Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: cdnjay on October 30, 2014, 06:56:53 PM

Title: IPv6 Subnet Allocation
Post by: cdnjay on October 30, 2014, 06:56:53 PM
Hi, so I have my /64 from HE and my clients are properly generating their addresses through SLAAC from that subnet. My question relates to needing to have a range of addresses reserved for our VPN service and a couple of other things. Can I take these from the same subnet that I'm using for SLAAC or do I need to get a /48 for this and then route between subnets? Also, can I consider SLAAC addresses to be static or is it better to actually assign static addresses to things like DNS, etc.
Title: Re: IPv6 Subnet Allocation
Post by: cholzhauer on October 30, 2014, 07:02:11 PM
You need a /48 to have multiple subnets like you've described.

SLAAC can be considered static, but you're better off to assign manual addresses for them.  The issue becomes when you migrate to a new server.  If your old DNS server had a SLAAC assigned address, now you have to manually assign that address to your new DNS server...a few months down the road you'll be wondering where that horrible looking address ever came from.  You're free to have both a static and SLAAC address on one server...there's nothing technically wrong with that.
Title: Re: IPv6 Subnet Allocation
Post by: cdnjay on October 30, 2014, 07:48:55 PM
OK, so SLAAC can technically generate any address with eui-64 from within a /64 (such as FFFF:FFFF:FFFF:FFFF::1)? Good point about migrating services in the future. I don't hate the idea of having one subnet for DHCP/static allocation and another for SLAAC and another for guest WiFi but I don't really want to have to route between them if I can avoid it.

Thanks!
Title: Re: IPv6 Subnet Allocation
Post by: cholzhauer on October 30, 2014, 07:55:07 PM
Quote from cdnjay: "OK, so SLAAC can technically generate any address with eui-64 from within a /64 (such as FFFF:FFFF:FFFF:FFFF::1)?"

Technically yes, but since it's generated based on MAC address, I don't think you'll ever see an address as "clean" as that.

I'd be careful with separating SLAAC and DHCP on different /64's and using both to assign addresses to one machine...keep your end goal in mind here.  If you assign IP addresses from different networks to different interfaces on a computer, you're turning it into a router.  If you don't need all the "extras" provided by DHCPv6, SLAAC works just fine.
Title: Re: IPv6 Subnet Allocation
Post by: cdnjay on October 30, 2014, 08:06:42 PM
I think I'd prefer, at least for now, to stick with SLAAC and just distribute DNS details via DHCPv6 but I still need 100 or so static addresses for specific services and I'm not sure where to get those from if I have to dedicate an entire /64 to SLAAC. I guess my only option is to assign the /48 to the tunnel and have two separate subnets and route between them? Unless there's some way to use a /63 or /62 but only tie SLAAC to a /64 within that prefix?
Title: Re: IPv6 Subnet Allocation
Post by: kriteknetworks on October 31, 2014, 05:04:41 AM
There is no reason logically or practically to think about /62 or /63, a /48 has 65535 /64s.
Subnet on /64.
Title: Re: IPv6 Subnet Allocation
Post by: cholzhauer on October 31, 2014, 05:06:33 AM
+1

Get the /48 and make use of your 64k worth of /64's in any way your heart desires.
Title: Re: IPv6 Subnet Allocation
Post by: cdnjay on October 31, 2014, 08:26:59 AM
OK, thanks. I guess I'll just get the /48 and use one subnet for SLAAC and another for everything else, then route between them.
Title: Re: IPv6 Subnet Allocation
Post by: mattwilson9090 on November 01, 2014, 06:59:15 PM
There's no reason you have to put the statically assigned addresses in a different subnet from the devices that are getting addresses from SLAAC. When addresses are being assigned via SLAAC they won't grab an address that is already in use.

With IPv4 it's common to have servers and printers assigned static addresses from within the subnet, and then assign addresses to the remaining devices via DHCP. The same concept works in IPv6 except the dynamic addresses can come from SLAAC as well as DHCPv6.
Title: Re: IPv6 Subnet Allocation
Post by: cdnjay on November 03, 2014, 08:50:57 AM
The main problem with static addresses within the SLAAC range is that a conflict might occur? In which case SLAAC will detect that without actually causing a conflict but the SLAAC auto configure will also fail instead of trying again with a different address? I'm trying to configure this with a SonicWALL, it appears that I at least need to have one static address in the SLAAC range for the LAN interface. From there it can then advertise that subnet for SLAAC for everything else.
Title: Re: IPv6 Subnet Allocation
Post by: cholzhauer on November 03, 2014, 08:52:57 AM
No, RA/SLAAC has a built-in mechanism to avoid duplicate IP addresses.

Yes, if you're asking your SonicWall to do SLAAC, you need to give it a static address on that interface that's in the same range as you wish to automagically assign.  Some devices will make you specify the /64 you want to dole out addresses from; I don't know about SonicWall.
Title: Re: IPv6 Subnet Allocation
Post by: cdnjay on November 03, 2014, 10:02:16 AM
But is the built-in mechanism to detect and fail or is it to try again with a different address? Not sure how the privacy extensions play into this but I thought if it couldn't get the MAC-based address it wanted then it would just fail.
Title: Re: IPv6 Subnet Allocation
Post by: cholzhauer on November 03, 2014, 10:02:56 AM
It'll try with another address

http://tools.ietf.org/html/rfc4862#page-12
Title: Re: IPv6 Subnet Allocation
Post by: cdnjay on November 03, 2014, 11:36:27 AM
Are you referring to 5.4.5? As I understand it that just says it may retry if the address has been formed with privacy extensions.

That being said using this calculator it doesn't seem possible for a single quad host ID such as ::100 to be formed from a valid MAC address so it's probably safe to use a range like ::1 - ::1000 for static addresses. Not sure if that's actually defined anywhere though or if it's possible using privacy extensions.

http://silmor.de/ipaddrcalc.html#ip6
Title: Re: IPv6 Subnet Allocation
Post by: mattwilson9090 on November 04, 2014, 03:50:17 PM
The privacy extensions will generate an address anywhere within their subnet. With a standard /64 subnet that's a lot of possible addresses. The odds of a collision with a static address are close enough to zero that I wouldn't worry about it. Especially since most people using static addresses put them at the very highest or lowest end of the range just to make things easier to remember and read.

Personally, I always leave the privacy extensions enabled. For a whole lot of reasons, including tracking by commercial or governmental entities, I really don't need an address out on the internet that can be tied to a specific piece of hardware, though I do understand that it's trivially simple to assign a different MAC address to just about everything.

And though I haven't made an in-depth look into the IPv6 addresses that are generated via a MAC address, it's always a 1:1 correlation which amounts to the MAC address plus some padding. It's not a hash, so I don't see how an address that only uses the first or last octet, with everything else being zeros, would create a collision with SLAAC addresses derived from the MAC.

Honestly, I think you're overthinking things and trying to make them far more complex than they need to be. Just as with IPv4 go ahead and put all of your static and dynamic IPv6 addresses in the same subnet. In this area at least, IPv6 isn't significantly different from IPv4, and unless you have a specific need doesn't need to be treated any differently. As I've said in several presentations on IPv6, forget everything you've ever learned about IPv4, and then be guided by what you do and know in IPv4. Meaning it's different, but related.
Title: Re: IPv6 Subnet Allocation
Post by: cdnjay on November 05, 2014, 10:22:32 AM
Haha, you're probably right. It just seems weird to me this notion that a SLAAC address can be anything within a /64 and yet some static addresses are still required (like for the LAN interface on the router) and yet there's no range of addresses in a SLAAC /64 reserved for that. Like you say though, the odds of a collision are pretty much non-existent with there being about 18 Quintillion addresses in a /64.
Title: Re: IPv6 Subnet Allocation
Post by: mattwilson9090 on November 05, 2014, 10:18:32 PM
Why would it be weird that some devices, especially a router in an IPv6 network need a static address? It's exactly the same in an IPv4 network, the router needs to have a static address.

Why would a range of IPv6 addresses need to be reserved for static addresses? Addresses in IPv4 aren't reserved that way as part of the spec.

Have you ever set up an IPv4 network and handled address assignments through a combination of static and dynamic addresses? The basic concepts aren't really different with IPv6, although with the massively larger numbers of addresses available to work with, a lot more options are opened up.

The biggest difference is that DHCPv6 can no longer provide all of the information that DHCPv4 could, especially the gateway address, which means that RA (router advertisement) is going to play a role as well unless you statically assign everything.
Title: Re: IPv6 Subnet Allocation
Post by: cdnjay on November 07, 2014, 10:23:52 AM
I find it weird because you don't define a range for SLAAC to use like you do with DHCPv4, it can just use anything in the /64 which makes it difficult to then guarantee that there will never be a conflict with a static IP in the same /64. It would just make more sense to me if there was something saying EUI-64 and the privacy extensions will use something within a specific range and we just need to make sure our static addresses are outside of that. As I mentioned earlier I'm pretty sure something where the first 3 of the last 4 quads are all zeroes will never be used with SLAAC for MAC -> EUI-64 (and if it's used with privacy extensions the system will retry), just can't find anything confirming that.
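Added example, not part of the original thread: the MAC-to-interface-ID mapping discussed above (modified EUI-64, RFC 4291 Appendix A) written out in Python, with a check of whether any address in a static range such as ::1 - ::1000 can ever be produced from a MAC. The prefix and MAC below are constructed sample values, the function names are hypothetical, and the check covers only MAC-derived addresses, not privacy-extension addresses, which are randomly generated.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface ID for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = raw[0] ^ 0x02  # invert the universal/local bit
    # Insert ff:fe between the OUI (first 3 bytes) and the last 3 bytes.
    iid = bytes([first]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the MAC-derived interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return net[mac_to_eui64_iid(mac)]


def iid_could_be_eui64(iid: int) -> bool:
    """True if bytes 3-4 of the interface ID are ff:fe (MAC-derived form)."""
    return (iid >> 24) & 0xFFFF == 0xFFFE


def static_range_collisions(first_iid: int, last_iid: int) -> list:
    """Interface IDs in [first_iid, last_iid] that a MAC could produce."""
    return [i for i in range(first_iid, last_iid + 1) if iid_could_be_eui64(i)]


# Smallest interface ID any MAC can map to: MAC 02:00:00:00:00:00,
# which becomes ::ff:fe00:0. Every static ID below it is out of reach.
MIN_EUI64_IID = mac_to_eui64_iid("02:00:00:00:00:00")

if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up MAC).
    print(slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55"))
    print("lowest MAC-derived interface ID:", hex(MIN_EUI64_IID))
    print("collisions in ::1 - ::1000:", static_range_collisions(0x1, 0x1000))
```
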
Title: Re: IPv6 Subnet Allocation
Post by: mattwilson9090 on November 07, 2014, 01:10:56 PM
Even with DHCPv4 you can still get a conflict with a static IP if someone assigns an address that is within the assigned range. There is no technological guarantee that there will never be a conflict. Both IPv4 and IPv6 have mechanisms in place for resolving a conflict like that if it takes place.

It doesn't really matter though. A single /64 has 2^32 more addresses than the entirety of all addresses in all of IPv4. The odds of you choosing a static address that is going to create a conflict with dynamically assigned addresses are so small as to effectively be zero.

Best to just stop overthinking all of this and to design your IPv6 network, including whatever standards you want in place for assigning static addresses.