I guess we all heard the fundamentalist IPv6 mantra by now: “Every subnet gets a /64.” Being a good foot soldier, I included it in my Enterprise IPv6 webinar. Time to fix that slide and admit what we also knew for a long time: IPv6 is classless and we have yet to see the mysterious device that dies in flames when sniffing a prefix longer than a /64.
Before you rush out and change all your 64s prefixes to 120s, a few words of caution:
- You have to use /64 prefixes on subnets running SLAAC.
- I wouldn’t be surprised if some host stacks would be broken enough to die when faced with a local prefix not equal to /64. Conclusion: use /64 on all subnets to which workstations are attached.
- Likewise, I wouldn’t expect consumer CPE vendors to understand IPv6 can be classless. As above, use /64s in consumer environment.
- If a layer-3 forwarding device breaks down when having a prefix longer than /64 in its IPv6 routing table, throw it away.
Jeff Wheeler proposes to use /120 on all (data center?) subnets. I never tested this idea in practice and have no clue whether common server operating systems (Linux, Windows) would work with static IPv6 addresses out of a /120 prefix. Real-life experience? Please write a comment!
As a precaution against yet-to-be-discovered bugs, you could decide to use a single /120 prefix out of a /64 prefix on server-facing subnets (if the /120 prefix fails, you can easily go back to a /64 prefix without renumbering anything else but the affected subnet).
Alternatively, you could decide to be on the safe side, use the /64 prefixes on server subnets, assign static IPv6 addresses with high bits set to zero to servers (for example, use only 2001:DB8:C001:BABE::2/64 through 2001:DB8:C001:BABE::FE/64) and deploy inbound access lists on the L3 switches dropping packets sent to IPv6 addresses outside of that range.
Last but definitely not least, using /64 prefixes on point-to-point core links (and being exposed to script kiddies) is ridiculous. Juniper formalized this line of thinking with a standard-track RFC, recommending /127 prefixes on point-to-point links. And once you leave the 64-everywhere dogma behind, you can make the final step and allocate /128s to loopback addresses (I’ve tested this in Cisco IOS – works like a charm). Welcome back to the VLSM world.