IPv6 addressing in SMB environment

Martin Bernier has decided to open another can of IPv6 worms: how do you address multiple subnets in a very typical setup where you use a firewall (example: ASA) to connect an SMB network to the outside world?

Imagine a simple network with an SP-supplied CPE and a customer-supplied firewall:


Now what?

The CPE learns the /64 prefix used on its outside interface from the PE router’s RAs, and uses DHCPv6 IA_PD to get a prefix it can use on internal interfaces. This works great as long as you connect the inside subnets straight to the CPE (sample configurations are included with the Building Large IPv6 Service Provider Networks webinar).
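As an added example (not the webinar’s sample configuration), here is what the straightforward case looks like on a Cisco IOS CPE: SLAAC plus a default route from the PE router’s RAs on the outside interface, DHCPv6 IA_PD for a prefix stored under the general-prefix name SP-PD (an assumed name), and inside interfaces addressed out of that prefix. Interface names and the 2001:db8: prefix in the comments are constructed.

```cisco
! Constructed example: IOS CPE, SLAAC on the outside, DHCPv6 IA_PD for the inside
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 description Outside, toward the SP PE router
 ipv6 enable
 ! Outside /64 and the default route are learned from the PE router's RAs
 ipv6 address autoconfig default
 ! Ask the SP's DHCPv6 server for a delegated prefix and keep it as general prefix SP-PD
 ipv6 dhcp client pd SP-PD rapid-commit
!
interface GigabitEthernet0/1
 description Inside LAN 1
 ! Subnet ID 1 of the delegated prefix, host ::1
 ! (2001:db8:abcd:1::1/64 if the SP delegated 2001:db8:abcd::/56)
 ipv6 address SP-PD ::1:0:0:0:1/64
!
interface GigabitEthernet0/2
 description Inside LAN 2
 ! Subnet ID 2 of the same delegated prefix; renumbers automatically if the SP changes it
 ipv6 address SP-PD ::2:0:0:0:1/64
```

Once the CPE has received the prefix, `show ipv6 general-prefix` lists SP-PD and the interfaces derived from it; the /64s on the inside interfaces are renumbered whenever the delegated prefix changes.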


I wish life would always be so easy ...

However, what could you do if you connect the inside interface of the CPE to a firewall?


And who will delegate what to whom?

In theory, you could use LLA on the FW-to-CPE interface and delegate the whole prefix CPE received from the SP’s DHCPv6 server to the firewall, which could use it to address its other interfaces ... the “only” problem being that I haven’t found a CPE yet that would be able to use a delegated prefix as its own DHCPv6 prefix delegation pool (or a firewall that would run DHCPv6 IA_PD client ... at least ASA and SRX don't).

Alternatively, you could use DHCPv6 relay on the CPE and request the delegated prefix straight from the firewall (assuming you actually find the mythical beast that does that). Unfortunately, at least Cisco IOS doesn’t install a static route for a delegated prefix when relaying DHCPv6 responses to another DHCPv6 relay, so the static route to the firewall (and its delegated prefix) would be installed in the CPE (final relay), but not in the PE-router.

There are two viable alternatives I can see at the moment:

Use a bridging CPE. This design would create direct IPv6 connectivity between the firewall and the PE-router, and allow the firewall to use SLAAC to get its outside IPv6 address, and IA_PD to get a prefix to use on the inside interfaces. It still won’t work with firewalls that don't support a DHCPv6 IA_PD client.


The only thing we need is a unicorn DHCPv6 IA_PD client in the firewall

Use properly delegated PA address space and static routing. This approach always works, but it’s usually available only from the business customer price list, something SMBs pretending to be residential customers might not appreciate.
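The second alternative, as an added example that is not from the original post: the SP statically routes 2001:db8:abcd::/56 (a constructed documentation prefix) to the CPE, a /64 is carved out of it for the CPE-to-firewall link, and both sides use static routes. The CPE is a Cisco IOS router and the firewall a Cisco ASA; interface names and the subnet plan are assumptions.

```cisco
! Constructed example, CPE side (Cisco IOS): SP routes 2001:db8:abcd::/56 to this box
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 description Outside, toward the SP PE router
 ipv6 enable
 ! Outside address and default route still come from the PE router's RAs
 ipv6 address autoconfig default
!
interface GigabitEthernet0/1
 description Link to the customer firewall (2001:db8:abcd:ff::/64 taken from the /56)
 ipv6 address 2001:DB8:ABCD:FF::1/64
!
! The rest of the /56 lives behind the firewall; the connected :ff::/64 is a longer match
ipv6 route 2001:DB8:ABCD::/56 2001:DB8:ABCD:FF::2
!
! Constructed example, firewall side (Cisco ASA)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ipv6 address 2001:db8:abcd:ff::2/64
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! ASA sends RAs here by default, so inside hosts autoconfigure from 2001:db8:abcd:1::/64
 ipv6 address 2001:db8:abcd:1::1/64
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ipv6 address 2001:db8:abcd:2::1/64
!
! Default route toward the CPE; no DHCPv6 IA_PD client needed anywhere
ipv6 route outside ::/0 2001:db8:abcd:ff::1
```

Because the prefix is static, the firewall’s rules and the inside subnets never need to be renumbered, which is the price difference the post refers to.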

More information

You’ll find a detailed description of SLAAC, DHCPv6 and prefix delegation mechanisms in the Building Large IPv6 Service Provider Networks webinar. You can buy its recording or get it as part of the IPv6 trilogy or yearly subscription ... and don’t forget to use Unique Local Addresses to reduce the renumbering headaches if you don’t have your own IPv6 PI address space.

4 comments:

  1. (removed and reposted due to typo)
    This is another issue with the transition from the "NAT" approach to the "delegate" approach. Delegation means pushing network addressing "down the pipe", from the core to the end devices, and we are trying to do it with DHCP.

    How much address space? How to support arbitrary levels of delegation? How to dual home? How to dynamically change addressing without long loss of connectivity?

    Interesting IPv6 debates usually revolve around the NAT/delegate shift, while less interesting but still very practical debates are about unhealthy implementations. There is also some space about DHCPv6 quirks and how it disregards MAC addresses.

    The technical leaders obviously failed to address these problems during RFC development, so now we are struggling to make IPv6 without NAT at least as useful as IPv4 with NAT, and failing in many ways.

    I see now NAT66 in Linux iptables and Cisco ASA, and this could be the premature end of the idea of pushing network addressing downwards.

  2. As you already stated, the SMB should get a static /48 or /56.

    The challenges surrounding DHCPv6-PD in cascading CPE configurations have been heavily discussed in HOMENET (https://www.ietf.org/mailman/listinfo/homenet). You may want to read through the archives there.

  3. I am not sure that I agree with the use of ULA for a connected network...

    Indeed, it simplifies the renumbering at the expense of breaking some applications by forcing them to go through an NPTv6 function...

  4. I'm wondering when (if?) IOS will get the ability to supply IPv6 addresses via DHCP for a delegated prefix. This would be useful in an SMB environment where a specific host needs a firewall rule opened (web server, mail server, etc).

    For this to work we would also need either wildcards in IPv6 ACLs or the ability to use the general-prefix in screening ACLs to account for changing IPv6 prefixes.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.