IPv6 Subnet Allocation

Started by cdnjay, October 30, 2014, 06:56:53 PM

cdnjay

Hi, so I have my /64 from HE and my clients are properly generating their addresses through SLAAC from that subnet. My question relates to needing to have a range of addresses reserved for our VPN service and a couple of other things. Can I take these from the same subnet that I'm using for SLAAC, or do I need to get a /48 for this and then route between subnets? Also, can I consider SLAAC addresses to be static, or is it better to actually assign static addresses to things like DNS, etc.?

cholzhauer

You need a /48 to have multiple subnets like you've described.

SLAAC can be considered static, but you're better off assigning manual addresses for them. The issue comes when you migrate to a new server. If your old DNS server had a SLAAC-assigned address, now you have to manually assign that address to your new DNS server... a few months down the road you'll be wondering where that horrible-looking address ever came from. You're free to have both a static and a SLAAC address on one server... there's nothing technically wrong with that.

cdnjay

OK, so SLAAC can technically generate any address with EUI-64 from within a /64 (such as FFFF:FFFF:FFFF:FFFF::1)? Good point about migrating services in the future. I don't hate the idea of having one subnet for DHCP/static allocation, another for SLAAC and another for guest WiFi, but I don't really want to have to route between them if I can avoid it.

Thanks!

cholzhauer

Quote from: cdnjay on October 30, 2014, 07:48:55 PM
OK, so SLAAC can technically generate any address with EUI-64 from within a /64 (such as FFFF:FFFF:FFFF:FFFF::1)?

Technically yes, but since it's generated based on MAC address, I don't think you'll ever see an address as "clean" as that.

I'd be careful with separating SLAAC and DHCP on different /64's and using both to assign addresses to one machine... keep your end goal in mind here. If you assign IP addresses from different networks to different interfaces on a computer, you're turning it into a router. If you don't need all the "extras" provided by DHCPv6, SLAAC works just fine.

cdnjay

I think I'd prefer, at least for now, to stick with SLAAC and just distribute DNS details via DHCPv6, but I still need 100 or so static addresses for specific services and I'm not sure where to get those from if I have to dedicate an entire /64 to SLAAC. I guess my only option is to assign the /48 to the tunnel and have two separate subnets and route between them? Unless there's some way to use a /63 or /62 but only tie SLAAC to a /64 within that prefix?

kriteknetworks

There is no reason logically or practically to think about /62 or /63, a /48 has 65535 /64s.
Subnet on /64.

cholzhauer

+1

Get the /48 and make use of your 64k worth of /64's in any way your heart desires.

cdnjay

OK, thanks. I guess I'll just get the /48 and use one subnet for SLAAC and another for everything else, then route between them.

mattwilson9090

There's no reason you have to put the statically assigned addresses in a different subnet from the devices that are getting addresses from SLAAC. When addresses are being assigned via SLAAC they won't grab an address that is already in use.

With IPv4 it's common to have servers and printers assigned static addresses from within the subnet, and then assign addresses to the remaining devices via DHCP. The same concept works in IPv6, except the dynamic addresses can come from SLAAC as well as DHCPv6.
Matt Wilson

cdnjay

The main problem with static addresses within the SLAAC range is that a conflict might occur? In which case SLAAC will detect that without actually causing a conflict, but the SLAAC auto-configuration will also fail instead of trying again with a different address? I'm trying to configure this with a SonicWALL; it appears that I at least need to have one static address in the SLAAC range for the LAN interface. From there it can then advertise that subnet for SLAAC for everything else.

cholzhauer

No, RA/SLAAC has a built-in mechanism to avoid duplicate IP addresses.

Yes, if you're asking your SonicWall to do SLAAC, you need to give it a static address on that interface that's in the same range as you wish to automagically assign. Some devices will make you specify the /64 you want to dole out addresses from; I don't know about SonicWall.
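The built-in mechanism referred to above is Duplicate Address Detection (RFC 4862 section 5.4): before a host uses a SLAAC address it marks it tentative and multicasts a Neighbor Solicitation for it from the unspecified address to the address's solicited-node group; a Neighbor Advertisement for that target, or a solicitation for it from another node that is also in DAD, means the address is already taken and must not be used. The following is an added example and not code from the thread. It builds and validates those messages (including the ICMPv6 pseudo-header checksum and the hop-limit 255 rule) and applies the decision rule to a constructed capture; the prefix 2001:db8::/64 is the documentation prefix, and build_dad_answer stands in for whatever a node that already holds the address would send.

```python
"""Duplicate Address Detection (RFC 4862 section 5.4) as seen on the wire.

Added example, not code from the thread. Addresses are documentation values.
"""
import ipaddress
import struct
from typing import Iterable, Optional, Tuple

ICMPV6 = 58
NS_TYPE, NA_TYPE = 135, 136
UNSPECIFIED = ipaddress.IPv6Address("::")
ALL_NODES = ipaddress.IPv6Address("ff02::1")
NA_OVERRIDE = 0x20000000                 # O flag in the NA reserved/flags word


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX carrying the low 24 bits of the target (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                   # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address, icmp: bytes) -> int:
    """Checksum over the RFC 8200 pseudo-header (src, dst, length, zeros, next header) + message."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), ICMPV6)
    return (~ones_complement_sum(pseudo + icmp)) & 0xFFFF


def build_ndp(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address, msg_type: int,
              target: ipaddress.IPv6Address, flags: int = 0) -> bytes:
    """IPv6 header + NS/NA body (no options). NDP requires hop limit 255 (RFC 4861)."""
    icmp = struct.pack("!BBHI", msg_type, 0, 0, flags) + target.packed
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + src.packed + dst.packed
    return hdr + icmp


def build_dad_ns(tentative: str) -> bytes:
    """The DAD probe: source is the unspecified address, destination the solicited-node group."""
    return build_ndp(UNSPECIFIED, solicited_node(tentative), NS_TYPE, ipaddress.IPv6Address(tentative))


def build_dad_answer(address: str) -> bytes:
    """Stand-in for the reply of a node that already owns the address: NA to all-nodes, O flag set."""
    owner = ipaddress.IPv6Address(address)
    return build_ndp(owner, ALL_NODES, NA_TYPE, owner, flags=NA_OVERRIDE)


def parse_ndp(frame: bytes) -> Optional[Tuple[ipaddress.IPv6Address, ipaddress.IPv6Address, int,
                                              ipaddress.IPv6Address]]:
    """(src, dst, type, target) for a well-formed NS/NA with a valid checksum, else None."""
    if len(frame) < 64 or frame[0] >> 4 != 6 or frame[6] != ICMPV6 or frame[7] != 255:
        return None
    src = ipaddress.IPv6Address(frame[8:24])
    dst = ipaddress.IPv6Address(frame[24:40])
    icmp = frame[40:40 + struct.unpack("!H", frame[4:6])[0]]
    if len(icmp) < 24 or icmp[0] not in (NS_TYPE, NA_TYPE):
        return None
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), ICMPV6)
    if ones_complement_sum(pseudo + icmp) != 0xFFFF:   # received checksum must verify to all-ones
        return None
    return src, dst, icmp[0], ipaddress.IPv6Address(icmp[8:24])


def dad_outcome(tentative: str, frames_seen: Iterable[bytes]) -> str:
    """'duplicate' if an NA names the tentative address, or another node is probing it (NS from ::).

    frames_seen must not include the host's own probe (RFC 4862 5.4.3: ignore looped-back copies).
    """
    target = ipaddress.IPv6Address(tentative)
    for frame in frames_seen:
        parsed = parse_ndp(frame)
        if parsed is None:
            continue
        src, _dst, msg_type, tgt = parsed
        if tgt != target:
            continue
        if msg_type == NA_TYPE or (msg_type == NS_TYPE and src == UNSPECIFIED):
            return "duplicate"
    return "unique"


if __name__ == "__main__":
    tentative = "2001:db8::211:22ff:fe33:4455"       # EUI-64 address of MAC 00:11:22:33:44:55
    print(solicited_node(tentative))                 # ff02::1:ff33:4455
    print(dad_outcome(tentative, []))                # unique: nobody answered
    print(dad_outcome(tentative, [build_dad_answer(tentative)]))   # duplicate
```

Per RFC 4862 the outcome on "duplicate" is that the tentative address is simply not assigned; whether the host then tries another identifier is a separate policy question (section 5.4.5), which is what the rest of the thread goes on to discuss.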

cdnjay

But is the built-in mechanism to detect and fail or is it to try again with a different address? Not sure how the privacy extensions play into this but I thought if it couldn't get the MAC-based address it wanted then it would just fail.

cholzhauer


cdnjay

Are you referring to 5.4.5? As I understand it that just says it may retry if the address has been formed with privacy extensions.

That being said, using this calculator it doesn't seem possible for a single-quad host ID such as ::100 to be formed from a valid MAC address, so it's probably safe to use a range like ::1 - ::1000 for static addresses. Not sure if that's actually defined anywhere though, or if it's possible using privacy extensions.

http://silmor.de/ipaddrcalc.html#ip6

mattwilson9090

The privacy extensions will generate an address anywhere within their subnet. With a standard /64 subnet that's a lot of possible addresses. The odds of a collision with a static address are close enough to zero that I wouldn't worry about it. Especially since most people using static addresses put them at the very highest or lowest end of the range just to make things easier to remember and read.

Personally, I always leave the privacy extensions enabled. For a whole lot of reasons, including tracking by commercial or governmental entities I really don't need an address out on the internet that can be tied to a specific piece of hardware, though I do understand that it's trivially simple to assign a different MAC address to just about everything.

And though I haven't made an in-depth look into the IPv6 addresses that are generated via a MAC address, it's always a 1:1 correlation which amounts to the MAC address plus some padding. It's not a hash, so I don't see how an address that only uses the first or last octet, with everything else being zeros, would create a collision with SLAAC addresses derived from the MAC.

Honestly, I think you're overthinking things and trying to make them far more complex than they need to be. Just as with IPv4, go ahead and put all of your static and dynamic IPv6 addresses in the same subnet. In this area at least, IPv6 isn't significantly different from IPv4, and unless you have a specific need it doesn't need to be treated any differently. As I've said in several presentations on IPv6, forget everything you've ever learned about IPv4, and then be guided by what you do and know in IPv4. Meaning it's different, but related.
Matt Wilson
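The question raised a few posts up (can a hand-picked address like ::100 ever be produced from a MAC?) and the "MAC plus padding" description in the post above, worked through in code. This is an added example and not part of the thread; the prefix 2001:db8::/64 is the documentation prefix and the MAC 00:11:22:33:44:55 is a made-up value. Modified EUI-64 (RFC 4291 appendix A) inserts ff:fe between the two halves of the MAC and inverts the universal/local bit, so every MAC-derived interface identifier carries ff:fe in its fourth and fifth bytes; the smallest identifier with that shape is ::ff:fe00:0, so a static block such as ::1 - ::1000 can never collide with one. RFC 4941 temporary identifiers only clear the u/l bit, so in principle they can land anywhere else in the /64, which is the case the post above describes.

```python
"""Can a hand-picked static address such as 2001:db8::100 collide with a
SLAAC address?  Added example, not code from the thread; the /64 and the
MAC used below are documentation values chosen for illustration.
"""
import ipaddress
from typing import Optional

EUI64_MARKER = 0xFFFE << 24            # ff:fe occupies bytes 4-5 of the 8-byte identifier
EUI64_MIDDLE_MASK = 0xFFFF << 24
IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 identifier from a 48-bit MAC: OUI | ff fe | NIC part, u/l bit inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02           # invert the universal/local bit (bit 6 of the first octet)
    return int.from_bytes(bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:], "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address SLAAC forms from a /64 prefix and a MAC (privacy extensions off)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are 64 bits, so the prefix must be a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def iid(addr: str) -> int:
    """The interface identifier: low 64 bits of the address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def is_eui64_shaped(addr: str) -> bool:
    """True if the identifier carries the ff:fe marker, i.e. could have come from a MAC."""
    return (iid(addr) & EUI64_MIDDLE_MASK) == EUI64_MARKER


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address (the tracking concern behind privacy extensions)."""
    if not is_eui64_shaped(addr):
        return None
    b = iid(addr).to_bytes(8, "big")
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def could_be_privacy_iid(addr: str) -> bool:
    """RFC 4941 temporary identifiers clear the u/l bit; that is their only fixed bit."""
    return (iid(addr) >> 57) & 1 == 0


def lowest_eui64_iid_at_or_above(x: int) -> Optional[int]:
    """Smallest EUI-64-shaped identifier >= x, or None if there is none below 2**64."""
    top = x >> 40                                    # the three OUI-derived bytes
    base = (top << 40) | EUI64_MARKER
    if x <= base:
        return base
    if x <= base | 0xFFFFFF:                         # x already has ff:fe in the middle
        return x
    top += 1
    return (top << 40) | EUI64_MARKER if top < (1 << 24) else None


def static_block_safe_from_eui64(first_iid: int, last_iid: int) -> bool:
    """True if no MAC-derived SLAAC address can land in [first_iid, last_iid]."""
    nxt = lowest_eui64_iid_at_or_above(first_iid)
    return nxt is None or nxt > last_iid


if __name__ == "__main__":
    addr = slaac_address("2001:db8::/64", "00:11:22:33:44:55")
    print(addr)                                       # 2001:db8::211:22ff:fe33:4455
    print(mac_from_address(str(addr)))                # 00:11:22:33:44:55
    print(is_eui64_shaped("2001:db8::100"))           # False
    print(static_block_safe_from_eui64(0x1, 0x1000))  # True: no EUI-64 identifier below ::ff:fe00:0
    print(could_be_privacy_iid("2001:db8::100"))      # True: a temporary address could, in theory, be ::100
```

The structural argument only covers MAC-derived identifiers; for privacy addresses the protection is probabilistic (one in 2^63 per generated address) plus Duplicate Address Detection, which is why reserving the low end of the /64 for static hosts is safe in practice even with temporary addresses in use.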