Where in the interface is an interface's IPv6 prefix delegation (PD) shown

Gertjan

@NickyDoes said in Where in the interface is an interface's IPv6 prefix delegation (PD) shown:

And what about the PD size? For me, DHCPv6 Primary Address Pool shows a /64 for this LAN, but the logs show a /56 from the ISP/tunnel broker.

The prefix size / (should be) Always a /64

@NickyDoes said in Where in the interface is an interface's IPv6 prefix delegation (PD) shown:

but the logs show a /56 from the ISP/tunnel broker.

That means that /64-/56=/8 or 256 so you could, in theory, have your pfSense, or other routers, ask for 255 prefixes, which mans you can have 256 LANs with 18 446 744 073 709 551 616 IP addresses.

NickyDoes

I understand; The ISP allocated IPv6/56, allowing 64-56 subnets, usable as their own networks (i.e. subnets).

From a usability perspective, for those who are taking on IPv6: I should be able to see the number of subnets allocated without diving into the logs.

johnpoz

@NickyDoes said in Where in the interface is an interface's IPv6 prefix delegation (PD) shown:

I should be able to see the number of subnets allocated without diving into the logs.

Why? Are you not getting the number you asked for or larger? And you can't assign the number of prefixes you need via tracking? This info isn't something you would normally have to even care about - unless something was wrong..

I mean why should I care if they give me a /60 or /56 or /48 even if I only need say 5 or 6.. I mean a /60 is what 16 /64s..

Gertjan

@NickyDoes said in Where in the interface is an interface's IPv6 prefix delegation (PD) shown:

The ISP allocated IPv6/56, allowing 64-56 subnets, usable as their own networks (i.e. subnets).

The IS give you a /56.
For me, it's my ISP router showing this, and I can see :

So, pfSense has take the 'random' "eb" hex. It could have given anything from '01' to 'ff'.
The '00' is reserved by the ISP router for it's own LAN, and the pfSense WAN interface has an IPv6 using that prefix '00'

JKnott

@NickyDoes said in Where in the interface is an interface's IPv6 prefix delegation (PD) shown:

allowing 64-56 subnets

Actually, 256 /64 subnets.

NickyDoes

@johnpoz my perspective is someone who is figuring out IPv6. There's tons of Reddit and other FUD on whether [insert ISP here] delegates /64 or some other prefix.

MAny of these posts/recipes/tutorials lead someone new to think a /64 cannot readily be divided into subnets. By 'readily', I mean divide and still firewall effectively. People (including me) are already nervous giving up our IPv4 NAT inherent security blanket. Yes, I've read that the security afforded by NAT is not security per se. It's still scary to start learning about IPv6 and be sure you're not inadvertently exposing machines to the public net.

From your comment ("why should I care.../60 is what 16 64s"), I presume someone can readily divide their /64 and effectively control access. That's beyond what most tutorial/recipes explain. I've RTM, and am still confused, so I've resorted to searching for more tutorials. I'll try posting more questions here.

Thanks for the help, as always.

johnpoz

@NickyDoes said in Where in the interface is an interface's IPv6 prefix delegation (PD) shown:

presume someone can readily divide their /64 and effectively control access

No not really - some shit not going to work if you break down a /64, pretty sure slaac min size is a /64 for it to work correctly

Why would you need to break down a /64? While technically you can do it, pretty sure it will break parts of IPv6..

How many local networks do you have? A /56 is 256 /64s you could have - do you need more than that? I think I have a lot for home - 8.. Which some I could prob get rid of really.. Or I could maybe make a few more if I wanted to segment some stuff even further.. I currently lump a lot of different types iot into same network.. But that is a long freaking way from 256 networks..

Get with your ISP then, or use a HE tunnel they give you a /48 which is 65k /64s

If you are a decent sized company, not some ma and pa shop - you should prob just get direct from arin for example - /32 is like the min size they give out..

Do you have some large campus network where you need more than say a /56 would give you?

Even if your isp was being stingy and only gave you a /60, that is 16 /64s - which is quite a lot really for some residential customer.. I mean I have my network pretty freaking segmented and I have 8, and couple of those are just test networks, etc.

NickyDoes

@johnpoz ok, I'm making this more confusing because I'm working to learn IPv6 practices thoroughly, but not professionally. I was attempting to share points of confusion as I learn and implement IPv6.

My situation: I'm primarily a homelab, with a minor professional component. Google Fi residential is the ISP, providing one dynamic IPv4 and a /56 PD. I have internal IPv4-only networks for home and for work. A 3rd net is for IPv6 testing. I have now verified that my ISP is granting a /56 PD, which is plenty large.

JKnott

@NickyDoes said in Where in the interface is an interface's IPv6 prefix delegation (PD) shown:

I have now verified that my ISP is granting a /56 PD, which is plenty large.

Some provide a /48, which is huge!

johnpoz

@NickyDoes yeah a /56 is lot of /64s for testing and playing with ;)

Best practice is /64 for any segment you want to break out.. Even if it only has a couple of devices on it.. It seems insane when you first start playing with Ipv6 to be honest.. Since a /64 is so freaking huge when it comes to how many IPs..