Reviews:
 ·TekSavvy DSL
1 edit | reply to brad
Re: IPv6 beta said by brad:said by SimplePanda:Why they give a /56 for the LAN side I don't understand though.
So that customers can have more than one segment on the LAN side. /56's are cheap. said by SimplePanda:Realistically all you really need is a /64 for the WAN interface and a /64 for the LAN. I'm happy having the /56 but it seems like the plentiful nature of v6 addresses has ISP's giving out insane numbers of them to customers.
Straight up auto configuration with DHCPv6 only ever assigns on the first /64 of the assigned /56 (without specific configuration otherwise) so the vast majority of people will never use more than a /64 anyways.
There's nothing insane about it. A /64 on the LAN side assumes only a single segment. /60's would probably be better but /56's are fine as well. Not really sure I can imagine the end-user scenario for 99.99% of residential customers where multiple subnets are required... and realistically this won't change anytime soon. Even as people add devices to their LAN most people don't even consider what IP is never mind bothering to neatly segment their network.
Perhaps 'insane' is the wrong word. "Unnecessary in almost all situations" is probably a better description. |
|
brad
join:2007-09-06
Etobicoke, ON
1 edit | said by SimplePanda:Not really sure I can imagine the end-user scenario for 99.99% of residential customers where multiple subnets are required... and realistically this won't change anytime soon. Even as people add devices to their LAN most people don't even consider what IP is never mind bothering to neatly segment their network.
Perhaps 'insane' is the wring word. "Unnecessary in almost all situations" is probably a better description.
The 99.99% is exaggerated and they still need to cover users who need the address space. One size allocation though could cover everyones needs though with a /60 or even a /56 is fine too. There are more than 0.01% users using the v6 beta service now would require greater than one /64 never mind when they rollout to their whole customer base. Makes it easier for TSI and the users. |
|
Reviews:
·TekSavvy DSL
1 edit | said by brad:said by SimplePanda:Not really sure I can imagine the end-user scenario for 99.99% of residential customers where multiple subnets are required... and realistically this won't change anytime soon. Even as people add devices to their LAN most people don't even consider what IP is never mind bothering to neatly segment their network.
Perhaps 'insane' is the wring word. "Unnecessary in almost all situations" is probably a better description.
The 99.99% is exaggerated and they still need to cover users who need the address space. One size allocation though could cover everyones needs though with a /60 or even a /56 is fine too. There are more than 0.01% users using the v6 beta service now would require greater than one /64 never mind when they rollout to their whole customer base. Makes it easier for TSI and the users. I was really more trying to say "the vast majority". There aren't many residential DSL customers in the customer base at large who "require" 256 subnets (or even 16).
I'd also suggest that rolling it out to the whole customer base will decrease the percentage of people who need more than a single /64, rather than increase it. People who want multiple subnets are likely already in the beta.
I suppose it's all moot in that TSI -can- hand out /56's en masse if they so choose. It just seems like wasteful overallocation to me. |
|
| said by SimplePanda:It just seems like wasteful overallocation to me.
It's a gross overallocation for the way we consume the internet *at present*. Can you really safely say the same for 15 years from now? Sure, you only have a few computers at home, but once integration is better and the internet embeds itself ever deeper into your house, it's going to change. A subnet for all my lighting fixtures makes sense, for instance.
Also, what if the one-IP-per-device template we use right now starts to break down? Lots of communication within a device happens over the loopback interface, I wouldn't be surprised to find that as different devices within the home need to talk to each other that they don't just start giving IPs to parts of devices. The DAC in your home audio system will have it's own IP, and your remote can talk directly to just that component.
With IPs no longer a constraining resource, I'm interested to see some true innovation in networking in the home. |
|
Reviews:
 ·linode
| said by Mersault:I wouldn't be surprised to find that as different devices within the home need to talk to each other that they don't just start giving IPs to parts of devices. But that's what fe80::/10 is for... |
|
rev
join:2011-12-14
Toronto, ON | said by squircle:But that's what fe80::/10 is for...
