mattw3 (Member, join:2011-02-07)
[ipv6] IPv6, addressing schemes, and router-layer firewalls

Hi,

I'm doing some general research into how IPv6 is currently provisioned by various ISPs, so thought I'd ask you all some questions. As background, I work for a small firewall developer that is looking at supporting IPv6 (finally), so understanding how it's used in practice sheds a lot more light than all those RFCs.

1. For native IPv6 (no tunnel), what sort of prefix are you allocated? I.e. do you get a combination of a /64 for the WAN and a /48 DHCPv6-PD/delegated prefix for your LANs? Or do you only get a single /64?

2. If you are assigned a dynamic prefix, how do you deal with security? Assume not all your PCs have an IPv6 firewall, so you need to firewall at the edge router. In particular:
a) Let's say you want to stop the kids' computers from using IRC, so you want to block tcp-6667 for their machines, but keep access for yours. Can you do that now? Do you force your machines to have static IPs/EUI-64 rather than dynamic "privacy-extension" IPs?
b) Let's say you want to host a small web site, and use a dynamic DNS client (to keep the DNS entry pointing to the correct IP). You need to open up inbound tcp-80 traffic to just your webserver and nothing else. Can you do that now? If so, how do you deal with your server's IPv6 address changing over time?

3. Probably not many/any are doing this, but if you have multiple sites on IPv6 linked over VPNs, what addressing scheme are you using for all the LANs on each site: Do you just use the IPv6 global prefixes assigned by the ISP, or do you use Unique Local Addresses (ULA)?

4. Is there something missing from your router's IPv6 support (aside from NAT) that you really wish it had?

Thanks for your time.
quesix (Member, join:2005-12-19, Cary, IL; ARRIS SB6141, Cisco 2851, Asus RT-AC66)

Re: [ipv6] IPv6, addressing schemes, and router-layer firewalls


1. Currently WANs usually get a single /128 address in their own /64 or a shared /64, while LANs are /64, /60 or /56 depending on the provider, by DHCPv6 or static.
(A DHCP hint may be required to get a >/64 block.)

2. Yes, if the customer wants IPv4-style NAT security the firewall will need to be on the edge router/firewall; I use Cisco routers myself with the IOS inspect firewall.
(I would look at how this is implemented.)
a) Privacy extensions would have to be turned off, or use a static address on the admin host to allow those outbound and block the rest with an outbound ACL on the LAN interface.
b) Even without turning off privacy extensions, the host will still have a static IPv6 suffix based on its MAC address for INBOUND connections,
since the privacy addresses get used for outbound, not inbound, connections.

3. VPNs typically only support IPv4 or IPv6... so I use IPv4. In theory, for additional security, ULA FD00::/16 addresses can be used when IPv4 is disabled,
but those need to be set statically on hosts along with the gateway route, because you will need a global prefix for 2000::/3 routing,
which means it's not likely to be used in small businesses. IPv4 for internal use may be around for another 50 years, unless Linux/Microsoft drop it.
If you can get the VPN to do both, more power to you, and encrypt public IP traffic.

4. I wish Cisco ASA firewalls did DHCPv6 and DHCP-PD, but since I switched to an EoL 2851 Cisco router with 15.1 code it does just about everything.

The firewall should be the edge device for an Ethernet-based connection.
If used with a router, the router would need to have DHCP-PD support and get >/64 from the ISP (currently getting one /64 from Comcast myself).
Then the firewall would be static, with a static route in the router, which also needs to be user managed; many are ISP managed.

WAN should support PPPoE/SLAAC/DHCPv6 and static.
LAN should support DHCP-PD and static.
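The two firewall cases in this answer (2a, blocking outbound tcp-6667 for one host, and 2b, allowing inbound tcp-80 to one host) both hinge on which address a host actually uses. The following is an added example, not code from this thread or from any vendor: it derives the stable modified-EUI-64 SLAAC address from a MAC (RFC 4291), generates a privacy-style temporary address in the same /64 (a constructed stand-in for the RFC 4941 generator, not the kernel's algorithm), and runs a tiny first-match rule evaluator over both. The MACs, the 2001:db8::/32 documentation prefix and the host names are constructed sample values. It shows the point the answer makes: an outbound rule keyed on the EUI-64 address does not see traffic from the temporary address, while an inbound rule keyed on the EUI-64 address keeps working because inbound connections target the stable address; regenerating the rules from MACs when the ISP prefix changes keeps them valid.

```python
import ipaddress
import os


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC, insert
    0xFFFE in the middle, and flip the universal/local bit (0x02, first octet)."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable SLAAC address a host forms from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def temporary_address(prefix: str, rng=os.urandom) -> ipaddress.IPv6Address:
    """Privacy-extension style address: same /64, random 64-bit interface ID
    with the universal/local bit cleared. Constructed stand-in, not RFC 4941's
    exact generator; `rng` is injectable so tests can make it deterministic."""
    net = ipaddress.IPv6Network(prefix)
    iid = int.from_bytes(rng(8), "big") & ~(1 << 57)   # bit 57 == 0x02 of octet 0
    return ipaddress.IPv6Address(int(net.network_address) | iid)


# LAN hosts keyed by MAC: the MAC, not the address, is the policy identity.
# Constructed sample values.
HOSTS = {"kids-pc": "00:11:22:33:44:55", "webserver": "00:11:22:aa:bb:cc"}


def build_rules(prefix: str) -> list:
    """Edge-router policy for the current /64. Rebuild whenever the ISP hands
    out a new prefix; rules are (direction, action, src/dst address, port).
    None in a field matches anything."""
    kids = slaac_address(prefix, HOSTS["kids-pc"])
    web = slaac_address(prefix, HOSTS["webserver"])
    return [
        ("out", "drop", kids, 6667),   # 2a: no IRC from the kids' machine
        ("in", "allow", web, 80),      # 2b: HTTP only to the web server
        ("in", "drop", None, None),    # default-deny everything else inbound
    ]


def evaluate(rules, direction: str, host_addr: ipaddress.IPv6Address, port: int) -> str:
    """First matching rule wins. Outbound traffic not matched by a rule is
    allowed, which is how the outbound ACL in the answer is intended to work."""
    for rdir, action, addr, rport in rules:
        if rdir != direction:
            continue
        if addr is not None and addr != host_addr:
            continue
        if rport is not None and rport != port:
            continue
        return action
    return "allow"


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"
    rules = build_rules(prefix)
    kids_stable = slaac_address(prefix, HOSTS["kids-pc"])
    kids_temp = temporary_address(prefix)
    print("stable   ", kids_stable, evaluate(rules, "out", kids_stable, 6667))
    print("temporary", kids_temp, evaluate(rules, "out", kids_temp, 6667))
```

The last two lines of the demo print `drop` for the stable address and `allow` for the temporary one, which is exactly why the answer says privacy extensions have to be off (or the host pinned to a static address) before a per-host outbound block is reliable. Inbound rules do not have that problem, because a host that is listening publishes its stable address in DNS and receives connections on it.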
mattw3 (Member, join:2011-02-07)

Thanks, this is great.

I had not noticed that the privacy addresses are in addition to the EUI-64s; that does make inbound life easier, doesn't it?

Is your particular ISP, Comcast, only giving out a single /64 for LANs? Do you know if they'll provide more if you request it explicitly from them, or will the DHCP hint suffice?
quesix (Member, join:2005-12-19, Cary, IL) to mattw3

Current assignments are /64 from Comcast, with /60s being phased in over time, I believe, because some device had issues with /60. Your DHCP-PD code should be ready to handle any size from /64 up to /48 in 1-bit increments.

I forgot to mention that some ISPs are doing 6RD tunneling; you'll need that as well for the most complete support (AT&T and Charter, I think). With 6RD, the IPv4 address of the WAN plus the ISP prefix (which needs to be set up by the user in third-party devices, if not using the all-in-one from AT&T/Charter) determines the IPv6 addresses available for the LAN, usually a /60.
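The 6RD mapping described here (WAN IPv4 address plus the ISP's 6rd prefix determines the LAN prefix) is mechanical enough to compute. The following is an added example, not code from this thread or from any router vendor: it applies the RFC 5969 rule that the delegated prefix is the 6rd prefix followed by the WAN IPv4 address with its first IPv4MaskLen bits removed, and the inverse, recovering the IPv4 tunnel endpoint embedded in a 6rd destination address for traffic that stays inside the same 6rd domain. The 6rd prefix (2001:db8::/32), IPv4MaskLen of 4 and the 203.0.113.7 WAN address are constructed documentation values, chosen so the result is a /60 as the post says; a real ISP's 6rd prefix and mask length come from its provisioning, not from here.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int,
                           wan_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 5969 section 7.1.1: delegated prefix = 6rdPrefix || (WAN IPv4 with the
    high IPv4MaskLen bits dropped). Its length is 6rdPrefixLen + 32 - IPv4MaskLen.
    The constructed example values here give /32 + 28 = /60."""
    domain = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be between 0 and 32")
    kept = 32 - ipv4_mask_len
    plen = domain.prefixlen + kept
    if plen > 64:
        raise ValueError(f"/{plen} delegated prefix leaves no room for a LAN /64")
    suffix = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << kept) - 1)
    addr = int(domain.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((addr, plen))


def embedded_ipv4(sixrd_prefix: str, ipv4_mask_len: int, ipv6_addr: str,
                  own_wan_ipv4: str) -> ipaddress.IPv4Address:
    """Inverse mapping used for CE-to-CE traffic inside the same 6rd domain:
    pull the kept IPv4 bits back out of the destination and prepend the common
    high bits, which every CE in the domain shares with its own WAN address.
    Destinations outside the 6rd prefix are not 6rd peers; they go via the BR."""
    domain = ipaddress.IPv6Network(sixrd_prefix)
    dst = ipaddress.IPv6Address(ipv6_addr)
    if dst not in domain:
        raise ValueError(f"{dst} is outside {domain}; route it to the border relay")
    kept = 32 - ipv4_mask_len
    plen = domain.prefixlen + kept
    low = (int(dst) >> (128 - plen)) & ((1 << kept) - 1)
    high = int(ipaddress.IPv4Address(own_wan_ipv4)) & ~((1 << kept) - 1) & 0xFFFFFFFF
    return ipaddress.IPv4Address(high | low)


if __name__ == "__main__":
    # Constructed example domain: 2001:db8::/32 with IPv4MaskLen 4, WAN 203.0.113.7.
    pd = sixrd_delegated_prefix("2001:db8::/32", 4, "203.0.113.7")
    print("delegated:", pd)
    print("peer v4  :", embedded_ipv4("2001:db8::/32", 4, "2001:db8:b007:1075::1", "203.0.113.7"))
```

The practical consequence for a firewall is the one the post hints at: with a 6rd domain the LAN prefix moves whenever the WAN IPv4 address moves, so any rule written against a literal LAN address has to be regenerated from the new delegated prefix rather than stored once.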

leibold (MVM, join:2002-07-09, Sunnyvale, CA)

1-bit increments are very unlikely to occur in real life. In order to delegate DNS, IPv6 prefix assignments will be on 4-bit (1 hex digit) boundaries.
quesix (Member, join:2005-12-19, Cary, IL) to mattw3

While it's true 4-bit makes things easier, some small ISPs might use ::/63 or ::/61 subnets even... they are perfectly valid DHCP-PD prefixes; it's not like Comcast is delegating DNS for the ::/64 and ::/60 ones anyway.

NetDog (Premium Member, join:2002-03-04, Hollywood, FL) to quesix

said by quesix:

current assignments are /64 from comcast, with /60s being phased in i believe over time, because some device had issues with /60.

Comcast has re-enabled /60 IA_PD requests in most areas.
mattw3 (Member, join:2011-02-07)

said by NetDog:

Comcast has re-enabled /60 IA_PD requests in most areas.

That's good to know. Anything less is quite stingy really (VoIP VLAN, house wifi, guest wifi, DMZ; it all starts to add up).
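Carving a delegated prefix into per-VLAN /64s, and checking the two constraints raised earlier in the thread (a DHCP-PD client must accept any length from /48 to /64, and only nibble-aligned prefixes can have an ip6.arpa zone delegated), is a small planning job. The following is an added example, not code from this thread or from any router firmware; the VLAN names and the 2001:db8:1:f0::/60 documentation prefix are constructed sample values. It accepts odd lengths such as /61 or /63 as valid PD sizes while reporting that they cannot be given a reverse zone, which is the position both posters arrive at.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample VLAN list, roughly the one described above.
VLANS = ["voip", "house-wifi", "guest-wifi", "dmz", "servers"]


def lan_count(delegated: str) -> int:
    """How many /64 LANs a delegated prefix between /48 and /64 yields.
    Any length in that range is accepted, in 1-bit steps."""
    pd = ipaddress.IPv6Network(delegated)
    if not 48 <= pd.prefixlen <= 64:
        raise ValueError(f"{pd} is not a delegated prefix between /48 and /64")
    return 2 ** (64 - pd.prefixlen)


def plan_lans(delegated: str, vlans: List[str]) -> Dict[str, ipaddress.IPv6Network]:
    """Assign one /64 per VLAN, in order, from the delegated prefix. Fails
    loudly when the ISP's delegation is too small for the VLAN count instead
    of silently sharing a /64 between segments."""
    pd = ipaddress.IPv6Network(delegated)
    available = lan_count(delegated)
    if len(vlans) > available:
        raise ValueError(f"{pd} only yields {available} /64s, need {len(vlans)}")
    subnets = iter([pd]) if pd.prefixlen == 64 else pd.subnets(new_prefix=64)
    return {name: next(subnets) for name in vlans}


def reverse_zone(delegated: str) -> Optional[str]:
    """The ip6.arpa zone that could be delegated for this prefix. Reverse DNS
    delegation works per hex digit, so only prefix lengths that are multiples
    of 4 have a clean zone; others return None."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen % 4:
        return None
    nibbles = pd.network_address.exploded.replace(":", "")[: pd.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    for pfx in ("2001:db8:1:f0::/60", "2001:db8:1:f8::/61", "2001:db8:1::/64"):
        print(pfx, "->", lan_count(pfx), "LANs, reverse zone:", reverse_zone(pfx))
    for name, net in plan_lans("2001:db8:1:f0::/60", VLANS).items():
        print(f"{name:12} {net}")
```

Run as-is it prints the /64 per VLAN for a /60 and shows that the /61 still yields eight usable LANs while having no delegable reverse zone. Keying the plan on the VLAN name rather than a literal prefix is what lets it be re-run unchanged when the delegation moves from a /64 to a /60.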

NetDog (Premium Member, join:2002-03-04, Hollywood, FL)

said by mattw3:

said by NetDog:

Comcast has re-enabled /60 IA_PD requests in most areas.

That's good to know. Anything less is quite stingy really (VoIP VLAN, house wifi, guest wifi, DMZ; it all starts to add up).

Oh, agreed; I have 5 VLANs in my house. Res get up to a /60 and Biz get a /56.