WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets"
-
@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.
I've never heard of /126 being recommended, though I had heard of /30, because some operating systems (Windows) couldn't handle a /31. There are also RFCs advocating both /64 and /127 for p-p links, though the /127 one is later, IIRC.
So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!
Don't forget, with SLAAC, you could have as many as 8 GUAs on an interface.
I have a /56 and a half dozen or so IPv6 capable devices on 1 /64 and another /64 for OpenVPN. However, this sparse address space makes scanning attacks pretty much a waste of time, as you're unlikely to find a device in any useful time.
-
@JKnott said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
@awebster said in WAN IPv6 problem "gateway does not lie within one the chosen interface's subnets":
One might argue that /127 is good because it very precisely identifies a PTP link, but others argue /126 is better because some vendors didn't implement /127 properly.
I've never heard of /126 being recommended, though I had heard of /30, because some operating systems (Windows) couldn't handle a /31. There are also RFCs advocating both /64 and /127 for p-p links, though the /127 one is later, IIRC.
So basically regardless of what configuration you choose, any /64 is pretty much 100% unused!
Don't forget, with SLAAC, you could have as many as 8 GUAs on an interface.
I have a /56 and a half dozen or so IPv6 capable devices on 1 /64 and another /64 for OpenVPN. However, this sparse address space makes scanning attacks pretty much a waste of time, as you're unlikely to find a device in any useful time.
You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have its own limits.
Once I got a DHCP server messed up in my lab, I had a Windows PC that had over 800 IPv6 addresses. They all seemed to work as far as ping, etc.
One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts.
That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate.
-
You can have a lot more than 8. I don't know if there is a limit. Probably each OS might have its own limits.
Both Linux & Windows have 8 addresses, after being up for a week, with a new one each day.
One concept of multiple addresses on an interface is for each service on the host to have its own GUA. That way you don't have to worry about port conflicts.
There are also privacy addresses with SLAAC, which change daily.
That was one of the reasons they decided on 64 bits for the host part of the address so that they could be randomly generated by the service with a reasonable chance that it wouldn't be a duplicate.
Also, to work with the EUI-64 MAC addresses. EUI-48 addresses are converted to EUI-64 by inserting fffe in the middle.
On my own network, I have both GUA and ULA addresses, 8 of each.