
What you should know about IPv6 - lucb1e
http://lucb1e.com/?p=post&id=98
======
agwa
The article is wrong about address assignments.

First, /32 is the _minimum_ allocation size, which means you (an ISP) can't
get _fewer_ addresses than that (not more as the article claims). The reason
you'd want to have a minimum allocation size is because it makes routing
tables smaller (better for an organization to have just one entry in the
routing table that's huge that they can grow into, than to start small and add
lots of small entries to the routing table as they grow).

Second, /48 is what ISPs typically give their subscribers, not what ISPs
themselves get.

Edit: to clarify, the /32 minimum is a policy of ARIN and RIPE (not sure about
the other RIRs). See for example
<https://www.arin.net/policy/archive/ipv6_policy.html#43> and
<http://www.ripe.net/ripe/docs/ripe-552#minimum_allocation>. There is no
mandatory policy for how ISPs should assign addresses to their subscribers.
RFC3177 recommended a /48 in most cases, though that has recently been
superseded by RFC6177, which recommends more flexibility rather than a
one-size-fits-all approach. See <http://tools.ietf.org/html/rfc6177>.

I find the article somewhat reckless in recommending that you ban entire /64s
instead of individual IPv6 addresses. It's true that you need to be aware that
a home user will likely be in control of an entire /64 (and possibly more),
but if the offending IP address is at a university or a datacenter then a /64
ban could sweep up a lot of innocent bystanders. You really need to consider
bans on a case-by-case basis.

~~~
stephengillie
Often, banning whole ISPs is necessary to actually get rid of offenders.
Hackers and griefers have known how to get new addresses from their DHCP pool
for at least 10 years, and now that they'll get access to an entire /64, many
will be sure to exploit it.

In fact, I'll bet the malware-infested utility to automate this into a one-
click process already exists.

~~~
agwa
I don't disagree with that, but _please_ do some investigation before banning
an entire subnet, or wait until you actually observe a user jumping around the
subnet. And never ban an entire ISP if you haven't first given their abuse
department a chance to do the right thing.

If you don't do this, you're harming innocent people.
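
Added example (not part of the original thread or of the linked article): a small Python ban list that follows the approach discussed above, banning the single offending address first and widening to the /64 only after several distinct addresses in that /64 have offended. The class name `BanList`, the threshold of 3 and the documentation-range addresses used with it are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

ESCALATE_AFTER = 3  # assumed threshold: distinct offending addresses in one /64


class BanList:
    """Ban single addresses; widen to the /64 only after observed hopping."""

    def __init__(self, escalate_after=ESCALATE_AFTER):
        self.escalate_after = escalate_after
        self.offenders = defaultdict(set)  # /64 network -> offending addresses
        self.banned_nets = set()           # host (/32, /128) and /64 bans

    @staticmethod
    def _parse(addr):
        ip = ipaddress.ip_address(addr)
        # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is really an IPv4 client.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        return ip

    def report(self, addr):
        """Record an offence and return the network that is banned as a result."""
        ip = self._parse(addr)
        host = ipaddress.ip_network(ip)    # /32 for IPv4, /128 for IPv6
        if ip.version == 4:
            self.banned_nets.add(host)
            return host
        prefix = ipaddress.IPv6Network((ip, 64), strict=False)
        # A set, so repeat offences from one address never trigger escalation.
        self.offenders[prefix].add(ip)
        if len(self.offenders[prefix]) >= self.escalate_after:
            # Several distinct addresses in one /64: the user is jumping around.
            # Drop the now-redundant /128 entries and ban the whole /64.
            self.banned_nets = {n for n in self.banned_nets
                                if not (n.version == 6 and n.subnet_of(prefix))}
            self.banned_nets.add(prefix)
            return prefix
        self.banned_nets.add(host)
        return host

    def is_banned(self, addr):
        ip = self._parse(addr)
        # Membership is False when the address and network versions differ.
        return any(ip in net for net in self.banned_nets)
```

Whether a /64 is one home subscriber or a shared university or datacenter segment cannot be read from the address alone, so the escalation threshold is a policy choice to set per deployment.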

~~~
stephengillie
Your warning has merit, but it's a little out-of-scope for the problem. I'm
not talking about banning people from playing _Halo_, I'm banning them from
just _my_ server for medium durations like a day or a week. And chances are
they're the only person connecting to my server from that ISP -- each of the
~30 people on the server probably has a different ISP.

------
Arnt
The article misunderstands IPv6 addresses. The best way to put it is that IPv6
offers addresses for 2^64 networks. IPv6 numbers networks, and hosts attach to
networks.

In v4, hosts come first and networks second. In v6, networks come first and
hosts come second.

~~~
chmike
What do you mean by _come first_ and _come second_?

~~~
Arnt
What's a first-class and a second-class concept in the architecture.

In IPv4, the IP address is central to the architecture, and the subnet is
secondary. In v6, the /64 network is the core, and everything is arranged
around that.

------
potkor
You have to wade pretty far until this gets to the main user-visible advantage
(global routability) and doesn't make a very compelling case of why you'd want
it.

People have been lulled into this state of apathy about crippled IPv4+NAT
connectivity (or don't know any better). The problem is that the network
effect/chilling effect wrt app deployment/development isn't something that a
user instantly sees, and the other, more immediate benefits are currently only
significant for pretty advanced users (who are already aware of how NAT makes
their lives hard).

------
diminoten
> The first 32 bits form the minimum allocation size; you can't get assigned
> more addresses than this.

Well that's not true, if the below linked article is to be believed. The DoD
has a /16, which is twice as big (bitwise, it's substantially larger in
absolute terms) as the /32 the article says is 'the minimum allocation size'.

aforementioned article:
<http://gcn.com/articles/2007/02/03/dod-to-allocate-its-ipv6-addresses.aspx>

~~~
lucb1e
Another commenter also pointed this out (which I happened to read first), and
it has been corrected. Thanks for commenting!

------
symmetricsaurus
That was interesting and highlights that I do not know a whole lot about
networking. What would be a good source to get a basic understanding of how
these things work?

~~~
weinzierl
I'm not OP, but I found the Hurricane Electric Certification[1] quite useful.

The course is free and you can do it on-line. You will have to do certain
tasks (e.g. set up an IPv6-capable mail server), HE will check and if you were
successful you enter the next level. If you make it through to sage level you
will get a free T-shirt (which in my case they even sent for free to Germany).

The tasks are not difficult but completing the course will take some time. It
is hands on experience and I learned a lot. I'm not affiliated with HE in any
way.

[1] <http://ipv6.he.net/certification/>

