[AusNOG] another ipv6 Q

Mark Andrews marka at isc.org
Thu Jul 3 16:51:31 EST 2014


In message <1404367187.3159.306.camel at karl>, Karl Auer writes:
> On Thu, 2014-07-03 at 15:47 +1000, Tony wrote:
> > * We allocate a /48 (out of our /32 that we have from APNIC) to customer
> > * customer splits this up as they see fit (hopefully following some rules  
> > as to how they allocate subnets)
> > * customer gives devices an IPv6 address out of this /48 on all their  
> > devices
> > * all customer devices are now globally addressable
> > 
> > So what happens when said customer changes to another SP ?
> 
> What the customer did was get provider aggregatable (PA) address space.
> It was probably very cheap, probably even free, but the downside is that
> it is tied to the particular provider. If they change providers, they
> will have to renumber.

They partially renumber.  They use ULA for *stable* internal
addressing.  Have your servers update their own address in the DNS
(internal and external) using DNS UPDATE.  This really isn't hard
to do.  Your DHCP server has probably been doing this for the last
decade for IPv4.  Let the rest of the machines choose their own
addresses.

The machine I am typing this on has 5 IPv6 addresses per interface.
1 Link local, 2 GUA (fixed + temporary), 2 ULA (fixed + temporary).
The stack works out which address to use for which function.

A simple script like this will do.  It deletes all the old AAAA
records then adds the current set of AAAA records.  The nameserver
will work out what the minimal change to the zone is and also update
the DNSSEC records if required.  This uses TSIG to authenticate the
updates and to select the instance of the zone to be updated.

"+" is used in the tsig name to move it out of the hostname namespace.

# Addresses are read from BSD/macOS "ifconfig en0 inet6" output, where each
# address line looks like "\tinet6 <addr> prefixlen 64 [autoconf] [temporary]".
# The nsupdate "key" command takes the key name and the secret separated by a
# space; "secret" below is a placeholder for the real TSIG secret.

# update the external DNS.
ifconfig en0 inet6 |
awk -v hostname="$(hostname)" '
        BEGIN {
                print "key", "tsig+external." hostname, "secret";
                print "update delete", hostname, "AAAA";
        }
        $1 != "inet6" { next }    # skip the interface header line
        $2 ~ /^f[cd]/ { next }    # No ULA externally (fc00::/7)
        $2 ~ /^fe[89ab]/ { next } # No Link Local (fe80::/10)
        /temporary/ { next }      # No temporary addresses
        { print "update add", hostname, "3600 AAAA", $2 }
        END { print "send" }' |
nsupdate

# update the internal DNS.
ifconfig en0 inet6 |
awk -v hostname="$(hostname)" '
        BEGIN {
                print "key", "tsig+internal." hostname, "secret";
                print "update delete", hostname, "AAAA";
        }
        $1 != "inet6" { next }    # skip the interface header line
        $2 ~ /^fe[89ab]/ { next } # No Link Local (fe80::/10)
        /temporary/ { next }      # No temporary addresses
        { print "update add", hostname, "3600 AAAA", $2 }
        END { print "send" }' |
nsupdate

You just need to trigger it on address changes.

hostname is of course fully qualified.

> > The alternative could be the customer  
> > approaches the LIR and gains a /48 from the LIR,
> 
> That's "provider independent" (PI) AKA "portable" address space.
> 
> >  but wouldn't you then  
> > just have every company in the world with their own /48 which would just  
> > cause issues with aggregation and routing table size ?
> 
> Well, yes and no. PI is the solution for someone who needs multihoming
> or who wants portability. There are lots of people who will be happy to
> use PA, not least because it is usually very cheap. PA will be certainly
> be the default for millions upon millions of homes and small businesses,
> just as it is now. Also, renumbering isn't quite the horrible bugbear it
> used to be, especially if you design with possible renumbering in mind.
> There are other solutions if they really want to push it (1:1 NAT with
> ULA etc) but none have much to recommend them over nice clean PI address
> space, if renumbering is so deeply feared (or so very likely).
> 
> > In the IPv4 world, this would mean changing DHCP  
> > scopes, then changing anything that is manually set ?
> 
> Same for IPv6.
> 
> > I'm just curious as for anyone who isn't able to get their own globally  
> > unique space from a LIR then does [...]
> 
> The predicate is wrong. Why would someone not be able to get PI? There
> is a metric shitload of it available.

There isn't a metric shitload of routing slots.
 
> Regards, K.
> 
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Karl Auer (kauer at biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
> 
> GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
> Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
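Mark's awk pipeline generalized in Python, as an added example that is not from the original post: it applies the same filtering rules (using the ipaddress module for the ULA and link-local checks), builds the nsupdate input for the external and internal keys, and adds a change check so the script can sit behind an address-change hook. The sample ifconfig output, the interface name en0, the TSIG_SECRET environment variable and the tsig+<view>.<fqdn> key names are assumptions.

```python
import ipaddress, os, socket, subprocess

ULA = ipaddress.IPv6Network("fc00::/7")  # unique local addresses: internal view only

# Constructed sample of BSD/macOS "ifconfig en0 inet6" output (documentation
# prefix 2001:db8::/32 and a made-up ULA prefix, not any real host's addresses).
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet6 fe80::1c2d:3e4f:5a6b:7c8d%en0 prefixlen 64 secured scopeid 0x4
\tinet6 2001:db8:1:2::1 prefixlen 64 autoconf secured
\tinet6 2001:db8:1:2:5c1e:9d3a:b2f4:8e7c prefixlen 64 autoconf temporary
\tinet6 fd12:3456:789a:1::1 prefixlen 64
\tinet6 fd12:3456:789a:1:a1b2:c3d4:e5f6:718 prefixlen 64 temporary
"""

def publishable_addresses(ifconfig_text, external):
    """Same rules as the awk pipeline: drop link-local and temporary (privacy)
    addresses, and for the external view drop ULA as well."""
    keep = []
    for line in ifconfig_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "inet6" or "temporary" in fields:
            continue
        addr = ipaddress.IPv6Address(fields[1].split("%")[0])  # strip "%en0" scope
        if addr.is_link_local or (external and addr in ULA):
            continue
        keep.append(str(addr))
    return keep

def nsupdate_script(hostname, key_name, secret, addresses, ttl=3600):
    """nsupdate input: pick the TSIG key (which also picks the zone instance),
    delete every AAAA for the name, add the current set, send."""
    lines = [f"key {key_name} {secret}", f"update delete {hostname} AAAA"]
    lines += [f"update add {hostname} {ttl} AAAA {a}" for a in addresses]
    return "\n".join(lines + ["send"]) + "\n"

def changed(last_published, current):
    """Run from an address-change hook, only send when the set really changed."""
    return set(last_published) != set(current)

if __name__ == "__main__":
    # Assumed: interface en0, FQDN from the resolver, TSIG secret in $TSIG_SECRET,
    # and key names following the "tsig+<view>.<fqdn>" scheme from the post.
    fqdn = socket.getfqdn() + "."
    out = subprocess.run(["ifconfig", "en0", "inet6"], capture_output=True, text=True).stdout
    for view in ("external", "internal"):
        addrs = publishable_addresses(out, external=(view == "external"))
        script = nsupdate_script(fqdn, f"tsig+{view}.{fqdn}", os.environ["TSIG_SECRET"], addrs)
        subprocess.run(["nsupdate"], input=script, text=True, check=True)
```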