»tools.ietf.org/html/rfc3879
"Deprecating Site Local Addresses"
Heard there was a vote recently (jan 2012) that was in favour of it, I read it in passing and am too lazy to get a citation, so grain of salt please.
I for one, do not want my smart shelves on a site-local address. |
|
Reviews:
·linode
| said by rev:said by squircle:But that's what fe80::/10 is for...
» tools.ietf.org/html/rfc3879"Deprecating Site Local Addresses" Heard there was a vote recently (jan 2012) that was in favour of it, I read it in passing and am too lazy to get a citation, so grain of salt please. I for one, do not want my smart shelves on a site-local address. You're right, however, RFC4291 (section 2.5.6) requires IPv6 devices to have link-local addresses. So you'd see why I'd propose that. If you have smart-home stuff (for example), there's no reason why they need globally-routable IPv6 addresses (and, really, I'd prefer my lights and security system etc. not to be globally accessible, but rather from a home automation controller with some authentication that is globally accessible). Just my opinion. |
|
| Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure. |
|
Reviews:
·linode
| Well, I'm not trying to say it's for security, but I don't really want to argue. I know it's an IPv4 mindset, but do things that will never communicate outside of the LAN really need globally-routable IP addresses?
I'll shut up now.  |
|
| reply to Mersault
said by Mersault:Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.
Are you talking about a firewall on the router between the WAN and LAN, or individual FWs on each device? |
|
| said by theboyk:said by Mersault:Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.
Are you talking about a firewall on the router between the WAN and LAN, or individual FWs on each device? Yes. |
|
| Yes, to both? |
|
| What's important is that you have a wall between the source of possible trouble and the destination where you don't want said trouble. One wall, two walls, where the wall is, doesn't matter.
The router is a choke point between you and the internet. So if you absolutely trust everything on your LAN side (including possibly weak WiFi) then a firewall on your router is going to be just as good as a firewall on each device. This is no different than IPv4. |
|
| I'm more thinking of work where I have 40+ computers, 5 servers, 4 printers, etc. and right now I trust my Cisco (enterprise class) security device for that wall. And I'm just trying to figure out how to deal with IPv6 where all of these devices have accessible IPs. Don't want to manage firewalls on all the computers, and some devices, that wouldnt even be possible. Just starting to look into this whole thing, so lots to learn... |
|
|
|
| Well, it's pretty simple. Block everything. Then, selectively open for only the traffic you know you want. The difference between a default-deny firewall and NAT - for security purposes - is nil. And I would argue that the firewall is superior in that it forces you to at least think about it and consider it. |
|
| Hey Folks
Great discussion here, I especially appreciated "roast's" July 2011 post on Cisco config. Where and how do I request my IPv6 user credentials, when I signed up and asked for IPv6 I was given one PPPoE user name and password (an @dslinternet.ca) and only a /64 IPv6 address. It appears I require an hsiservice account and my /56 still.
I understand this is a beta so didn't expect them to have the details - just need to know where I should be asking ?
Thanks
Steve |
|
| TSI Joel set me up, thanks, I'm good to go
Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5
Thanks
Steve |
|
brad
join:2007-09-06
Etobicoke, ON | said by scbenoit:Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5
I'd check for any newer firmware for the equipment mentioned above. |
|
| reply to scbenoit
said by scbenoit:Now to test my rtr's and cfgs - Cisco 1841 I'd be interested in hearing how this goes. What are the details on your 1841? What IOS are you running, etc.?
I'm going to need to upgrade my 1841, which I haven't been super happy with, to support IPv6 and just trying to decide if I'm going to upgrade it or go with another security device (been thinking about switching back to a SonicWALL, but that's another story). |
|
| reply to scbenoit
said by scbenoit:TSI Joel set me up, thanks, I'm good to go
Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5
Thanks
Steve
I've been pretty happy with my 1841 WIC1-ADSL setup. Very stable. Just wish I had an HWIC so I could get the higher DSL packages when they hit my area.
--
Matt |
|
