Martin Bernier has decided to open another can of IPv6 worms: how do you address multiple subnets in a very typical setup where you use a firewall (example: ASA) to connect an SMB network to the outside world?
Imagine a simple network with an SP-supplied CPE and a customer-supplied firewall:
The CPE learns the /64 prefix used on its outside interface through the PE router’s RA advertisements, and uses DHCPv6 IA_PD to get a prefix it can use on internal interfaces. This works great as long as you connect the inside subnets straight to the CPE (sample configurations are included with the Building Large IPv6 Service Provider Networks webinar).
However, what could you do if you connect the inside interface of the CPE to a firewall?
In theory, you could use LLA on the FW-to-CPE interface and delegate the whole prefix CPE received from the SP’s DHCPv6 server to the firewall, which could use it to address its other interfaces ... the “only” problem being that I haven’t found a CPE yet that would be able to use a delegated prefix as its own DHCPv6 prefix delegation pool (or a firewall that would run DHCPv6 IA_PD client ... at least ASA and SRX don't).
Alternatively, you could use DHCPv6 relay on the CPE and request the delegated prefix straight from the firewall (assuming you actually find the mythical beast that does that). Unfortunately, at least Cisco IOS doesn’t install a static route for a delegated prefix when relaying DHCPv6 responses to another DHCPv6 relay, so the static route to the firewall (and its delegated prefix) would be installed in the CPE (final relay), but not in the PE-router.
There are two viable alternatives I can see at the moment:
Use a bridging CPE. This design would create direct IPv6 connectivity between the firewall and the PE-router, and allow the firewall to use SLAAC to get its outside IPv6 address, and IA_PD to get a prefix to use on the inside interfaces. Still won’t work with firewalls that don't support DHCPv6 IA_PD client.
Use properly delegated PA address space and static routing. This approach always works, but it’s usually available only from the business customer price list, something SMBs pretending to be residential customers might not appreciate.
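To make the static-routing design concrete, here is an added example configuration written for this post (not the sample configs from the webinar): the SP statically routes a customer /48 to the CPE, the CPE carves one /64 out of it for the CPE-to-firewall link and statically routes a /56 to the firewall, and the firewall uses that /56 on its inside interfaces. All prefixes are constructed from the 2001:db8::/32 documentation range and the interface names are assumed.

```cisco
! ---- CPE (Cisco IOS) -------------------------------------------------
! Assumption: SP assigned 2001:db8:1::/48 (PA space) and routes it to
! the CPE's outside address, so no IA_PD is needed on the CPE.
interface GigabitEthernet0/0
 description Outside - link to PE router
 ipv6 enable
 ipv6 address autoconfig default      ! outside /64 via RA, default route via RA
!
interface GigabitEthernet0/1
 description Inside - link to customer firewall
 ipv6 address 2001:db8:1:1::1/64      ! /64 carved out of the PA /48 for the link
 ipv6 nd ra suppress                  ! firewall is statically addressed; no RA needed
!
! Everything the firewall will use on its inside interfaces lives in a
! /56 out of the same /48; route it to the firewall's link address.
! (A link-local next hop also works, but then the interface must be
! specified: ipv6 route 2001:db8:1:100::/56 GigabitEthernet0/1 fe80::2)
ipv6 route 2001:db8:1:100::/56 2001:db8:1:1::2
!
! ---- Firewall (Cisco ASA, names assumed) -----------------------------
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ipv6 address 2001:db8:1:1::2/64      ! same link /64 as the CPE inside interface
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ipv6 address 2001:db8:1:100::1/64    ! first /64 of the /56 routed to the firewall
!
! Default route toward the CPE; further inside /64s (2001:db8:1:101::/64
! and so on) are simply added on additional inside interfaces.
ipv6 route outside ::/0 2001:db8:1:1::1
```

Because the link /64 and the inside /56 both come out of the same statically routed /48, nothing on the CPE or the firewall depends on DHCPv6 relay or an IA_PD client, which is why this design works with firewalls that lack IA_PD support.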
You’ll find a detailed description of SLAAC, DHCPv6 and prefix delegation mechanisms in the Building Large IPv6 Service Provider Networks webinar. You can buy its recording or get it as part of the IPv6 trilogy or yearly subscription ... and don’t forget to use Unique Local Addresses to reduce the renumbering headaches if you don’t have your own IPv6 PI address space.