North American Network Operators Group
Re: v6 subnet size for DSL & leased line customers
> > The primary reasons I see for separate networks on v6 would include
> > firewall policy (DMZ, separate departmental networks, etc)...
>
> This is certainly one reason for such things.

Really, in most "small business" networks I've seen, it's by far the main
one if we want to be honest about it. The use of multiple networks to
increase performance, for example, is something you can design around
differently, and modern hardware supports things like LAG without having
to get into the realm of unimaginably expensive hardware. Even if you do
end up putting a quad-port ethernet into a server with v6, the sizes of
the allocations we're discussing would allow you 64 completely separate
"workgroups" with their own server at the /56 allocation size
(64 * 4 = 256).

> > And I'm having some trouble envisioning a residential end user that
> > honestly has a need for 256 networks with sufficiently different
> > policies. Or that a firewall device can't reasonably deal with those
> > policies even on a single network, since you mainly need to protect
> > devices from external access.
>
> Perhaps this is a lack of imagination.
>
> Imagine that your ethernet->bluetooth gateway wants to treat the
> bluetooth and ethernet segments as separate routed segments.

That /is/ a lack of imagination. ;-) Or, at least, reaching pretty far.
The history of these sorts of devices has been, to date, one of trying to
keep network configuration simple enough that an average user can use
them. That implies a default mode of bridging will be available.

> Now, imagine that some of your bluetooth connected devices have reasons
> to have some topology behind them... For example, you have a master
> appliance control center which connects via Bluetooth to your network,
> but uses a different household control bus network to talk to various
> appliances. For security reasons, you've decided not to have your
> kitchen appliances be able to talk to your media devices (Who wants
> a virus in some downloaded movie to be able to change the temperature
> in your refrigerator?).

Yes, and? You're saying there are no access controls at the gateway
level? I'm not entirely sure that I care for the idea of making people
route things at the IP level just so they can protect their fridge from
their DVD.

> > I keep coming to the conclusion that an end-user can be made to work
> > on a /64, even though a /56 is probably a better choice. I can't find
> > the rationale from the end-user's side to allocate a /48. I can maybe
> > see it if you want to justify it from the provider's side, the cost
> > of dealing with multiple prefix sizes.
>
> I can easily envision the need for more than a /64 in the average home
> within short order.

You should probably correct that from "need" to "want." There is nothing
preventing the deployment of all of the below on a single /64; it would
simply mean that there would be a market for smart firewalling switches
that could isolate devices by address or range, rather than having smart
firewalling routers that could isolate devices by subnet.

> If nothing else, the average home will probably
> want to be able to accommodate:
>
> Guest network
> Home wired network
> Wireless network(s)
> Bluetooth segment(s)
> Media network
> Appliance Control network
> Lighting Control network
> etc.
>
> However, I agree that in any vision I can come up with today, the need
> for more than 256 is beyond my current imagination.

Again, I think this comes down to a matter of how configuration is going
to be handled. I suspect that we're not going to see a substantial
increase in sophistication on the part of end users. I /believe/ that
this will likely mean that device manufacturers will be building devices
that don't rely on routing for IPv6, since if I go on down to my
employer's network and plug in a bluetooth gateway, there's really no
guarantee that I'm going to be able to get my employer's network to
magically route a network at my gateway, but it's pretty obvious that my
device can play the role of a bridge.

If we have significant customer-side routing of IPv6, then there's going
to need to be some way to manage that. I guess that's RIPv6/ng. :-)

More likely-seeming to me would be that a provider might be willing to
provide a CPE device that had 4, 8, or even 16 jacks on it - a
mini-router with a separate /64 on each port, less "magic" to be figured
out by the end user. This leaves the question of how much you want to
trust your ISP's CPE for firewalling policy ... among other things.

> I think it makes sense to assign as follows:
>
> /64 for the average current home user.
> /56 for any home user that wants more than one subnet
> /48 for any home user that can show need.

I'd say skip the /64 and /48. Don't do the /64, as future-proofing. A
/48 is just something I cannot see need for, given the number of
addresses available as a /56, unless the "home user" is actually
providing connectivity to a bunch of his nearby friends and neighbors.
Having fewer options is going to be easier for the ISP, I suspect.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and]
then I won't contact you again." - Direct Marketing Ass'n position on
e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many
apples.