Unique IPv6 prefix per host [pdf] (ripe.net)
41 points by fanf2 5 months ago | 21 comments



For anyone interested in playing with IPv6, I recommend Vultr; their routing seems to work instantly, where other providers seem to have some churn. On Linode, for example, once I start actually using more than ~100 IPv6 endpoints it starts forgetting the previous ones for a few minutes at a time. Vultr appears to do proper prefix routing.


And Digital Ocean IPv6 is broken as well. My droplet has a /64, but only a /124 is routed back to my droplet.

Discussion here

https://digitalocean.uservoice.com/forums/136585-digitalocea...


It's not broken per se - the /64 you're seeing is probably the /64 surrounding your IP address. But that's just the size of the subnet your droplet is on, just as a system having '192.168.1.8/24' doesn't imply that all of the 192.168.1.* addresses route to that system.

But apart from that, IPv6 at DO is indeed pretty useless without floating IP support - I'm still not able to use IPv6 on the droplet for applications that need failover.


> Provides a very simple mechanism for a single host or interface, to be able to run 2^64 virtual machines, with their own global IPv6 address

It's not uncommon to have multiple layers of virtualization (e.g. lxc/docker running inside qemu/kvm). You'd need the top-level hypervisor to pass nested VMs' traffic through (bridge it?) back to the router, but then you don't have the same level of isolation.

Configurable prefix lengths when nesting (/64 at the first level, /80 at the second, /96 at the third if needed) and automated NDP proxying could solve it, though.
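A quick sketch of that nesting scheme with Python's ipaddress module (the prefix is an example, and the /64-/80-/96 split is this comment's suggestion, not anything from the paper):

```python
import ipaddress

# /64 delegated to the physical host (example prefix)
host = ipaddress.IPv6Network("2001:db8:0:1::/64")

vm = next(host.subnets(new_prefix=80))        # first /80 for a first-level VM
container = next(vm.subnets(new_prefix=96))   # first /96 inside that VM

# Each level nests cleanly inside the one above it
assert vm.subnet_of(host) and container.subnet_of(vm)
print(host.prefixlen, vm.prefixlen, container.prefixlen)  # 64 80 96
```

Each level gets 2^16 child subnets (80-64 = 96-80 = 16 bits), which is the trade-off against handing a full /64 to every layer.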



When I see things like this, I suspect people aren't thinking through all of the NDP edge cases. Do you really want the potential to have 2^64 NDP entries on your gateway? What about NUD - do you really want that many potential hosts performing unreachability detection?

NDP is the abominable child of ARP and an IGP and doesn't scale well. Using huge address spaces everywhere is a good way to let it crush your network.


Perhaps it's just my lack of coffee, but I fail to see the scalability issue. Router redirection can prune quite a few NDP discovery table entries, but learned link-layer addresses are kept in a neighbor discovery table. 2^64 link-layer connections are probably not present in a competently designed IPv6 network.

I'm also confused as to what this paper is talking about in terms of new features: /64-per-host is already a thing in Linux. radvd, for example, allows you to delegate upstream prefixes to additional interfaces via Linux routing. These /64 delegations are handled by the Linux host that delegated them and are only known one step above that router as a singly delegated prefix from the "gateway." Prefix delegation was designed explicitly for the /64.

If anything, home ISPs need a slap on the wrist for their stingy DHCPv6 delegations of what basically amounts to a SINGLE IPv6 address or some weird less-than-/64. Splitting a /56 is a better idea here.


> If anything, home ISPs need a slap on the wrist for their stingy DHCPv6 delegations of what basically amounts to a SINGLE IPv6 address or some weird less-than-/64. Splitting a /56 is a better idea here.

This is the single most infuriating issue with the IPv6 rollout in the US. CenturyLink is starting to roll out native IPv6 support (instead of the 6rd they've been using for years); the only issue is you get a single /64. I mean, I have no use for giving every single host a /64, but I've got five or six VLANs, and without at least a /56 I've got no way of actually deploying IPv6 on my network. By the way, this is a business DSL connection too - so it's not as if they should expect your typical flat home network where everything sits on a single broadcast domain.


>I mean, I have no use for giving every single host a /64, but I've got five or six VLANs, and without at least a /56 I've got no way of actually deploying IPv6 on my network.

Why can't you subnet the /64? CenturyLink isn't doing dot1q tagging to you, so you must have a router with tagged interfaces on your network.

Edit: I imagine this is because you want to use SLAAC.
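For what it's worth, a single /64 does subnet numerically; it's SLAAC that rules it out, since SLAAC requires a 64-bit interface identifier. A sketch with Python's ipaddress module (example prefix, and /72 is an arbitrary choice of sub-subnet size):

```python
import ipaddress

lan = ipaddress.IPv6Network("2001:db8:0:1::/64")  # the single delegated /64
subnets = list(lan.subnets(new_prefix=72))        # e.g. one /72 per VLAN

print(len(subnets))  # 256 - plenty of subnets, but none of them can run SLAAC
```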


> Edit: I imagine this is because you want to use SLAAC.

Not just because of SLAAC: prefixes longer than /64 are likely to mess with all sorts of assumptions built into networking gear. It may not be "correct", since there are valid reasons for subnets as small as a /127 (though they are used infrequently enough), but a lot of networking gear cheats with IPv6 routes to keep the amount of TCAM memory needed down. Why spend 128 bits per route and quadruple the memory required when you can go 64 bits per route, merely double it, and dump the longer prefixes to slower DRAM (I mean, you only use /127s for point-to-point links that don't need link-rate switching anyway)?

Regardless of anyone's philosophy of address assignment strategies, prefixes longer than /64 in IPv6 are unwise unless you want to degrade into worst-case routing paths on your network gear.


Somewhat of a good point, but I don't think it applies here. Some implementations, particularly inexpensive devices like SoCs, do an exact search on common prefix lengths like /64 and /48; I can't imagine this would be a huge problem within a home network, though. Even then, DRAM, which essentially means software switching, is rarely used. Further, you said you had six VLANs - that's well within the route scale of the vast majority of network devices regardless of how they implement their lookup data structures.

A good example: the SRX300, a desktop router/firewall implemented on a MIPS-based Cavium Octeon (both control and data plane), can handle up to 256K IPv6 routes: https://www.juniper.net/assets/us/en/local/pdf/datasheets/10...

The Trident series SoCs can do 8K by default, and 64K with ALPM enabled: https://www.juniper.net/us/en/local/pdf/datasheets/1000480-e...

>(I mean, you only use /127s for point-to-point links that don't need link-rate switching anyway)?

/126s and /127s are often used for point-to-point links for peering/transit. Line rate is table stakes. Bear in mind that the gear used in these situations has plentiful lookup memory (SRAM, RLDRAM, HMC, or HBM).


Because if you want SLAAC to work without NAT, the smallest IPv6 subnet you can have is a /64. So if your provider gives you just a single static /64, all you can allocate is a single subnet.


RFC 4193 "Unique Local Addresses" may be your only hope when you need multiple VLANs and only have a /64 allocation. You then use NPTv6. Basically, it's a bit like RFC 1918 + NAT. The horror...
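A rough sketch of ULA generation in Python (RFC 4193 derives the 40-bit Global ID from a hash of a timestamp and a MAC address; using plain randomness here is a simplification):

```python
import secrets
import ipaddress

# fd00::/8 prefix + 40 random Global ID bits = a /48 ULA block,
# leaving a 16-bit subnet ID for per-VLAN /64s.
global_id = secrets.randbits(40)
ula = ipaddress.IPv6Network(((0xfd << 120) | (global_id << 80), 48))

print(ula)             # e.g. fd3c:91a2:5b7e::/48 (random each run)
print(2 ** (64 - 48))  # 65536 possible /64 subnets inside it
```

You'd then put one of those /64s on each VLAN and translate at the edge with NPTv6 (RFC 6296).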


As much as I dislike the rest of their business, I have to give credit to Comcast for assigning up to a /60 if the router requests it. Of course a /56 would be better, but 16 networks should be good enough for any home network, right? <g>
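The arithmetic checks out: a /60 leaves 4 bits of subnet ID before the /64 boundary. In Python (example prefix):

```python
import ipaddress

pd = ipaddress.IPv6Network("2001:db8:0:10::/60")  # example /60 delegation
print(len(list(pd.subnets(new_prefix=64))))       # 16 SLAAC-capable /64s
```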


>2^64 link layer connections are probably not present in a competently designed IPv6 network.

From the article: "Provides a very simple mechanism for a single host or interface to be able to run 2^64 virtual machines"

That equates to AT LEAST 2^64 NDP entries. And when the L3 domain is scoped to that of a single hypervisor, router redirects are not relevant.


Isn't the presentation talking about each host acting as a router? So any gateway only needs to know about the prefixes that are the next hop downstream, not every single host.

Maybe I have this wrong, but I think the idea here operates more at layer 3, whereas you are imagining everything sharing the same layer-2 network?


This seems off-topic. 64-bit networks for whole companies vs. 64-bit networks per host makes no difference for the attacks you are thinking about.


One of the benefits of /64 per host is there is no NDP since the only neighbor is your router.


Additionally, you can install the routing software on the server itself, let it form a neighborship with the ToR router(s), and use ECMP directly from the server in multi-NIC scenarios. ECMP failover/recovery is faster and simpler (and vendor-agnostic) compared to link aggregation protocols. Basically, each rack becomes its own OSPF totally stubby area, and the data center core runs as area 0.
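As a rough sketch of the ToR side of that design, in Cisco-style OSPFv3 syntax (the process ID and area number are made up): a totally stubby area suppresses inter-area and external routes, so each rack learns only a default route from its ToR.

```
ipv6 router ospf 1
 area 1 stub no-summary
```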


BIRD or another BGP daemon on the host running VMs/containers is what Calico does. We had it peer with our ToR "switches" over BGP.

We could do zero-downtime live migration of workloads (1 or 2 packets lost) from one hypervisor host to another, and had full ECMP capabilities.

We did this with both IPv4 and IPv6. There is nothing special about IPv6, but it does make it easier to aggregate routes.
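A minimal BIRD 2 sketch of such a hypervisor-to-ToR session (the ASNs, neighbor address, and exported prefix range are all invented for illustration; Calico generates its own configuration rather than anything hand-written like this):

```
protocol bgp tor {
  local as 65101;
  neighbor 2001:db8:ff::1 as 65000;
  ipv6 {
    import none;
    export where net ~ [ 2001:db8:100::/56+ ];  # announce local workload prefixes
  };
}
```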


I'm speaking from the perspective of the router (or physical host) which must maintain NDP entries.




