This is a sub-selection from IPv6 beta

34764170

join:2007-09-06
Etobicoke, ON
reply to SimplePanda

Re: IPv6 beta

said by SimplePanda:

Why they give a /56 for the LAN side I don't understand though.

So that customers can have more than one segment on the LAN side. /56's are cheap.

said by SimplePanda:

Realistically all you really need is a /64 for the WAN interface and a /64 for the LAN. I'm happy having the /56 but it seems like the plentiful nature of v6 addresses has ISPs giving out insane numbers of them to customers.

Straight up auto configuration with DHCPv6 only ever assigns on the first /64 of the assigned /56 (without specific configuration otherwise) so the vast majority of people will never use more than a /64 anyways.

There's nothing insane about it. A /64 on the LAN side assumes only a single segment. /60's would probably be better but /56's are fine as well.


Mersault

join:2007-10-26
Toronto, ON

I think there was some suggestion in one of the RFCs that residential customers should get a /56 and commercial accounts should get a /48. Or some sort of industry de facto type standard. Anyway, that seems to be how it's shaking out.

Technically, you don't need a /64 on the WAN side, either. I've brought up my TekSavvy link using the /64 for my LAN, and using the link-local addresses for the WAN gateway. Works fine. Just means that if you want to remotely log into your router, you're technically going through the WAN to the LAN to log in. I think the /64 on the WAN side is really just an artifact of IPv4 thinking. But they're cheap, and if it makes people feel more comfortable about the deployment, then it's worthwhile.



squircle

join:2009-06-23
Oakville, ON

1 edit

said by Mersault:

I think there was some suggestion in one of the RFCs that residential customers should get a /56 and commercial accounts should get a /48. Or some sort of industry de facto type standard. Anyway, that seems to be how it's shaking out.

That's RFC6177. It clearly states something that simultaneously proves and disproves my point:

"This document moves away from the previous recommendation that a single default assignment size (e.g., a /48) makes sense for all end sites in the general case. End sites come in different shapes and sizes, and a one-size-fits-all approach is not necessary or appropriate."

The rest of the RFC seems to suggest that, although it's not one-size-fits-all, it should be between (& not including) /64 and /48. So there's nothing wrong here, I guess. Personally, I don't see the need for anything as big as a /56, but I guess some people will have a use for it.

I guess what I'm still wondering is why there are two separate subnets, and why there can't just be one /56 or one /64 (or one /whatever) (things my CCNA didn't teach me).


Mersault

join:2007-10-26
Toronto, ON

said by squircle:

I guess what I'm still wondering is why there are two separate subnets, and why there can't just be one /56 or one /64 (or one /whatever) (things my CCNA didn't teach me).

I think it probably just has to do with the way the PPPoE service works with TekSavvy. I recall configuring a PPPoE daemon, and basically you assign an address to an endpoint (in the IPv6 world, this is a /64), and then you would separately assign any routes that you wanted to route in addition. Hence in the IPv4 world you get a static IP, and then a completely different /29, if you order them from TekSavvy. Same general deal with IPv6 (this is conjecture, but it's what I suspect).


Mersault

join:2007-10-26
Toronto, ON
reply to squircle

Also, check out this news from Google.


34764170

join:2007-09-06
Etobicoke, ON

»www.worldipv6launch.org/

Google properties, Facebook, the remaining Microsoft properties, Yahoo, Cisco to name a few. Akamai, Limelight and a few other CDNs going full v6 production was/is a blocker for thousands of other sites going v6. This will help to push IPv6 much further along having so many large sites with AAAA records and no whitelisting games or special URLs.

IMO this should be a challenge for TSI to be much further along by June 6th. Have full production v6 for both ON/QC and AB/BC DSL customers by then. There is no shortage of CPE gear from D-Link/Netgear/Linksys and some other vendors as well as third-party firmware options to allow for v6 over DSL.


34764170

join:2007-09-06
Etobicoke, ON
reply to squircle

said by squircle:

Personally, I don't see the need for anything as big as a /56, but I guess some people will have a use for it.

A /60 for consumer connections which allows for up to 16 /64's would be a good default, maybe allow for an opt-in for a /56. Business connections are good with a /56 by default and opt-in for a /48.


SimplePanda
Go Habs Go
Premium
join:2003-09-22
Toronto, ON
Reviews:
·TekSavvy DSL

1 edit
reply to 34764170

said by 34764170:

said by SimplePanda:

Why they give a /56 for the LAN side I don't understand though.

So that customers can have more than one segment on the LAN side. /56's are cheap.

said by SimplePanda:

Realistically all you really need is a /64 for the WAN interface and a /64 for the LAN. I'm happy having the /56 but it seems like the plentiful nature of v6 addresses has ISPs giving out insane numbers of them to customers.

Straight up auto configuration with DHCPv6 only ever assigns on the first /64 of the assigned /56 (without specific configuration otherwise) so the vast majority of people will never use more than a /64 anyways.

There's nothing insane about it. A /64 on the LAN side assumes only a single segment. /60's would probably be better but /56's are fine as well.

Not really sure I can imagine the end-user scenario for 99.99% of residential customers where multiple subnets are required... and realistically this won't change anytime soon. Even as people add devices to their LAN most people don't even consider what IP is never mind bothering to neatly segment their network.

Perhaps 'insane' is the wrong word. "Unnecessary in almost all situations" is probably a better description.

34764170

join:2007-09-06
Etobicoke, ON

1 edit

said by SimplePanda:

Not really sure I can imagine the end-user scenario for 99.99% of residential customers where multiple subnets are required... and realistically this won't change anytime soon. Even as people add devices to their LAN most people don't even consider what IP is never mind bothering to neatly segment their network.

Perhaps 'insane' is the wrong word. "Unnecessary in almost all situations" is probably a better description.

The 99.99% is exaggerated and they still need to cover users who need the address space. One size allocation though could cover everyone's needs though with a /60 or even a /56 is fine too. There are more than 0.01% of users using the v6 beta service now who would require greater than one /64, never mind when they roll out to their whole customer base. Makes it easier for TSI and the users.


SimplePanda
Go Habs Go
Premium
join:2003-09-22
Toronto, ON
Reviews:
·TekSavvy DSL

1 edit

said by 34764170:

said by SimplePanda:

Not really sure I can imagine the end-user scenario for 99.99% of residential customers where multiple subnets are required... and realistically this won't change anytime soon. Even as people add devices to their LAN most people don't even consider what IP is never mind bothering to neatly segment their network.

Perhaps 'insane' is the wrong word. "Unnecessary in almost all situations" is probably a better description.

The 99.99% is exaggerated and they still need to cover users who need the address space. One size allocation though could cover everyone's needs though with a /60 or even a /56 is fine too. There are more than 0.01% of users using the v6 beta service now who would require greater than one /64, never mind when they roll out to their whole customer base. Makes it easier for TSI and the users.

I was really more trying to say "the vast majority". There aren't many residential DSL customers in the customer base at large who "require" 256 subnets (or even 16).

I'd also suggest that rolling it out to the whole customer base will decrease the percentage of people who need more than a single /64, rather than increase it. People who want multiple subnets are likely already in the beta.

I suppose it's all moot in that TSI -can- hand out /56's en masse if they so choose. It just seems like wasteful overallocation to me.


Mersault

join:2007-10-26
Toronto, ON

said by SimplePanda:

It just seems like wasteful overallocation to me.

It's a gross overallocation for the way we consume the internet *at present*. Can you really safely say the same for 15 years from now? Sure, you only have a few computers at home, but once integration is better and the internet embeds itself ever deeper into your house, it's going to change. A subnet for all my lighting fixtures makes sense, for instance.

Also, what if the one-IP-per-device template we use right now starts to break down? Lots of communication within a device happens over the loopback interface, I wouldn't be surprised to find that as different devices within the home need to talk to each other that they don't just start giving IPs to parts of devices. The DAC in your home audio system will have its own IP, and your remote can talk directly to just that component.

With IPs no longer a constraining resource, I'm interested to see some true innovation in networking in the home.


squircle

join:2009-06-23
Oakville, ON

said by Mersault:

I wouldn't be surprised to find that as different devices within the home need to talk to each other that they don't just start giving IPs to parts of devices.

But that's what fe80::/10 is for...

rev

join:2011-12-14
Toronto, ON

said by squircle:

But that's what fe80::/10 is for...

»tools.ietf.org/html/rfc3879
"Deprecating Site Local Addresses"

Heard there was a vote recently (Jan 2012) that was in favour of it, I read it in passing and am too lazy to get a citation, so grain of salt please.

I for one, do not want my smart shelves on a site-local address.


squircle

join:2009-06-23
Oakville, ON

said by rev:

said by squircle:

But that's what fe80::/10 is for...

»tools.ietf.org/html/rfc3879
"Deprecating Site Local Addresses"

Heard there was a vote recently (Jan 2012) that was in favour of it, I read it in passing and am too lazy to get a citation, so grain of salt please.

I for one, do not want my smart shelves on a site-local address.

You're right, however, RFC4291 (section 2.5.6) requires IPv6 devices to have link-local addresses. So you'd see why I'd propose that. If you have smart-home stuff (for example), there's no reason why they need globally-routable IPv6 addresses (and, really, I'd prefer my lights and security system etc. not to be globally accessible, but rather from a home automation controller with some authentication that is globally accessible). Just my opinion.


Mersault

join:2007-10-26
Toronto, ON

Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.



squircle

join:2009-06-23
Oakville, ON

Well, I'm not trying to say it's for security, but I don't really want to argue. I know it's an IPv4 mindset, but do things that will never communicate outside of the LAN really need globally-routable IP addresses?

I'll shut up now.



theboyk

join:2004-10-04
Toronto, ON
reply to Mersault

said by Mersault:

Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.

Are you talking about a firewall on the router between the WAN and LAN, or individual FWs on each device?


Mersault

join:2007-10-26
Toronto, ON

said by theboyk:

said by Mersault:

Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.

Are you talking about a firewall on the router between the WAN and LAN, or individual FWs on each device?

Yes.


theboyk

join:2004-10-04
Toronto, ON

Yes, to both?


mactalla

join:2008-02-19
kudos:1

What's important is that you have a wall between the source of possible trouble and the destination where you don't want said trouble. One wall, two walls, where the wall is, doesn't matter.

The router is a choke point between you and the internet. So if you absolutely trust everything on your LAN side (including possibly weak WiFi) then a firewall on your router is going to be just as good as a firewall on each device. This is no different than IPv4.



theboyk

join:2004-10-04
Toronto, ON

I'm more thinking of work where I have 40+ computers, 5 servers, 4 printers, etc. and right now I trust my Cisco (enterprise class) security device for that wall. And I'm just trying to figure out how to deal with IPv6 where all of these devices have accessible IPs. Don't want to manage firewalls on all the computers, and some devices, that wouldn't even be possible. Just starting to look into this whole thing, so lots to learn...



Mersault

join:2007-10-26
Toronto, ON

Well, it's pretty simple. Block everything. Then, selectively open for only the traffic you know you want. The difference between a default-deny firewall and NAT - for security purposes - is nil. And I would argue that the firewall is superior in that it forces you to at least think about it and consider it.
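
A small Python model of the two points argued in this thread, a /56 carved into one /64 per LAN segment and a router that default-denies unsolicited inbound traffic to globally addressed hosts. It is an added example, not code from any poster or from TekSavvy; the documentation prefix, the segment names and the single pinhole are constructed for illustration.

```python
import ipaddress

# Constructed sample: a /56 from the documentation range, standing in for an ISP delegation.
DELEGATED = ipaddress.ip_network("2001:db8:ab00::/56")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def carve(prefix, names):
    """Give each named LAN segment its own /64 out of the delegated prefix."""
    subnets = prefix.subnets(new_prefix=64)
    return {name: next(subnets) for name in names}

# Hypothetical segment names; four of the 256 available /64s are used.
SEGMENTS = carve(DELEGATED, ["lan", "guest", "iot", "servers"])

# The only unsolicited inbound traffic allowed: HTTPS to one host on "servers".
PINHOLES = {(ipaddress.ip_address("2001:db8:ab00:3::25"), "tcp", 443)}

def segment_of(addr):
    """Return the name of the segment holding addr, or None if no segment does."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def inbound_decision(dst, proto, dport, established=False):
    """Decide what the router does with a packet arriving on the WAN side."""
    dst = ipaddress.ip_address(dst)
    if dst in LINK_LOCAL:
        return "drop: link-local is never forwarded"
    if dst not in DELEGATED:
        return "drop: not our prefix"
    if established:
        # Stateful rule: replies to flows that a LAN host opened are let back in.
        return "accept: reply to a flow started inside"
    if (dst, proto, dport) in PINHOLES:
        return f"accept: pinhole on {segment_of(dst)}"
    # Everything else is dropped, even though the host has a global address.
    return f"drop: default deny ({segment_of(dst) or 'unassigned /64'})"
```

Every host in the /56 is globally routable, yet only the one pinhole is reachable from outside; the exposure is set by the rule table, not by the address type.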


scbenoit

join:2012-01-28
Barrie, ON

Hey Folks

Great discussion here, I especially appreciated "roast's" July 2011 post on Cisco config. Where and how do I request my IPv6 user credentials, when I signed up and asked for IPv6 I was given one PPPoE user name and password (an @dslinternet.ca) and only a /64 IPv6 address. It appears I require an hsiservice account and my /56 still.

I understand this is a beta so didn't expect them to have the details - just need to know where I should be asking ?

Thanks

Steve


scbenoit

join:2012-01-28
Barrie, ON

TSI Joel set me up, thanks, I'm good to go

Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5

Thanks

Steve


34764170

join:2007-09-06
Etobicoke, ON

said by scbenoit:

Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5

I'd check for any newer firmware for the equipment mentioned above.


theboyk

join:2004-10-04
Toronto, ON
reply to scbenoit

said by scbenoit:

Now to test my rtr's and cfgs - Cisco 1841

I'd be interested in hearing how this goes. What are the details on your 1841? What IOS are you running, etc.?

I'm going to need to upgrade my 1841, which I haven't been super happy with, to support IPv6 and just trying to decide if I'm going to upgrade it or go with another security device (been thinking about switching back to a SonicWALL, but that's another story).

mattvmotas
Premium
join:2010-09-04
Amherstburg, ON
reply to scbenoit

said by scbenoit:

TSI Joel set me up, thanks, I'm good to go

Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5

Thanks

Steve

I've been pretty happy with my 1841 WIC1-ADSL setup. Very stable. Just wish I had an HWIC so I could get the higher DSL packages when they hit my area.
--
Matt


TSI Gabe
Premium,VIP
join:2007-01-03
Chatham, ON
kudos:7

I've looked at getting HWICs as well for at home. But they are so damn expensive. Can't justify spending 500$ per card for home use...



theboyk

join:2004-10-04
Toronto, ON

So, I put in a new (old) router last night (at home) - a D-Link DIR825 - and it seems to be running IPv6 quite well. It lacks an IPv6 firewall, so going to have to upgrade eventually, but for now, for testing, it's doing the trick.

Anyway - when I run the test-ipv6 tests, I get 10/10 and 10/10, but, when I test something like ipv6test.google.com, it says "no problems", but under that, it says "you don't have ipv6, but you shouldn't have problems with sites that add ipv6 support".

Can anyone explain what this means?

Thanks,
Kristin.



SimplePanda
Go Habs Go
Premium
join:2003-09-22
Toronto, ON
Reviews:
·TekSavvy DSL

1 recommendation

Few things: Are you using a Mac? Latest Macs have basically broken IPv6 support. Apple would argue it's "working" in that IPv6 works and is rock solid, but the issue is how Apple chooses IPv6 vs IPv4 for connectivity. While the standard / accepted practice (in Windows 7 / Linux for example) is to favour IPv6 when present, Apple has chosen to implement a scheme whereby the first DNS record returned is the protocol used.

Second possibility: you're caching the IP from a previous lookup. Try flushing your DNS caches (router and computer) and try again.