Thread: Re: v6 subnet size for DSL & leased line customers

Re: v6 subnet size for DSL & leased line customers | United States | 2007-12-21 08:48:35

> > Why not a /48 for all? IPv6 address space is probably cheap enough that
> > even just the time cost of dealing with the occasional justification
> > for moving from a /56 to a /48 might be more expensive than just giving
> > everybody a /48 from the outset. Then there's the op-ex cost of
> > dealing with two end-site prefix lengths - not a big cost, but a
> > constant additional cost none the less.
>
> And let's not ignore the on-going cost of table-bloat. If you provide a
> /48 to everyone, in 5 years, those allocations may/may not look stupid.
>
> Right now, we might say "wow, 256 subnets for a single end-user...
> hogwash!" and in years to come, "wow, only 256 subnets... what were we
> thinking!?"

Well, what's the likelihood of the "only 256 subnets" problem?

Given that a "subnet" in the current model consists of a network that is
capable of swallowing the entire v4 Internet, and still being virtually
empty, it should be clear that *number of devices* will never be a serious
issue for any network, business or residential. You'll always be able to
get as many devices as you'd like connected to the Internet with v6. This
may ignore some /current/ practical issues that devices such as switches
may impose, but that doesn't make it any less true.

The question becomes, under what conditions would you need separate
"subnets". We have to remember that the answer to this question can be,
and probably should be, relatively different than it is under v4. Under
v4, subnet policies involved both network capacity and network number
availability. A small business with a /25 allocation might use a /26 and
a /27 for their office PC's, a /28 for a DMZ, and the last /28 for
miscellaneous stuff like a VPN concentrator, etc. The office PC /26 and
/27 would generally be on different switches, and the server would have
more than one gigE port to accommodate. To deal with higher bandwidth
users, you typically try to split up those users between the two networks.

Under a v6 model, it may be simpler and more convenient to have a single
PC network, with dual gigE LAG (or even 10G) to the switch(es). So I am
envisioning that separate networks primarily imposed due to numbering
reasons under v4 will most likely become single networks under v6.

The primary reasons I see for separate networks on v6 would include
firewall policy (DMZ, separate departmental networks, etc)...

And I'm having some trouble envisioning a residential end user that
honestly has a need for 256 networks with sufficiently different
policies. Or that a firewall device can't reasonably deal with those
policies even on a single network, since you mainly need to protect
devices from external access.

I keep coming to the conclusion that an end-user can be made to work on
a /64, even though a /56 is probably a better choice. I can't find the
rationale from the end-user's side to allocate a /48. I can maybe see
it if you want to justify it from the provider's side, the cost of dealing
with multiple prefix sizes.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

Re: v6 subnet size for DSL & leased line customers | United States | 2007-12-21 10:31:07

> The primary reasons I see for separate networks on v6 would include
> firewall policy (DMZ, separate departmental networks, etc)...
>

This is certainly one reason for such things.

> And I'm having some trouble envisioning a residential end user that
> honestly has a need for 256 networks with sufficiently different
> policies. Or that a firewall device can't reasonably deal with those
> policies even on a single network, since you mainly need to protect
> devices from external access.
>

Perhaps this is a lack of imagination.

Imagine that your ethernet->bluetooth gateway wants to treat the bluetooth
and ethernet segments as separate routed segments.

Now, imagine that some of your bluetooth connected devices have reasons
to have some topology behind them... For example, you have a master
appliance control center which connects via Bluetooth to your network,
but, uses a different household control bus network to talk to various
appliances. For security reasons, you've decided not to have your
kitchen appliances be able to talk to your media devices (Who wants
a virus in some downloaded movie to be able to change the temperature
in your refrigerator?).

> I keep coming to the conclusion that an end-user can be made to work on
> a /64, even though a /56 is probably a better choice. I can't find the
> rationale from the end-user's side to allocate a /48. I can maybe see
> it if you want to justify it from the provider's side, the cost of dealing
> with multiple prefix sizes.
>

I can easily envision the need for more than a /64 in the average home
within short order. If nothing else, the average home will probably
want to be able to accommodate:

Guest network
Home wired network
Wireless network(s)
Bluetooth segment(s)
Media network
Appliance Control network
Lighting Control network
etc.

However, I agree that in any vision I can come up with today, the need
for more than 256 is beyond my current imagination.

I think it makes sense to assign as follows:

/64 for the average current home user.
/56 for any home user that wants more than one subnet
/48 for any home user that can show need.

Owen

Re: v6 subnet size for DSL & leased line customers | United States | 2007-12-21 10:55:20

Once upon a time, Owen DeLong <owen delong.com> said:
> I think it makes sense to assign as follows:
>
> /64 for the average current home user.
> /56 for any home user that wants more than one subnet
> /48 for any home user that can show need.

Dumb question alert: why the 8 bit boundary? That makes sense for IPv4,
where reverse DNS delegation is cumbersome on non-octet boundaries, but
IPv6 reverse DNS can be delegated at the nibble boundary. Why not
assign /60, /52, etc.? A /60 would probably satisfy virtually all home
users (up to 16 subnets) for example.

--
Chris Adams <cmadams hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Re: v6 subnet size for DSL & leased line customers | United States | 2007-12-21 11:20:41

Once upon a time, TJ <trejrco tjevans.net> said:
> Short answer - no spec for it.
> ARIN breaks it at /56, as a nod towards maybe a /48 for everyone is
> a bit much.

On ARIN's site:

The following guidelines may be useful (but they are only guidelines):

* /64 when it is known that one and only one subnet is needed
* /56 for small sites, those expected to need only a few subnets
  over the next 5 years.
* /48 for larger sites

For end sites to whom reverse DNS will be delegated, the LIR/ISP should
consider making an assignment on a nibble (4-bit) boundary to simplify
reverse lookup delegation.

So, the guidelines are on 8 bit boundaries, but then right below they
also suggest making assignments on 4 bit boundaries (and it is all "only
guidelines").

--
Chris Adams <cmadams hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
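
The nibble-boundary point in the two messages above, as an added example that is not part of the original thread: it derives the ip6.arpa zone(s) an ISP would have to delegate for an end-site assignment and counts the /64 subnets inside it. The prefixes are constructed samples from the 2001:db8::/32 documentation range, and the function names are illustrative.

```python
import ipaddress

def reverse_zones(prefix: str) -> list[str]:
    """Return the ip6.arpa zone(s) that must be delegated to cover `prefix`.

    A prefix on a nibble (4-bit) boundary maps to exactly one zone; any
    other length needs one zone per value of the partly fixed nibble.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    nibbles = format(int(net.network_address), "032x")
    full, extra_bits = divmod(net.prefixlen, 4)
    if extra_bits == 0:
        heads = [nibbles[:full]]
    else:
        # Enumerate the free low bits of the nibble the prefix cuts through.
        base = int(nibbles[full], 16)
        heads = [nibbles[:full] + format(base + i, "x")
                 for i in range(2 ** (4 - extra_bits))]
    return [".".join(reversed(h)) + ".ip6.arpa" for h in heads]

def subnets_64(prefix: str) -> int:
    """Number of /64 LANs available inside an end-site assignment."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("assignment is smaller than a single /64")
    return 2 ** (64 - net.prefixlen)

if __name__ == "__main__":
    # Constructed sample assignments (documentation prefix).
    for p in ("2001:db8:1200::/48", "2001:db8:12:3400::/56",
              "2001:db8:12:3450::/60", "2001:db8:12:3440::/58"):
        zones = reverse_zones(p)
        print(f"{p}: {subnets_64(p)} x /64, {len(zones)} delegation(s)")
        for z in zones:
            print("   ", z)
```

The /58 case shows why an off-nibble assignment is awkward: it needs four separate delegations where a /56 or /60 needs one.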

Re: v6 subnet size for DSL & leased line customers | United States | 2007-12-21 12:26:29

On Fri, 21 Dec 2007 08:48:35 -0600 (CST)
Joe Greco <jgreco ns.sol.net> wrote:
> I keep coming to the conclusion that an end-user can be made to work
> on a /64, even though a /56 is probably a better choice.

A /56 is definitely better. Of course, I used to have 4 LANs just in
my house (wired, wireless, VPN to employer, "teen-net" to which certain
users were consigned for violation of the house AUP...). I suspect
there are others on this list with more than that, today.

Sure, we're power users. We're also talking about technology that's
been around for a while. If all of my lights were controlled over the
net, I'd probably want a separate subnet for that, for access control.
I might want a separate subnet for environmental controls, because
access problems there can result in physical damage. I really need to
set up a VPN for remote access to the house.

To quote a line from a science fiction book I'm fond of, "no artificial
shortages!"

--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: v6 subnet size for DSL & leased line customers | United States | 2007-12-21 13:12:01

Chris Adams <cmadams hiwaay.net> writes:
> Once upon a time, Owen DeLong <owen delong.com> said:
>> I think it makes sense to assign as follows:
>>
>> /64 for the average current home user.
>> /56 for any home user that wants more than one subnet
>> /48 for any home user that can show need.
>
> Dumb question alert: why the 8 bit boundary? That makes sense for IPv4,
> where reverse DNS delegation is cumbersome on non-octet boundaries, but
> IPv6 reverse DNS can be delegated at the nibble boundary. Why not
> assign /60, /52, etc.? A /60 would probably satisfy virtually all home
> users (up to 16 subnets) for example.

IPv6 is supposed to last a whole lot longer than the current horizon
for any of our imaginations, and given the large amount of space in
play it seems prudent to err on the side of giving people more rather
than less so as to avoid having to revisit this issue later.

---rob

Re: v6 subnet size for DSL & leased line customers | Australia | 2007-12-21 15:16:25

On Fri, 21 Dec 2007 08:31:07 -0800
Owen DeLong <owen delong.com> wrote:
>
> > The primary reasons I see for separate networks on v6 would include
> > firewall policy (DMZ, separate departmental networks, etc)...
> >
> This is certainly one reason for such things.
>
> > And I'm having some trouble envisioning a residential end user that
> > honestly has a need for 256 networks with sufficiently different
> > policies. Or that a firewall device can't reasonably deal with those
> > policies even on a single network, since you mainly need to protect
> > devices from external access.
> >
> Perhaps this is a lack of imagination.
>
> Imagine that your ethernet->bluetooth gateway wants to treat the
> bluetooth
> and ethernet segments as separate routed segments.
>
<snip>

I think this is also showing a bit of a lack of imagination:

> I think it makes sense to assign as follows:
>
> /64 for the average current home user.
> /56 for any home user that wants more than one subnet
> /48 for any home user that can show need.
>

Well, it doesn't really make sense to me - I think it's far more
conservative than it has to be. Even spending time on considering and
evaluating the checkboxes for the last two options is time that could
be better spent on something else, and probably costs more than the
IPv6 address space (and associated costs) saved by being conservative
with the allocations.

I'd be interested to know *why* that makes sense to you -
the justifications.

I'd also be interested to know what you'd *want* if you were asked how
you'd like to structure IPv6 addressing, if you didn't have any history
of having to be conservative with IPv4 addressing. IOW, imagine IPv4
didn't exist, and therefore your thinking about IPv6 isn't influenced
by your history with IPv4.

Regards,
Mark.

--
"Sheep are slow and tasty, and therefore must remain constantly
alert."
- Bruce Schneier, "Beyond Fear"

Re: v6 subnet size for DSL & leased line customers | 2007-12-21 22:31:53

On Dec 21, 2007 6:48 AM, Joe Greco <jgreco ns.sol.net> wrote:
>
> And I'm having some trouble envisioning a residential end user that
> honestly has a need for 256 networks with sufficiently different
> policies. Or that a firewall device can't reasonably deal with those
> policies even on a single network, since you mainly need to protect
> devices from external access.
>

I'd agree that 256 at home seems high to me, today... I do have 10
vlans at home but I could be considered an outlier. I'm not sure that
in the future 10 would even be considered small, maybe things split
on room levels, or appliance types or 'needs vendor support' or some
other set of arbitrary policy points. I agree with you below though
that a /48 seems very large for a residence

-Chris

Re: v6 subnet size for DSL & leased line customers | United States | 2007-12-22 14:23:17

On Fri, Dec 21, 2007 at 01:33:15PM -0500, Deepak Jain wrote:
> For example... Within one's own network (or subnet if you will) we can
> absorb all the concepts of V4 today and have lots of space available.
> For example... for the DMZ of a business... Why not give them 6 bits
> (/122?) are we anticipating topology differences UPSTREAM from the
> customers that can take advantage of subnet differences between /64 and
> /56 ?

I am confused on this point as well. IPv6 documents seem to assume
that because auto-discovery on a LAN uses a /64, you always have to
use a /64 global-scope subnet. I don't see any technical issues that
require this though. ICMPv6 is capable of passing info on prefixes of
any length - prefix length is a plain old 8bit field.

In fact, until I read the ARIN documents to receive an assignment at
work, I assumed this would be how people would operate. So what's the
concern? Give all end users a /64 and let them subnet that as they
see fit. If DHCPv6 would take care of it automatically with shorter
prefixes, that's fine - I doubt it cares if it's doling out info for a
/56, /64, or /96. Not like anything on the public internet is going to
care a lick either.

--
Ross Vandegrift
ross kallisti.us

"The good Christian should beware of mathematicians, and all those who
make empty prophecies. The danger already exists that the mathematicians
have made a covenant with the devil to darken the spirit and to confine
man in the bonds of Hell."
--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37

Re: v6 subnet size for DSL & leased line customers | 2007-12-22 14:53:52

On Dec 22, 2007 12:23 PM, Ross Vandegrift <ross kallisti.us> wrote:
>
> On Fri, Dec 21, 2007 at 01:33:15PM -0500, Deepak Jain wrote:
> > For example... Within one's own network (or subnet if you will) we can
> > absorb all the concepts of V4 today and have lots of space available.
> > For example... for the DMZ of a business... Why not give them 6 bits
> > (/122?) are we anticipating topology differences UPSTREAM from the
> > customers that can take advantage of subnet differences between /64 and
> > /56 ?
>
> I am confused on this point as well. IPv6 documents seem to assume
> that because auto-discovery on a LAN uses a /64, you always have to
> use a /64 global-scope subnet. I don't see any technical issues that
> require this though. ICMPv6 is capable of passing info on prefixes of
> any length - prefix length is a plain old 8bit field.
>

Uhm, so sure the spec might be able to do something different than /64
but most equipment I've used only does auto-conf if the prefix is a
/64 :( Somewhere along the path to ipng we got reverted to classful
addressing again :(

-Chris
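
The prefix-length exchange in the last two messages, as an added example that is not part of the original thread: a parser for the Router Advertisement Prefix Information option (RFC 4861) followed by the core RFC 4862 section 5.5.3 checks a host applies before autoconfiguring. The sample options are constructed from the 2001:db8::/32 documentation range, the function names are illustrative, and a 64-bit interface identifier is assumed.

```python
import ipaddress
import struct

PIO_TYPE = 3             # ND option type: Prefix Information (RFC 4861)
FLAG_AUTONOMOUS = 0x40   # "A" flag: prefix may be used for SLAAC
IID_BITS = 64            # assumed interface identifier length (Ethernet-style links)

def build_pio(prefix: str, flags: int, valid: int, preferred: int) -> bytes:
    """Construct a 32-byte Prefix Information option (sample input only)."""
    net = ipaddress.IPv6Network(prefix)
    head = struct.pack("!BBBBIII", PIO_TYPE, 4, net.prefixlen, flags,
                       valid, preferred, 0)
    return head + net.network_address.packed

def parse_pio(option: bytes) -> dict:
    """Decode the fixed-layout option; the length field counts 8-byte units."""
    if len(option) != 32:
        raise ValueError("Prefix Information option is always 32 bytes")
    typ, length, plen, flags, valid, preferred, _ = struct.unpack(
        "!BBBBIII", option[:16])
    if typ != PIO_TYPE or length != 4 or plen > 128:
        raise ValueError("not a well-formed Prefix Information option")
    addr = ipaddress.IPv6Address(option[16:])
    return {"prefix": ipaddress.IPv6Network((addr, plen), strict=False),
            "autonomous": bool(flags & FLAG_AUTONOMOUS),
            "valid": valid, "preferred": preferred}

def slaac_verdict(option: bytes) -> tuple[bool, str]:
    """Core RFC 4862 section 5.5.3 checks made before forming an address."""
    pio = parse_pio(option)
    if not pio["autonomous"]:
        return False, "A flag clear"
    if pio["prefix"].network_address.is_link_local:
        return False, "link-local prefix"
    if pio["preferred"] > pio["valid"]:
        return False, "preferred lifetime exceeds valid lifetime"
    if pio["prefix"].prefixlen + IID_BITS != 128:
        return False, f"/{pio['prefix'].prefixlen} + {IID_BITS}-bit IID != 128"
    return True, f"autoconfigure in {pio['prefix']}"

if __name__ == "__main__":
    # Constructed sample options: L and A flags set, one day valid lifetime.
    for pfx in ("2001:db8:12:3400::/64", "2001:db8:12:3400::/56",
                "2001:db8:12:3400::/96"):
        print(pfx, slaac_verdict(build_pio(pfx, 0xC0, 86400, 14400)))
```

The option carries any length from 0 to 128 in its one-byte field, but only the /64 passes the last check, which matches the equipment behaviour described in the message above.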