Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: Stateless vs. Stateful  (Read 2559 times)

bhamacher

  • Newbie
  • Posts: 1
Stateless vs. Stateful
« on: December 03, 2012, 03:00:45 PM »

I am struggling with deploying a stateless vs. stateful network.  I am used to all IP addresses being logged and recording the MAC address that requested them.  As an ISP, should I be concerned about a stateless deployment and not knowing who has what IPv6 address?  With a stateless configuration I don't see how I would even know how many /64s are in use.

I guess what I am looking for is a good book or break down of what options I can implement on my network to maintain some control over the IP Address scheme.  How do others handle this now?  I would like to do DHCPv6-PD to all of my end users that can accept it.  Is this the right deployment option?

Any input would be appreciated.

Thank You


kasperd

  • Founder, Netiter ApS
  • Hero Member
  • Posts: 952
Re: Stateless vs. Stateful
« Reply #1 on: December 03, 2012, 04:11:43 PM »

I suggest you aim for a setup where you don't keep track of individual addresses, but you do keep track of which prefixes are assigned to which customers.

You should assign a /64 to the link between your network and the CPE. If possible, I recommend that you use a different /64 for each customer. How to do that depends on the link layer technology. I only know how to do it on Ethernet, and most ISPs are using a different link layer protocol than Ethernet.

On Ethernet it would be easier to configure a shared /64 connecting a core router to a number of CPE routers. But that comes with the drawback that there are certain vulnerabilities that haven't been patched on all systems yet, because they can only be exploited by an adversary on the same segment. Additionally, it becomes harder to figure out who has been using a specific IP address.

With Ethernet, the solution would be VLANs. With a separate VLAN for each port and a core router that can communicate on all the VLANs, it is possible to assign a /64 to the link to each customer. It means one more hop for packets between two customers on the same switch, otherwise customers won't see a difference.

I suppose other link layer technologies have ways to achieve the same.

Doing DHCPv6-PD as well sounds like the right way to go. When the DHCPv6 server delegates a prefix it should also log information about which customer it was delegated to. If you already have logs indicating which /64 is used on the link to each customer, you just need the DHCPv6 server to log delegated prefix and corresponding next hop.

As much as possible you want a static allocation of IPv6 prefixes to customers. It means it is easier for you to keep track of the addresses, and it is easier for the customers when they can rely on their addresses being static.

What to allocate for each customer is another question. Two of the many possible approaches are:
  • Allocate a link /64 as well as a routed /48 to each customer and keep it at that. Regardless of what the router requests, it receives a /48. Only one router per customer at any given time.
  • Allocate a /48 per customer and allocate a link /64 out of that. The DHCPv6 server needs to know which addresses it has to work with, and it can never delegate a full /48. But it could delegate 15 separate /52s allowing the customer to bring up 15 separate routers on the link.
There are many other ways to do it, so just pick one which feels right to you.
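The second allocation scheme above (a /48 per customer, with the link /64 carved out of it and the other fifteen /52s left for DHCPv6-PD) and the suggested logging (static link /64 per customer, plus a PD log of delegated prefix and next hop) can be combined into a lookup that answers the original question: who held a given IPv6 address at a given time. The following Python is an added example, not code from the thread or from Hurricane Electric; the customer plan, the PD log rows and the `2001:db8::/32` documentation addresses are all constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed plan: one static /48 per customer (hypothetical customer IDs).
CUSTOMER_SITES = {
    "cust-1001": ipaddress.IPv6Network("2001:db8:1001::/48"),
    "cust-1002": ipaddress.IPv6Network("2001:db8:1002::/48"),
}


def carve_customer_prefix(site):
    """Split a customer's /48 into the link /64 and the /52s the DHCPv6 server
    may delegate. The link /64 is the first /64 of the first /52, so that /52
    is held back and the remaining 15 /52s are delegable (one per CPE router)."""
    if site.prefixlen != 48:
        raise ValueError("expected a /48 per customer")
    subs52 = list(site.subnets(new_prefix=52))        # 16 x /52
    link64 = next(subs52[0].subnets(new_prefix=64))   # first /64 of first /52
    return link64, subs52[1:]                          # 15 delegable /52s


# Static map: link /64 -> customer, derived from the plan (no per-address state).
LINK64_TO_CUSTOMER = {
    carve_customer_prefix(site)[0]: cust for cust, site in CUSTOMER_SITES.items()
}

# Constructed DHCPv6-PD server log: delegated prefix, next hop (the CPE's
# address on its link /64), lease start and lease end (naive UTC timestamps).
PD_LOG = [
    ("2001:db8:1001:1000::/52", "2001:db8:1001::2", "2012-12-01T00:00:00", "2012-12-04T00:00:00"),
    ("2001:db8:1001:2000::/52", "2001:db8:1001::3", "2012-12-03T10:00:00", "2012-12-03T18:00:00"),
    ("2001:db8:1002:1000::/52", "2001:db8:1002::2", "2012-12-02T00:00:00", "2012-12-05T00:00:00"),
]


def parse_pd_log(rows):
    return [
        (ipaddress.IPv6Network(prefix), ipaddress.IPv6Address(nexthop),
         datetime.fromisoformat(start), datetime.fromisoformat(end))
        for prefix, nexthop, start, end in rows
    ]


def customer_for_address(addr, at, pd_records, link_map=LINK64_TO_CUSTOMER,
                         sites=CUSTOMER_SITES):
    """Return (customer_id, reason) for the customer holding `addr` at time `at`,
    or None. Link addresses resolve directly through the static link map;
    delegated addresses resolve through the PD lease active at `at`, whose next
    hop must lie on a known link /64. A delegation whose prefix is not inside
    the resolved customer's /48 is flagged rather than trusted."""
    addr = ipaddress.IPv6Address(addr)
    for link64, cust in link_map.items():
        if addr in link64:
            return cust, f"link {link64}"
    for prefix, nexthop, start, end in pd_records:
        if addr in prefix and start <= at < end:
            for link64, cust in link_map.items():
                if nexthop in link64:
                    if not prefix.subnet_of(sites[cust]):
                        raise ValueError(
                            f"PD log inconsistency: {prefix} delegated via "
                            f"{nexthop} ({cust}) lies outside {sites[cust]}")
                    return cust, f"delegated {prefix} via next hop {nexthop}"
    return None


if __name__ == "__main__":
    records = parse_pd_log(PD_LOG)
    link64, delegable = carve_customer_prefix(CUSTOMER_SITES["cust-1001"])
    print("link:", link64, "delegable:", len(delegable))
    print(customer_for_address("2001:db8:1001:2abc::1", datetime(2012, 12, 3, 12), records))
    print(customer_for_address("2001:db8:1001:2abc::1", datetime(2012, 12, 3, 20), records))
```

The lookup never needs per-host state: a link address is answered from the static plan alone, and a delegated address needs only the PD lease that was active at the time plus the link /64 the lease's next hop sits on, which is exactly the pair of records the reply says to keep. The same address can legitimately resolve to nobody once the lease has expired, so the time argument matters for abuse reports.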