On 2023-04-18 11:04, Nohk Two wrote:
BTW, I run pfSense for my firewall/router and it supports multiple /64s. If my modem was in gateway mode, I'd only get a single /64.
I have a question with regard to the number of IPv6 addresses one can get from his ISP.
In my case, my router uses PPPoE to get the IPv6 from the ISP. The router got an IPv6 prefix for the router. The router also issued the DHCP-PD to the ISP to get another IPv6 prefix.
The first IPv6 prefix is for the router itself and the second IPv6 prefix is used to configure the router's LAN devices either by the SLAAC and/or RDNSS and/or DHCPv6...
My question is: is it correct that, for the first IPv6 prefix, the router could get 2^64 (or 2^72 in your case) IPv6 addresses since the ISP assigned the IPv6 prefix to the router?
Of course, the router has no reason to assign so many addresses to itself. The router usually assigns one IPv6 address whose interface ID is based on the MAC address.
Actually, it's a bit different. First off, the link local address is used for routing. This address starts with fe80 and every IPv6 capable device has one. Second, while my router has a single IPv6 address, its prefix is a /128. This means it can't communicate directly with anything. All traffic for that address has to be routed via the link local address. In fact, you don't even need a global address on the WAN port. If you had to reach it from elsewhere, you could use any other global address in it, such as the LAN address. It makes no difference, as any address on the router has to be reached over the link local address.
On 18.04.2023 18:10, James Knott wrote:
Second, while my router has a single IPv6 address, its prefix is a /128. This means it can't communicate directly with anything. All traffic for that address has to be routed via the link local address.
Bullshit. On-link connectivity in IPv6 has absolutely nothing to do with "network mask".
On 2023-04-18 13:07, Andrei Borzenkov wrote:
On 18.04.2023 18:10, James Knott wrote:
Second, while my router has a single IPv6 address, its prefix is a /128. This means it can't communicate directly with anything. All traffic for that address has to be routed via the link local address.
Bullshit. On-link connectivity in IPv6 has absolutely nothing to do with "network mask".
Maybe you need to review how IP works. When a device has a packet to transmit, it compares the destination with its own address and subnet mask. If it's within the same subnet, the packet is sent directly, using the MAC address. If it's in a different subnet, it's sent to the router for forwarding. With a /24 mask, as commonly used on IPv4, there are 254 usable addresses, as determined by the mask size. The same holds with IPv6, where a /64 means 18.4 billion, billion addresses. The same holds for longer prefixes, up to /127, which supports 2 addresses. This would typically be used on a point to point link.
Now, with a /128 on IPv6 or /32 on IPv4, how many addresses are there within the subnet? Only 1, which means there can be no other addresses within the subnet and that means you have to go through a router to reach any other address. Even with link local addresses, the number of reachable addresses is limited by the subnet size and is usually a /64. Here's an example, taken from the computer I'm using right now.
    fe80::76d4:35ff:fe5b:f5fa/64 scope link
In this case the "prefix" is fe80. Now here's my WAN address.
    inet6 2607:f879:804:90:3899:8d05:91dc:56e3 prefixlen 128
(I've changed the address to protect the guilty) Notice the 128 prefix length? How many bits does that leave for addresses within the subnet?
On 4/18/23 10:24, James Knott wrote:
Even with link local addresses, the number of reachable addresses is limited by the subnet size and is usually a /64. Here's an example, taken from the computer I'm using right now. fe80::76d4:35ff:fe5b:f5fa/64 scope link
This is off-topic. I've always wondered why /64 was chosen for the default IPv6 netmask. It seems to be a horrible waste of IP address space. Sure, no problem now, but what about 100 years from now when the Internet may extend to the moon, Mars, the asteroid belt, and beyond? I'd think that /64 of subnet address space will always be wasted. Where am I wrong?
Regards,
Lew
* Lew Wolfgang <wolfgang@sweet-haven.com> [04-18-23 15:11]:
On 4/18/23 10:24, James Knott wrote:
Even with link local addresses, the number of reachable addresses is limited by the subnet size and is usually a /64. Here's an example, taken from the computer I'm using right now. fe80::76d4:35ff:fe5b:f5fa/64 scope link
This is off-topic. I've always wondered why /64 was chosen for the default IPv6 netmask. It seems to be a horrible waste of IP address space. Sure, no problem now, but what about 100 years from now when the Internet may extend to the moon, Mars, the asteroid belt, and beyond? I'd think that /64 of subnet address space will always be wasted. Where am I wrong?
you haven't lately conversed with Bill Gates about memory requirements?
--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet oftc
On 2023-04-18 15:09, Lew Wolfgang wrote:
This is off-topic. I've always wondered why /64 was chosen for the default IPv6 netmask. It seems to be a horrible waste of IP address space. Sure, no problem now, but what about 100 years from now when the Internet may extend to the moon, Mars, the asteroid belt, and beyond? I'd think that /64 of subnet address space will always be wasted. Where am I wrong?
In addition to splitting an address equally between host and network portions, I suspect it had something to do with EUI-64 addresses, which are a longer version of the 48 bit MAC addresses. This means the host portion would be the same length as the MAC. On the security side, having such a sparse address space means it will be extremely difficult for an attacker to find anything to attack. For example, I have 2^72 addresses in my prefix, but only a few dozen working addresses. That leaves a heck of a lot of nothing to attack. Add to that the address I used to "surf the web" changes daily. So, even if someone manages to capture one, it won't last for long. Regardless, the number of addresses is so huge, they're compared to being more than all the grains of sand, etc. There are enough addresses allocated to global addresses that each person on earth could have over 4000 /48 prefixes. Each /48 contains 2^80 addresses. It's going to take a while to run out! 😉
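The link-local address quoted in this thread has the ff:fe pattern of a MAC-derived (modified EUI-64) interface ID, while the WAN address does not. As an added illustration that is not part of any poster's message, this Python sketch recovers the MAC from such an address and reports which addresses expose it; the function names and the 2001:db8:1::/64 documentation prefix are assumptions.

```python
import ipaddress

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    ip = ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])
    iid = ip.packed[8:]                  # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":          # EUI-64 puts ff:fe between the MAC halves
        return None                      # a random IID matches by chance 1 in 65536
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the inverted U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def slaac_address(prefix, mac):
    """Build the address a host forms from a /64 prefix and its MAC (EUI-64 style)."""
    net = ipaddress.IPv6Network(prefix)
    m = bytes.fromhex(mac.replace(":", ""))
    if net.prefixlen != 64 or len(m) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC")
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def audit(addresses):
    """Map each address to the MAC it exposes (None if the IID is opaque)."""
    return {a: eui64_mac(a) for a in addresses}

# Both addresses are the ones quoted in the thread.
SAMPLE = ["fe80::76d4:35ff:fe5b:f5fa/64", "2607:f879:804:90:3899:8d05:91dc:56e3/128"]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr:45} {'exposes MAC ' + mac if mac else 'opaque interface ID'}")
    # Same MAC on another network (assumed documentation prefix): the low 64 bits
    # do not change, so the host stays recognisable across networks.
    moved = slaac_address("2001:db8:1::/64", "74:d4:35:5b:f5:fa")
    print(moved, "->", eui64_mac(str(moved)))
```

Addresses flagged here keep the same low 64 bits on every network the interface joins, which is what temporary addresses that change daily avoid.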
On 4/18/23 12:21, James Knott wrote:
On 2023-04-18 15:09, Lew Wolfgang wrote:
This is off-topic. I've always wondered why /64 was chosen for the default IPv6 netmask. It seems to be a horrible waste of IP address space. Sure, no problem now, but what about 100 years from now when the Internet may extend to the moon, Mars, the asteroid belt, and beyond? I'd think that /64 of subnet address space will always be wasted. Where am I wrong?
In addition to splitting an address equally between host and network portions, I suspect it had something to do with EUI-64 addresses, which are a longer version of the 48 bit MAC addresses. This means the host portion would be the same length as the MAC. On the security side, having such a sparse address space means it will be extremely difficult for an attacker to find anything to attack. For example, I have 2^72 addresses in my prefix, but only a few dozen working addresses. That leaves a heck of a lot of nothing to attack. Add to that the address I used to "surf the web" changes daily. So, even if someone manages to capture one, it won't last for long.
Regardless, the number of addresses is so huge, they're compared to being more than all the grains of sand, etc. There are enough addresses allocated to global addresses that each person on earth could have over 4000 /48 prefixes. Each /48 contains 2^80 addresses. It's going to take a while to run out! 😉
Yes, but having such a huge subnet address space surely is wasteful, and means carrying around all those extra bits in packets that will never be used. And what was it they said about security through obscurity?
Regards,
Lew
On 2023-04-18 15:30, Lew Wolfgang wrote:
Yes, but having such a huge subnet address space surely is wasteful, and means carrying around all those extra bits in packets that will never be used.
One other thing is we don't have to worry about subnet size. All LANs are /64. A /64 has as many addresses as the entire IPv4 address space squared! As for extra bits, that's not as much of an issue as you seem to think. With modern networks running a gigabit or more, it doesn't amount to much time. Network equipment also handles things an entire frame at a time, so overall packet length doesn't even affect processing time. Also, with jumbo frames, now used in many networks, the address is a smaller portion of the overall packet. 9KB is a common size for jumbo frames. I don't know if you remember Novell Netware & IPX. An IPX address was 64 bits, 48 bits for the host and 16 for the network and that was back in the 80s, when networks and computers were a lot slower.
Lew Wolfgang wrote:
On 4/18/23 10:24, James Knott wrote:
Even with link local addresses, the number of reachable addresses is limited by the subnet size and is usually a /64. Here's an example, taken from the computer I'm using right now. fe80::76d4:35ff:fe5b:f5fa/64 scope link
This is off-topic. I've always wondered why /64 was chosen for the default IPv6 netmask.
One key concern is the space needed in internet routing tables. With smaller ranges, more entries are needed. The standing recommendation is to dish out /64, but providers also often use /48.
--
Per Jessen, Zürich (10.1°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-18 15:41, Per Jessen wrote:
One key concern is the space needed in internet routing tables. With smaller ranges, more entries are needed. The standing recommendation is to dish out /64, but providers also often use /48.
This is also why IPv6 addresses are distributed geographically, so that similar address ranges tend to be in the same physical area. This goes a long way to reducing routing tables. With IPv4, this was not a consideration, which led to address blocks being scattered all over.
On 2023/4/18 23:10, James Knott wrote:
On 2023-04-18 11:04, Nohk Two wrote:
BTW, I run pfSense for my firewall/router and it supports multiple /64s. If my modem was in gateway mode, I'd only get a single /64.
I have a question with regard to the number of IPv6 addresses one can get from his ISP.
In my case, my router uses PPPoE to get the IPv6 from the ISP. The router got an IPv6 prefix for the router. The router also issued the DHCP-PD to the ISP to get another IPv6 prefix.
The first IPv6 prefix is for the router itself and the second IPv6 prefix is used to configure the router's LAN devices either by the SLAAC and/or RDNSS and/or DHCPv6...
My question is: is it correct that, for the first IPv6 prefix, the router could get 2^64 (or 2^72 in your case) IPv6 addresses since the ISP assigned the IPv6 prefix to the router?
Of course, the router has no reason to assign so many addresses to itself. The router usually assigns one IPv6 address whose interface ID is based on the MAC address.
Actually, it's a bit different. First off, the link local address is used for routing. This address starts with fe80 and every IPv6 capable device has one. Second, while my router has a single IPv6 address, its prefix is a /128. This means it can't communicate directly with anything. All traffic for that address has to be routed via the link local address.
Ok, this is very clear. Thank you very much.
I have to correct my original statement that the first IPv6 prefix should be a complete /128 IPv6 address. And the MAC address derived interface id must be learned by the ISP during the PPPoE handshake process.
In fact, you don't even need a global address on the WAN port. If you had to reach it from elsewhere, you could use any other global address in it, such as the LAN address. It makes no difference, as any address on the router has to be reached over the link local address.
You are right, I also found this global WAN IPv6 address is useless. And the default gateway is the router's link local address in my LAN devices.
On 2023-04-19 09:10, Nohk Two wrote:
You are right, I also found this global WAN IPv6 address is useless. And the default gateway is the router's link local address in my LAN devices.
No, it's not useless. It can be used for things like a VPN. But then again, so could any other global address on the router.