On 23/02/17 11:20, Philip Homburg wrote: >>> Nobody is saying that /64 isn't extremely widely used where it's >>> appropriate to have a portable fixed length IID. Set the default >>> at 64 and trust operators to change it where they need to. >>> That's realistic. >> As a host developer I strongly oppose that. It will make life easier for >> network operators but make life harder for host OS developers, host >> operators, and host users. >> >> And it is absolutely inappropriate to change this now in given that the /64 >> boundary has been the standard for the last 20 years. It will break >> deployed code that relies on the current standard. (That includes concrete >> code I can point to that I know runs on tens of millions of devices.) >> That's not acceptable to do in a standard reclassification. > > I'm curious about the issues the host developer faces. > > For DHCP IA_NA, the host should not care about the length of the IID. The > host just configures the address as a whole. Not need to look at the prefix > length. For stateful DHCPv6 the prefix length should also be /64 and should allow multiple addresses, at least in my opinion. And I have seen several devices that only allowed configuration of /64 prefixes (printers, etc) for even static addresses, which is a perfectly valid assumption right now. So we see SLAAC, ILNP and NPT66 requiring 64-bit prefix length. But these cases all cover edge networks, with hosts, printers and similar nodes. Keeping the requirement (or moving to SHOULD) for edge networks seems reasonable to me. However, this does not make the carrier use case any less relevant. The main problem with /64 is TCAM exhaustion through ND attacks. Because NDP follows a multicast discovery model, it simply does not scale up to 2^64 addresses in a subnet when being scanned/attacked. A subscription model (like WiFi proxyNDP does) would scale a lot better. This is something that needs to be addressed as well, separately. Another problem carriers face is that /127 can not be configured on a lot of routers, because of the subnet router anycast requirement that was only lifted for /127 with rfc6164 in 2011. That means that operationally people go out-of-spec, because frankly, going out-of-spec works more reliably and consistently. And because /64s don't really work for inter-router-links because of the attack surface, and /127s don't really work because of older routers, people will start configuring /126 for inter-router-links and /125 and (slightly) shorter for VRRP and for BGP sessions with multiple routers. In my opinion, there should at least be some room in the IPv6 standard for arbitrary prefix lengths for interconnects. -- Wilco
Attachment:
signature.asc
Description: OpenPGP digital signature