[c-nsp] IPv6 best practices
Mack McBride
mack.mcbride at viawest.com
Fri Feb 8 12:10:42 EST 2013
You may want to attend the North American IPv6 summit.
It usually has a large variety of topics that might be helpful.
http://rmv6tf.org/na-ipv6-summit/2013-north-american-ipv6-summit
Shameless plug as I am on the steering committee.
The RMv6TF is a non-profit to educate the public about IPv6.
Big caveats on subnetting at the lower end:
Always allocate a /64 even if you only use a /127 for a point to point (someday something cool may use SLAAC).
On connected interfaces only configure the portion of a /64 that you will actually use unless you require SLAAC (various DoS attacks).
When you have to connect certain Juniper gear on both ends of a link, make sure ALL IPs are responding (ping-pong issue).
Anything that needs subnets should get at least a /56 and more likely a /48 but most devices can only utilize a /52 (4096 subnets).
A site should get at least a /48 (although home users are probably fine with a /56 - see above related to vlans).
Most of the time it is better to use static IPs or DHCPv6 rather than SLAAC (at least until SLAAC DNS Support is actively deployed).
Don't use private IPv6 (IPv6 ULA) space unless you register it at http://www.sixxs.net/tools/grh/ula/ (and mostly don't use it).
Don't use NAT66 (NAT is not a firewall, a firewall is a firewall).
Don't block ICMPv6; too much of the protocol depends on it. Only block specific messages that you have deemed 'dangerous' after THOROUGH review.
Others have posted various good advice so read their posts too.
Hope to see you at the summit.
LR Mack McBride
Network Architect
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Charles Sprickman
Sent: Thursday, February 07, 2013 1:41 AM
To: cisco-nsp NSP
Subject: [c-nsp] IPv6 best practices
All,
Perhaps a bit OT here, but we've got our v6 allocation from ARIN and I've been doing a fair amount of deployment elsewhere (in a colo facility where we don't have any networking gear beyond L2 switches). I've found plenty of lively discussion (if not consensus) on how to allocate subnets, some ideas on numbering, and a good deal of application-layer BCPs, but I'm simply not finding very much info coming out of the service provider community.
Topics I'm interested in are:
IPv6 BGP best practices/gotchas
Security considerations (particularly WRT network gear)
Preferred interior routing protocols
An overview of where vendors (in this case, Cisco) fall short + workarounds
As definitive a set of guidelines as is possible at this (early?) point regarding subnet sizes for business customers, residential customers, PoPs
I know folks like CYMRU (https://www.team-cymru.org/) have some excellent security BCPs, but nothing IPv6 specific. Many of the IPv6-centric information sites seem to mainly deal with end-user issues and application-specific information. Am I missing a particularly solid "nsp" IPv6 resource?
Thanks,
Charles
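An added example, not part of the original posts: a small Python lint over a constructed address plan that checks three of the subnetting rules in the reply above (a /64 reserved per point-to-point link, only the /127 actually configured on it, no ULA space) and computes how many /64s fit in an allocation. The plan format, device and interface names, and finding strings are assumptions; 2001:db8::/32 is the documentation prefix.

```python
import ipaddress
from collections import defaultdict

ULA = ipaddress.ip_network("fc00::/7")

# Constructed sample plan: (device, interface, role, address/prefix).
PLAN = [
    ("r1", "Gi0/0", "p2p", "2001:db8:0:100::/127"),
    ("r2", "Gi0/0", "p2p", "2001:db8:0:100::1/127"),
    ("r1", "Gi0/1", "p2p", "2001:db8:0:101::1/64"),     # whole /64 configured
    ("r1", "Gi0/2", "p2p", "2001:db8:0:100::2/127"),    # second link in a used /64
    ("r3", "Gi0/2", "p2p", "2001:db8:0:100::3/127"),
    ("r1", "Vlan10", "lan", "2001:db8:0:10::1/64"),
    ("r1", "Vlan20", "lan", "fd12:3456:789a:20::1/64"),  # ULA
]

def count_64s(prefixlen):
    """Number of /64 subnets inside an allocation of the given length."""
    return 2 ** (64 - prefixlen)

def lint_plan(plan):
    """Return sorted (interface, finding) pairs for entries that break the rules."""
    findings = []
    links_in_64 = defaultdict(set)   # parent /64 -> /127 link networks inside it
    members = defaultdict(list)      # /127 link network -> interfaces on it
    for dev, ifname, role, addr in plan:
        iface = ipaddress.ip_interface(addr)
        name = f"{dev}:{ifname}"
        if iface.ip in ULA:
            findings.append((name, "ULA address"))
        if role != "p2p":
            continue
        if iface.network.prefixlen == 64:
            findings.append((name, "p2p link configured as a full /64"))
        elif iface.network.prefixlen == 127:
            parent = iface.network.supernet(new_prefix=64)
            links_in_64[parent].add(iface.network)
            members[iface.network].append(name)
    for parent, links in links_in_64.items():
        # The lowest /127 keeps the /64; any further link inside it is flagged.
        for link in sorted(links)[1:]:
            for name in members[link]:
                findings.append((name, f"shares {parent} with another link"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in lint_plan(PLAN):
        print(f"{name}: {finding}")
```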