[ale] IPv6 Subnetting

Michael B. Trausch mike at trausch.us
Tue Feb 15 00:16:39 EST 2011


On Mon, 2011-02-14 at 21:28 -0500, David Tomaschik wrote:
> I'm no networking expert, so I hope I'm missing something here.
> 
> According to RFC 4291, all interface IDs for unicast addresses will be
> 64 bits in length.  It's also widely believed that most residential
> ISPs will hand out a /64 on a per-client basis.  Because IPv6 does not
> have the concept of NAT, it seems that this forces all of the
> computers on that connection to be on a single subnet.

More or less.  Though it isn't exactly as black-and-white as all that.
There are options (albeit non-standard). It is (technically) possible to
do things that are slightly more complicated, at the expense of not
being able to use stateless autoconfiguration).

> This is rather disappointing to me, as in the past I have run 3 NAT
> subnets off a single NAT router/firewall.  I've used one as my
> "regular" LAN (workstations, one wifi SSID), a "guest" LAN (another
> SSID with a different key for my guests) and a lab network (for
> testing things I'd rather keep separate).  It seems to me that under
> IPv6 this addressing scheme will be impossible unless I can convince
> my ISP to hand out a /56.  (Or, I suppose, multiple /64s and have
> multiple (virtual) interfaces on the router.)

It is possible to subnet further than /64, at least as I understand it.
So, let's say you've got a /64 prefix 2001:db8:49a1:39be::/64.

Now, you want three subnetworks from that.  You will need a router at
your network's edge (a true router; not a NAT).  And of course, if you
desire firewalling, you'll want that at the edge of your network.  The
router is likely then to be connected to all three subnetworks, and to
the Internet.  (At least, that's how I would likely do it, unless you
have a device like a WRT54G that will perform routing, but you'll need
to configure that specially for that purpose).

Now, then, you can subnet two ways: take a nybble for the subnetwork, or
take a byte.  If you have 3 subnets, and you don't think you'll ever go
above 16 subnets, take a nibble.  That means your prefix that you'll
actually use will be one of sixteen different /68 subnetworks inside
your /64.  (For that matter, you can take just two bits, and have
exactly three subnetworks.  Up to you---but either way, you break
stateless autoconf, so might as well do four or eight bits and move on.)
If you take a nybble, then you will have the following subnetworks
available to use:

    2001:db8:49a1:39be:0000::/68    2001:db8:49a1:39be:8000::/68
    2001:db8:49a1:39be:1000::/68    2001:db8:49a1:39be:9000::/68
    2001:db8:49a1:39be:2000::/68    2001:db8:49a1:39be:a000::/68
    2001:db8:49a1:39be:3000::/68    2001:db8:49a1:39be:b000::/68
    2001:db8:49a1:39be:4000::/68    2001:db8:49a1:39be:c000::/68
    2001:db8:49a1:39be:5000::/68    2001:db8:49a1:39be:d000::/68
    2001:db8:49a1:39be:6000::/68    2001:db8:49a1:39be:e000::/68
    2001:db8:49a1:39be:7000::/68    2001:db8:49a1:39be:f000::/68

The three zeros you see in each address there is, of course, part of the
host section, since each hex digit maps exactly to one nybble.

If you use a /72 then you would have 256 subnetworks.  Either way, you
need to use static addresses, stateless algorithmic address generation
(e.g., custom software to create shorter addresses in a stateless
manner), or DHCPv6.

Your nodes will still make their link-local addresses the same way.  And
as far as your ISP is concerned, you're using your /64.  The details of
your routing behind that /64 do not matter to them: your address space
is perfectly opaque as far as they're concerned.

You could actually, if you really wanted to, make subnetwork prefixes as
long as /112 or /120 or /126 if you wanted really small networks.  I
mean, crap.  You've got 64 bits of network space to carve up and do with
what you wish.  :-)

Now, that said, here is a BIG DISCLAIMER:  I have never *actually*
performed this.  I believe that Linux allows it; based on my
understanding, any standards-compliant operating system should.  YMMV.

	--- Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20110215/9e3a02a7/attachment-0001.bin 


More information about the Ale mailing list