Sunday, March 19, 2017

Breathe deeply, a /64 is a good thing

by Craig Miller

Earth's atmosphere is vast
IPv6 is a different networking protocol from IPv4. To illustrate, just look at how a host can get a globally unique address (GUA) without requiring any servers and without sending a packet*. This is made possible by the fact that IPv6 does not use variable-length subnet masks on end-user LANs: every end-user LAN is a /64.

There are some who say that it is a waste of address space to use an entire /64 (4 billion * 4 billion addresses) on a single subnet. I would suggest that those who say so are still in an IPv4 frame of mind. The IPv6 address space is vast (see Simplifying Subnetting).

Take a breath

Think of it this way: how many breaths have you taken since getting up this morning? I have no idea how many I have taken. But if you are scuba diving, breathing off a tank of compressed air, you pay close attention to how much air you have (usually measured in minutes, though when diving that can change depending on how deep you are and how much effort you are expending). We don't think about how many breaths we take driving to work, because Earth's atmosphere is vast.

A prefix longer than /64?

There is the additional problem that if the LAN subnet is defined as something other than /64, many things will break, much more than just SLAAC (Stateless Address Autoconfiguration). The authors of RFC 7421 have exhaustively gone through the RFCs to examine what assumes the end-user LAN is a /64.

Some failure modes highlighted by RFC 7421:
  • Routers may drop packets on interfaces with prefixes /65 to /126 (inclusive)
  • Specific multicast addresses will fail (resulting in NDP failures)
  • The Cryptographically Generated Address format [RFC3972] relies on /64
  • Many transition mechanisms, such as NAT64 and 464XLAT
  • Duplicate address risk, should SLAAC be modified to work with prefixes longer than /64
  • Link-local addressing defines the Interface ID (IID) as 64 bits wide
  • IP Address Management (IPAM) systems assume /64
  • Firewall lookup issues (where there are not enough content-addressable memory bits to include longer prefixes plus L4 port numbers)
Although not specifically a failure mode, a subnet smaller than /64 takes an attacker far less time to scan exhaustively.
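To make the /64 dependency concrete, here is an added example (not from the original post) that builds a SLAAC address the way a host does, a /64 prefix from a Router Advertisement plus a 64-bit modified EUI-64 Interface ID, and shows why a prefix of any other length cannot be used. The prefix and MAC address below are constructed sample values; `host_addresses` also shows how the scan space collapses as the prefix grows.

```python
import ipaddress

IID_BITS = 64  # Interface ID width assumed by SLAAC, link-local, CGA and friends


def modified_eui64(mac: str) -> int:
    """Derive a modified EUI-64 Interface ID from a 48-bit MAC (RFC 4291 App. A):
    insert 0xFFFE between the OUI and the NIC part, then toggle the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    first = eui64[0] ^ 0x02  # flip the universal/local bit
    return int.from_bytes(bytes([first]) + eui64[1:], "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Form a SLAAC address: advertised prefix + 64-bit IID.
    RFC 4862 requires prefix length + IID length == 128, so a /65 or longer
    prefix leaves no room for the IID and a shorter one would not fill the
    host bits; either way the Prefix Information option must be ignored."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen + IID_BITS != 128:
        raise ValueError(
            f"SLAAC needs a /64 prefix, got /{net.prefixlen}: the IID is "
            f"{IID_BITS} bits wide but only {128 - net.prefixlen} host bits remain"
        )
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))


def host_addresses(prefixlen: int) -> int:
    """Number of addresses in a subnet of this prefix length, i.e. the space an
    attacker would have to sweep for a brute-force scan."""
    return 2 ** (128 - prefixlen)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC
    print(slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55"))
    for plen in (64, 80, 96, 120):
        print(f"/{plen}: {host_addresses(plen):,} addresses to scan")
    try:
        slaac_address("2001:db8:1:2::/80", "00:11:22:33:44:55")
    except ValueError as err:
        print("rejected:", err)
```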

Think Different, Think Vast

Think about how many breaths you take in a day, a month, a year. Compared to how much air is in the world, what you breathe is insignificant. So take a deep breath, and remember that the IPv6 address space is vast.

* Duplicate Address Detection (DAD) is performed, but only after a GUA has been selected.
** Photo licensed under Creative Commons
