What If ISP can only provide a /64
-
@bob-dig
This is my home example (it's Saturday!), so no sub-routers needed. The only thing notable about a /64 is that most (all?) auto-configurations do not subnet below a /64. You can actually subnet all the way down to tiny subnets. For example, you could subnet down to say a /124, giving you just 16 IPv6 addresses for that LAN/VLAN.
There are many subnet calculators out there that give you all the options if you want to get really wacky.
-
@robbiett said in What If ISP can only provide a /64:
There are many subnet calculators out there that give you all the options if you want to get really wacky.
True, but there are many devices that will not work with subnets smaller than /64, so it is not good advice. But sure, try for yourself, if it would work for you, but you can't and shouldn't count on this at all.
-
The IETF didn't really imagine that an ISP would be as stingy as handing out a /64, expecting /56 or a /48 address space to be commonplace. Things didn't work out that way but the /64 address space is still massive and I've not run into a case where a client cared about its address space.
-
@robbiett I once had such an ISP and I tried splitting up the /64. If I remember correctly, my Dell printer and my Android phone didn't like it, Windows and Linux were fine though.
-
@bob-dig Yeah, some ISPs are just mean. Yours is the first example I have heard of a device rejecting its subnet. That's some really bad coding!
For the OP the Netgate manual has some words on the subject and the address ranges possible:
The prefix length denotes how many bits of the address define the network in which it exists. Most commonly the prefixes used with IPv6 are multiples of four, as seen in Table IPv6 Subnet Table, but they can be any number between 0 and 128.
Netgate Docs - IPv6 Subnetting
-
@robbiett At this time, everything not being /64 is just wrong. And with dynamic prefixes via track interface you also can't go below /64, even in pfSense.
-
@bob-dig said in What If ISP can only provide a /64:
@robbiett ...my Android phone didn't like it, Windows and Linux were fine though.
Just thinking about the Android bit and I guess this would be due to Android pretending that DHCPv6 does not exist?
-
@robbiett Would make sense, but I don't think that was the case with the printer. And I am just a home user...
-
@bob-dig
Clearly I don't know about the printer specifics; but if I had to guess (and it is a guess) it could be its inbuilt NIC not handling privacy or assigned addresses and is reliant on the 48-bit MAC derived address and that the subnet defined had crossed into the MAC address space. Of course, in all things networking there is always one-more-way to screw something up.
Anyway, we should beat-up ISPs that don't give a static /48 (or /56 at least) address block to their customers. I'm in the UK and even the 'managed' monopoly of BT gives a /56 away (and they would eat your first-born if you let them).
-
A 64 bit host part (or "interface identifier") is baked into the v6 specs in a number of ways. Here's a good summary.
It may be possible to assign and use longer prefixes with DHCP, but SLAAC, hence Android, will definitely break.
Anyway, we should beat-up ISPs that don't give a static /48 (or /56 at least) address block to their customers. I'm in the UK and even the 'managed' monopoly of BT gives a /56 away (and they would eat your first-born if you let them).
+1 on this. Here's RIPE's view on best practices for prefix assignment. In particular,
Assigning a /64 or longer prefix does not conform to IPv6 standards and will break functionality in customer LANs
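The two cases argued over in this thread, as an added example that is not part of any post: carving /64s out of a /56, versus splitting a single /64, where a SLAAC host has no room for its 64-bit interface identifier. The function names, the `2001:db8::` documentation prefixes and the sample MAC are constructed, and modified EUI-64 stands in for whatever 64-bit identifier a real host would pick.

```python
import ipaddress
from itertools import islice

SLAAC_PREFIX_LEN = 64  # SLAAC needs a 64-bit interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 identifier built from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")


def plan_lans(delegated: str, lan_count: int):
    """Return [(subnet, slaac_ok), ...] for lan_count LANs cut from one delegation."""
    net = ipaddress.IPv6Network(delegated)
    if lan_count < 1:
        raise ValueError("need at least one LAN")
    # Use a /64 per LAN whenever the delegation allows it; otherwise borrow host bits.
    new_len = max(SLAAC_PREFIX_LEN, net.prefixlen + (lan_count - 1).bit_length())
    if new_len > 128:
        raise ValueError("delegation too small for that many LANs")
    subnets = islice(net.subnets(new_prefix=new_len), lan_count)
    return [(s, s.prefixlen == SLAAC_PREFIX_LEN) for s in subnets]


def slaac_address(subnet, mac: str):
    """Address an EUI-64 SLAAC host would form, or ValueError if it cannot."""
    if subnet.prefixlen != SLAAC_PREFIX_LEN:
        raise ValueError(f"{subnet}: {128 - subnet.prefixlen} host bits, SLAAC needs 64")
    return subnet[eui64_interface_id(mac)]


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    # Constructed delegations from the 2001:db8::/32 documentation range.
    for prefix in ("2001:db8:abcd:ff00::/56", "2001:db8:0:1::/64"):
        for subnet, slaac_ok in plan_lans(prefix, 3):
            result = slaac_address(subnet, mac) if slaac_ok else "no SLAAC: static or DHCPv6 only"
            print(subnet, result)
```

With the /56 every LAN gets its own /64 and SLAAC works; with the single /64 the three LANs become /66s that only statically addressed or DHCPv6 clients can use.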
-
@robbiett said in What If ISP can only provide a /64:
Just thinking about the Android bit and I guess this would be due to Android pretending that DHCPv6 does not exist?
Yep, you can thank some genius at Google for that.
-
@robbiett said in What If ISP can only provide a /64:
@bob-dig I'm still confused. The /64 refers to the first part of the 128-bit address (half in this example) aka 'the prefix'. The rest of it can be farmed-out as you like.
pfSense has no issue in doing this, using the first part as the prefix and then allowing you to subnet the rest, usually adding a simple addition after the prefix address to signify which address range belongs on any given interface. In my case a ':1' for management, ':2' for main LAN, ':3' for first VLAN etc.
How can Android devices on your LAN SLAAC like this?
Issuing a single /64 is nonsense and indicative of a half-hearted rollout by the residential ISP. See this BCOP RIPE-690 for many pros and cons
https://www.ripe.net/publications/docs/ripe-690
-
@mfld The 'droids are only ever on the 'guest' wifi network and I don't use SLAAC. They still get an IPv4 so can NAT out/in. Clearly no Google or Android equipment is purchased or touches any trusted network.
The RIPE document you linked to is a very good one and great to have to hand if you have a difficult ISP spouting nonsense. The trouble with standards and best practice is that some major players just ignore them - like Google does with DHCPv6 and quite a few US ISPs. The only defence customers have is to shop elsewhere.
I've lived on various bits of the globe and the one that befuddled me the most was living in the US with stuff like CGNAT and even providers with no IPv6 at all. It is bonkers what goes on in the States. I bemoan the UK's regulated monopoly that is BT/Openreach but at least they stick with the recognised standards and at least the minimums of best practice.
-
@robbiett said in What If ISP can only provide a /64:
The point is that you can subnet a /64.
Um not according to the specification - breaking up a /64 is going to be problematic for sure..
If your isp is shit when it comes to IPv6 you have a couple of options. Don't use it - What resource on the public internet can you not get to if you do not have IPv6? Can you name one??
2nd option just use HE tunnel for your IPv6, they give you a /48 you can do whatever you want with..
-
@mfld said in What If ISP can only provide a /64:
Issuing a single /64 is nonsense and indicative of a half-hearted rollout by the residential ISP.
My ISP initially provided a single /64 when they first rolled out native IPv6, but soon moved to /56. So, I wouldn't worry if the single /64 is temporary for a new provider. On the other hand, some ISPs are stingy.
-
@johnpoz said in What If ISP can only provide a /64:
@robbiett said in What If ISP can only provide a /64:
The point is that you can subnet a /64.
Um not according to the specification - breaking up a /64 is going to be problematic for sure..
Word
@NANOG 2 months ago I enjoyed this presentation
https://youtu.be/uSvvHzs1ebA
Unfortunately many residential ISPs rolled out IPv6 reluctantly and done by biased engineers who applied IPv4 mindset to IPv6 deployment.
If your isp is shit when it comes to IPv6 you have a couple of options. Don't use it - What resource on the public internet can you not get to if you do not have IPv6? Can you name one??
Most of my job's ASN is IPv6 only.
There's definitely more and more of that happening.
My home pfsense has CGNAT and IPv6. Without IPv6 I can't hook into it directly.
2nd option just use HE tunnel for your IPv6, they give you a /48 you can do whatever you want with..
HE IP tun broker reputation almost as bad as AS9009 due to shtheads doing shtty things for years. CAPTCHA galore.
More radical option: Sponsored RIPE ASN and a /48 assigned. BGP announce on a Vultr VPS near your location and distribute to your network via GRE or WG. That way you control the IP reputation.
-
@mfld said in What If ISP can only provide a /64:
who applied IPv4 mindset to IPv6 deployment.
Yeah I can see that for sure..
I like the idea of your own tunnel - but that is well beyond the ability of many users to set that up, I was not aware that any of the registries were handing out IPv6 to individuals? When you say sponsored so free as well. The IPv6 space company got from ARIN - isn't free ;)
From RIPE site..
"Before you can request IPv6 addresses, you need to become a RIPE NCC member and open your Local Internet Registry (LIR) account."
So where exactly is this IPv6 space coming from in your idea of doing my own tunnel?
-
@mfld said in What If ISP can only provide a /64:
and done by biased engineers who applied IPv4 mindset to IPv6 deployment
That problem affects more than just the ISPs' engineers. A lot of people are stuck in the IPv4 mindset, which is why some are still thinking NAT with IPv6.
I first learned about IPv4, when I took some classes at a local college, in early 1995. Even back then, I knew 32 bits wasn't enough. I've been advocating for IPv6, ever since I first read about it in the April 1995 issue of Byte magazine and have been running it on my home network for 13 years.
BTW, I recently came across something interesting. In this article about IP history:
"Versions 2 and 3, and a draft of version 4, allowed an address length of up to 128 bits, but this was mistakenly reduced to 32 bits in the final version of IPv4."
I knew Vint Cerf, one of the creators of IP, said he intended it to have many more address bits, but I didn't know versions 2 & 3 already had 128 bits.
-
@johnpoz RIPE is one of a few RIRs where a LIR can "sponsor" an individual or organization for an ASN and assign them a /48.
Sponsoring here doesn't mean financial sponsorship it's more like an endorsement. ARIN don't do it. APNIC sort of do but it's messy. IMO RIPE are the most open and feature complete RIR for this scenario.
The cost is actually pretty decent. Some examples:
https://ifog.ch/en/ip/lir-services
https://www.securebit.ch/internet/resources/autonomous_system
Note: you can be an org or individual outside of the RIPE region and still go down this route. But your cost goes up slightly because to be RIPE eligible you must have a demonstrable footprint (5 dollar vps in Amsterdam will suffice). You can totally also announce some prefixes from Asia or the US.
Vultr hands down best provider for this.
-
@johnpoz said in What If ISP can only provide a /64:
The point is that you can subnet a /64.
Um not according to the specification - breaking up a /64 is going to be problematic for sure..
If everyone stuck to the specifications and best practice then there would be zero need to have such conversations.
To be clear, I'm not an advocate of splitting up a /64 and certainly not an advocate of anyone receiving just a /64 or worse, not being served by IPv6 at all. None of these limitations are applicable to my situation either. This is just a conversation for those stuck in the gap between what should be happening and what is actually happening when stupid strikes.