN's and without at least a /56 I've got no way of actually deploying
IPv6 on my network. By the way, this is a business DSL connection too - so
it's not like they shouldn't expect something more than your typical flat home
network where everything sits on a single broadcast domain.

~~~
ra1n85
>I mean, I have no use for giving every single host a /64, but I've got five
or six VLAN's and without at least a /56 I've got no way of actually deploying
IPv6 on my network.

Why can't you subnet the /64? CenturyLink isn't doing dot1q tagging to you, so
you must have a router with tagged interfaces on your network.

Edit: Imagine this is because you want to use SLAAC.

~~~
snuxoll
> Edit: Imagine this is because you want to use SLAAC.

Not just because of SLAAC, prefixes smaller than /64 are likely to mess with
all sorts of assumptions built into networking gear. It may not be "correct"
since there are valid reasons for subnets as small as a /127 (though they are
used infrequently enough at least), but a lot of networking gear cheats with
IPv6 routes to keep the amount of TCAM memory needed down. Why spend 128-bits
per route and quadruple the memory required when you can double it and go
64-bits per route and dump the longer ones to slower DRAM (I mean, you only
use /127's for point-to-point links that don't need link-rate switching
anyway)?

Regardless of anyone's philosophy of address assignment strategies, prefixes
smaller than /64's in IPv6 are un-wise unless you want to degrade into worst-
case routing paths on your network gear.

~~~
ra1n85
Somewhat of a good point, but I don't think it applies here - some
implementations, particularly inexpensive devices like SOC's, do exact search
on common prefix lengths like /64 and /48\. I can't imagine this would be a
huge problem within a home network, though. Even then, DRAM, which is
essentially software switching, is rarely used. Further, you said you had 6
VLANs - this is well within the route scale of the vast majority of network
devices regardless of how they implement their lookup data structures.

Good example: The SRX300, a desktop router/firewall implemented on a MIPS
based Cavium Octeon (both control and data plane) can handle up to 256K IPv6
routes:
[https://www.juniper.net/assets/us/en/local/pdf/datasheets/10...](https://www.juniper.net/assets/us/en/local/pdf/datasheets/1000550-en.pdf)

The Trident series SOC's can do 8K by default, and 64K with ALPM enabled:
[https://www.juniper.net/us/en/local/pdf/datasheets/1000480-e...](https://www.juniper.net/us/en/local/pdf/datasheets/1000480-en.pdf)

>(I mean, you only use /127's for point-to-point links that don't need link-
rate switching anyway)?

/126's and /127's are often used for PTP's for peering/transit. Line rate is
table stakes. Bear in mind that the gear used in these situations has
plentiful lookup memory (SRAM, RLDRAM, HMC, or HBM).

